Microsoft Outlook exposed to old-school phishing attacks due to bug

Outlook vs Windows Mail
Outlook vs Windows Mail (Image credit: Windows Central)

What you need to know

  • Microsoft Outlook has an issue causing it to display spoofed email addresses with information from genuine contacts.
  • The vulnerability stems from how Microsoft Outlook handles certain mail extensions and mixed characters from different alphabets.
  • This vulnerability could be targeted by phishing emails pretending to be from people's contacts.

A phishing campaign is taking advantage of Microsoft Outlook to trick people into believing spoofed emails are from genuine contacts. These spoofed emails trick the Address Book within Microsoft Office to show a person's contact information even though the emails come from spoofed Internationalized Domain Names (IDNs). As a result, people may see phishing emails that not only look like they come from a genuine email address, but they'll also show the contact details of the person the phishing email is imitating.

IDNs include a combination of Unicode characters, including those from the Latin and Cyrillic alphabets. Some characters from these alphabets look similar, so an attacker can make an email appear genuine at first glance.

An example is shared by "Dobby1Kenobi," who discovered the vulnerability in Outlook (via ArsTechnica):

This means if a company's domain is 'somecompany[.]com', an attacker that registers an IDN such as 'ѕomecompany[.]com' (xn--omecompany-l2i[.]com) could take advantage of this bug and send convincing phishing emails to employees within 'somecompany.com' that used Microsoft Outlook for Windows.

These domains could appear identical or very similar to the naked eye (note that the "s" in the second domain above is slightly different than that in the first). Outlook showing the spoofed domain email within someone's contacts only makes phishing emails more convincing.

Dionach's Mike Manzotti also reported on the bug and shared a concept video of the issue. According to Manzotti, Microsoft has acknowledged the vulnerability but said it would not release a fix for it.

Microsoft told Manzotti:

We've finished going over your case, but in this instance it was decided that we will not be fixing this vulnerability in the current version and are closing this case.  In this case, while spoofing could occur, the senders identity cannot be trusted without a digital signature. The changes needed are likely to cause false positives and issues in other ways.

Despite this comment, the issue appears to have been fixed. According to Manzotti's timeline, Microsoft Outlook 16.0.14228.20216 doesn't have the vulnerability anymore. Microsoft did not respond to Manzotti when asked to confirm the fix.

The report goes into technical detail, including the fact that Microsoft Outlook for Microsoft 365 doesn't validate addresses in the Multipurpose Internet Mail Extensions (MIME).

To everyday users, the technical aspects aren't what's important. Instead, people need to be aware that Outlook has a security issue and that they need to update to the latest version. It's also important to note that the issue has not been replicated with a browser using Outlook Web Access.

Sean Endicott
News Writer and apps editor

Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He's covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean's journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.