Office 365 Flaw Made Fake Microsoft Emails Look Legitimate

A flaw in Office 365 could have been exploited by attackers to send out malicious emails and make them look as if they were coming from a legitimate microsoft.com address.

The issue was discovered by Utku Sen, a Turkey-based security enthusiast known for releasing an open source ransomware called Hidden Tear for educational purposes.

Sen found the issue while testing the spam filters of email services such as Outlook 365, Gmail and Yandex. During his tests, which he conducted using the Social Engineering Email Sender (SEES) tool, the expert noticed that Yandex identified some of his phishing emails as valid and marked them with a green icon after performing a DomainKeys Identified Mail (DKIM) verification.

It turned out that the emails detected as valid came from a spoofed microsoft.com email address and they were forwarded through Outlook 365 to Yandex. Further analysis showed that Gmail also accepted the fake microsoft.com emails forwarded from Outlook as legitimate.

The method only worked with emails coming from a spoofed microsoft.com address. When other domains were used, the fake emails went straight to the spam folder.

Sen was unable to figure out the cause, but Reddit user “ptmb” said the problem was likely that Outlook was signing redirected messages with its own DKIM key.

“That means that instead of having an email with a proof of identity from the original sender, you received an email with a proof of identity from the ‘redirector’,” ptmb explained. “And because Outlook was blindly signing these messages it was redirecting, if the message had a fake from field saying something(at)microsoft.com, then after Outlook blindly redirected it, it’d have a genuine DKIM signature from Microsoft by coincidence, even though the original email wasn’t from Microsoft at all.”
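A toy model of the re-signing behaviour described in the quote above, added here as an illustration; it is not code from Sen, Microsoft or the original article. HMAC stands in for the DKIM signature, and the key, function names, policy and sample messages are constructed. It assumes the receiver treats a message as verified only when the signing domain matches the From domain.

```python
import hashlib
import hmac

# Constructed stand-in for the redirector's DKIM key. HMAC replaces the real
# public-key signature only so the model runs offline on the standard library.
SIGNING_KEY = b"constructed-demo-key"
SIGNING_DOMAIN = "microsoft.com"  # the redirector's signing domain, per the article

def _digest(msg):
    data = (msg["from"] + "\n" + msg["body"]).encode()
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()

def _from_domain(msg):
    return msg["from"].rsplit("@", 1)[-1].lower()

def sign(msg):
    """Attach a toy signature binding From and body to SIGNING_DOMAIN."""
    return {**msg, "dkim": {"d": SIGNING_DOMAIN, "b": _digest(msg)}}

def receiver_verdict(msg):
    """Receiver side: is the signature valid, and does d= match From?"""
    sig = msg.get("dkim")
    if sig is None:
        return "unsigned"
    if not hmac.compare_digest(sig["b"], _digest(msg)):
        return "invalid"
    return "aligned-pass" if _from_domain(msg) == sig["d"] else "pass-unaligned"

def redirect_blind(msg):
    """The behaviour described above: sign whatever is being redirected."""
    return sign(msg)

def redirect_checked(msg, inbound_auth_domain):
    """Hypothetical policy: sign only if the From domain was already
    authenticated when the message arrived (None means it was not)."""
    if inbound_auth_domain != _from_domain(msg):
        return dict(msg)  # forward without vouching for the From header
    return sign(msg)

# Constructed sample messages.
SPOOFED = {"from": "billing@microsoft.com", "body": "constructed sample"}
OTHER = {"from": "user@example.org", "body": "constructed sample"}

if __name__ == "__main__":
    print("blind, spoofed own domain:", receiver_verdict(redirect_blind(SPOOFED)))
    print("blind, other domain:      ", receiver_verdict(redirect_blind(OTHER)))
    print("checked, unauthenticated: ", receiver_verdict(redirect_checked(SPOOFED, None)))
```

Under the stated assumption, the second case shows why only a spoofed address in the signer's own domain gained credibility: for any other From domain the signature verifies but does not match the sender.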

Sen informed both Microsoft and Yandex about his findings in September. Microsoft confirmed the issue and patched it in late October, and listed the researcher on its acknowledgements page. Yandex removed the green validation icon, but it’s unclear if it was due to the expert’s report.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
