Another week, another Microsoft security flaw, this time one that allows virtually anyone to impersonate Microsoft corporate email accounts.
Security researcher Vsevolod Kokorin discovered the bug and reported it to Microsoft. Unfortunately, Microsoft ignored his report, saying it could not reproduce his results. Kokorin then took to X in an effort to shed light on the issue, demonstrating that it was indeed a valid attack vector.
It appears that posting to X finally got Microsoft’s attention, as the company acknowledged the issue and reopened some of Kokorin’s bug reports.
Unfortunately, Kokorin’s experience is not unique. In fact, Kokorin referenced another researcher’s similar experience. In that case as well, a researcher provided findings to Microsoft, only to be ignored. She ultimately took to X as well to prove the issue was real.
Both of these incidents are concerning, especially given Microsoft’s recent security issues. The company experienced a massive Exchange breach last year, one that impacted a slew of organizations, including government entities.
In the wake of those breaches, Microsoft pivoted to a security-first approach, with CEO Satya Nadella saying executives should prioritize security above all else. Unfortunately, Microsoft’s team ignoring reproducible bugs of this magnitude—not to mention one that impacts email—is not a good look for a company focused on “security above all else.”