What you need to know
- Microsoft Outlook has an issue that causes it to display spoofed email addresses alongside the contact information of genuine contacts.
- The vulnerability stems from how Microsoft Outlook handles certain mail extensions and mixed characters from different alphabets.
- This vulnerability could be exploited by phishing emails pretending to be from people's contacts.
A phishing campaign is taking advantage of Microsoft Outlook to trick people into believing spoofed emails are from genuine contacts. These spoofed emails trick the Address Book within Microsoft Office into showing a person's contact information even though the emails come from spoofed Internationalized Domain Names (IDNs). As a result, people may see phishing emails that not only look like they come from a genuine email address, but also show the contact details of the person the phishing email is imitating.
IDNs include a combination of Unicode characters, including those from the Latin and Cyrillic alphabets. Some characters from these alphabets look similar, so an attacker can make an email appear genuine at first glance.
These domains could appear identical or very similar to the naked eye (note that the "s" in the second domain above is slightly different from that in the first). Outlook showing the spoofed domain email within someone's contacts only makes phishing emails more convincing.
Dionach's Mike Manzotti also reported on the bug and shared a concept video of the issue. According to Manzotti, Microsoft has acknowledged the vulnerability but said it would not release a fix for it.
Microsoft told Manzotti:
Despite this comment, the issue appears to have been fixed. According to Manzotti's timeline, Microsoft Outlook 16.0.14228.20216 doesn't have the vulnerability anymore. Microsoft did not respond to Manzotti when asked to confirm the fix.
The report goes into technical detail, including the fact that Microsoft Outlook for Microsoft 365 doesn't validate addresses in the Multipurpose Internet Mail Extensions (MIME).
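The two points above, lookalike characters from different alphabets and a client that matches the sender against the address book without validating the address, come together in the following check. It is an added example, not code from the report, from Dionach or from Microsoft: a small Python routine that parses a From: header, reduces the domain to its canonical IDNA (punycode) form, matches the address book on that form only, and separately flags domains that mix scripts or collapse onto a known contact's domain once confusable letters are folded. The address book, the contact names, the domains and the short confusables table are all constructed for the example (the full table is Unicode TR39 "confusables"); the spoofed address swaps the Latin "s" in a domain for Cyrillic dze (U+0455), the kind of substitution the article describes.

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample address book, keyed by the canonical address:
# lowercase local part plus the IDNA/punycode ASCII form of the domain.
KNOWN_CONTACTS = {
    "alice@contoso.com": "Alice (Contoso accounts)",
    "bob@contoso.com": "Bob (Contoso support)",
}

# Constructed subset of visually confusable Cyrillic -> Latin letters
# (see Unicode TR39 "confusables" for the full list); enough for the check.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0455": "s", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
}


def script_of(ch):
    """Coarse script name ('LATIN', 'CYRILLIC', ...) taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def skeleton(domain):
    """Fold confusable letters to their Latin lookalikes, so 'conto\u0455o.com' becomes 'contoso.com'."""
    return "".join(CONFUSABLES.get(c, c) for c in domain.lower())


def analyze_sender(from_header, contacts=KNOWN_CONTACTS):
    """Classify the sender of a From: header against the address book.

    The address book is matched on the canonical ASCII form of the address, never on
    how the address looks, so a homograph domain is never shown as a known contact.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"addr": addr, "verdict": "invalid", "reason": "no mailbox address in From header"}
    local, domain = addr.rsplit("@", 1)
    try:
        # IDNA encoding turns any non-ASCII label into its xn-- punycode form.
        ascii_domain = domain.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return {"addr": addr, "verdict": "invalid", "reason": "domain is not valid IDNA"}
    canonical = f"{local.lower()}@{ascii_domain}"
    result = {"addr": addr, "canonical": canonical}

    if canonical in contacts:
        result.update(verdict="known-contact", contact=contacts[canonical])
        return result

    known_domains = {k.split("@", 1)[1] for k in contacts}
    scripts = sorted({script_of(c) for c in domain if c.isalpha()})
    result["scripts"] = scripts

    if ascii_domain not in known_domains and skeleton(domain) in known_domains:
        # Looks like a contact's domain once confusables are folded, but is a
        # different registrable domain: exactly what a visual comparison gets wrong.
        result.update(verdict="homograph", lookalike_of=skeleton(domain))
    elif len(scripts) > 1 or ascii_domain.startswith("xn--") or ".xn--" in ascii_domain:
        # Non-ASCII or mixed-script domain with no known lookalike: worth a closer look.
        result.update(verdict="suspicious-idn")
    else:
        result.update(verdict="unknown-sender")
    return result


if __name__ == "__main__":
    samples = [
        '"Alice" <alice@contoso.com>',
        '"Alice" <alice@conto\u0455o.com>',   # constructed: Cyrillic dze (U+0455) in place of "s"
        '"Carol" <carol@fabrikam.com>',
        "not an address",
    ]
    for header in samples:
        print(analyze_sender(header))
```

The design point is the one the article implies: a mail client (or a mail gateway rule) should decide "is this a known contact" on the canonical encoded address, and treat a domain that only matches after folding confusables as a reason to warn, not as a match.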
To everyday users, the technical aspects aren't what's important. Instead, people need to be aware that Outlook has a security issue and that they need to update to the latest version. It's also important to note that the issue has not been replicated with a browser using Outlook Web Access.
Sean Endicott is the news writer for Windows Central. If it runs Windows, is made by Microsoft, or has anything to do with either, he's on it. Sean's been with Windows Central since 2017 and is also our resident app expert. If you have a news tip or an app to review, hit him up at firstname.lastname@example.org.