What you need to know
- Microsoft Outlook has an issue causing it to display spoofed email addresses with information from genuine contacts.
- The vulnerability stems from how Microsoft Outlook handles certain mail extensions and mixed characters from different alphabets.
- This vulnerability could be targeted by phishing emails pretending to be from people's contacts.
A phishing campaign is taking advantage of Microsoft Outlook to trick people into believing spoofed emails are from genuine contacts. These spoofed emails trick the Address Book within Microsoft Office to show a person's contact information even though the emails come from spoofed Internationalized Domain Names (IDNs). As a result, people may see phishing emails that not only look like they come from a genuine email address, but they'll also show the contact details of the person the phishing email is imitating.
IDNs include a combination of Unicode characters, including those from the Latin and Cyrillic alphabets. Some characters from these alphabets look similar, so an attacker can make an email appear genuine at first glance.
This means if a company's domain is 'somecompany[.]com', an attacker that registers an IDN such as 'ѕomecompany[.]com' (xn--omecompany-l2i[.]com) could take advantage of this bug and send convincing phishing emails to employees within 'somecompany.com' that used Microsoft Outlook for Windows.
These domains could appear identical or very similar to the naked eye (note that the "s" in the second domain above is slightly different than that in the first). Outlook showing the spoofed domain email within someone's contacts only makes phishing emails more convincing.
Dionach's Mike Manzotti also reported on the bug and shared a concept video of the issue. According to Manzotti, Microsoft has acknowledged the vulnerability but said it would not release a fix for it.
Microsoft told Manzotti:
We've finished going over your case, but in this instance it was decided that we will not be fixing this vulnerability in the current version and are closing this case. In this case, while spoofing could occur, the senders identity cannot be trusted without a digital signature. The changes needed are likely to cause false positives and issues in other ways.
Despite this comment, the issue appears to have been fixed. According to Manzotti's timeline, Microsoft Outlook 16.0.14228.20216 doesn't have the vulnerability anymore. Microsoft did not respond to Manzotti when asked to confirm the fix.
The report goes into technical detail, including the fact that Microsoft Outlook for Microsoft 365 doesn't validate addresses in the Multipurpose Internet Mail Extensions (MIME).
To everyday users, the technical aspects aren't what's important. Instead, people need to be aware that Outlook has a security issue and that they need to update to the latest version. It's also important to note that the issue has not been replicated with a browser using Outlook Web Access.