What you need to know
- Microsoft Outlook has an issue causing it to display spoofed email addresses with information from genuine contacts.
- The vulnerability stems from how Microsoft Outlook handles certain mail extensions and mixed characters from different alphabets.
- This vulnerability could be targeted by phishing emails pretending to be from people's contacts.
A phishing campaign is taking advantage of Microsoft Outlook to trick people into believing spoofed emails are from genuine contacts. These spoofed emails trick the Address Book within Microsoft Office to show a person's contact information even though the emails come from spoofed Internationalized Domain Names (IDNs). As a result, people may see phishing emails that not only look like they come from a genuine email address, but they'll also show the contact details of the person the phishing email is imitating.
IDNs include a combination of Unicode characters, including those from the Latin and Cyrillic alphabets. Some characters from these alphabets look similar, so an attacker can make an email appear genuine at first glance.
These domains could appear identical or very similar to the naked eye (note that the "s" in the second domain above is slightly different than that in the first). Outlook showing the spoofed domain email within someone's contacts only makes phishing emails more convincing.
Dionach's Mike Manzotti also reported on the bug and shared a concept video of the issue. According to Manzotti, Microsoft has acknowledged the vulnerability but said it would not release a fix for it.
Microsoft told Manzotti:
Despite this comment, the issue appears to have been fixed. According to Manzotti's timeline, Microsoft Outlook 16.0.14228.20216 doesn't have the vulnerability anymore. Microsoft did not respond to Manzotti when asked to confirm the fix.
The report goes into technical detail, including the fact that Microsoft Outlook for Microsoft 365 doesn't validate addresses in the Multipurpose Internet Mail Extensions (MIME).
To everyday users, the technical aspects aren't what's important. Instead, people need to be aware that Outlook has a security issue and that they need to update to the latest version. It's also important to note that the issue has not been replicated with a browser using Outlook Web Access.
Get the Windows Central Newsletter
All the latest news, reviews, and guides for Windows and Xbox diehards.
Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at email@example.com.