Do you send emails on Hotmail or Outlook? You could be under threat from dangerously convincing scams.
A freshly uncovered glitch in these services will allow hackers make scam emails look like they've been sent from a legitimate account, a security expert has cautioned millions of Hotmail users.
Vsevolod Kokorin — better known by his online moniker, Slonser — unearthed a bug that allows anyone to spoof from official domains, like @microsoft.com or @gov.uk, for example. One of the most reliable ways to unmask a scam email is to check the recipient's email address to see whether it matches.
What makes this latest scam so terrifying is that the email address that the scam originated from will appear to match. To demonstrate the damage that could be caused, Vsevolod Kokorin shared a screenshot on X, formerly known as Twitter, proving that he sent emails that appeared to come from security@microsoft.com.
At a glance, this is indistinguishable from an official communication from the US company.
Phishing attempts use a variety of tricks to convince email recipients they're from a reputable company. This makes it easier to trick users into revealing passwords or credit card numbers or downloading a linked file.
With the ability to mask their email so that it appears indistinguishable from a legitimate address, hackers could convince millions to hand out deeply personal information.
Fortunately, Microsoft is taking action — although, at the time of writing, the bug fix has not yet been released.
Although Vsevolod Kokorin initially struggled to convince Microsoft to look into his research, when his post on X went viral, the Redmond-based company decided to investigate further.
In an interview with TechCrunch, he elaborated: "Microsoft just said they couldn’t reproduce it without providing any details. Microsoft might have noticed my tweet because a few hours ago they reopen [sic] one of my reports that I had submitted several months ago."
“I did not expect my post to get such a reaction. Honestly, I just wanted to share my frustration because this situation made me sad,” he said.
"Many people misunderstood me and think that I want money or something like that. In reality, I just want companies not to ignore researchers and to be more friendly when you try to help them."
The glitch only works when sending emails directly to Outlook accounts. Emails sent to rival providers, like Gmail and Yahoo, will not show the official domain, Vsevolod Kokorin warned.
While Gmail remains the biggest email provider on the planet, with roughly 1.8 billion users worldwide, Outlook has a considerable 400 million users. That's still a tempting prospect for hackers looking to leverage this bug.
Vsevolod Kokorin has not revealed exactly how the scam works over fears that bad actors will use the issue to trick millions. We're likely to find out more about this trick when Microsoft releases the patch.
LATEST DEVELOPMENTS
The US company recently announced plans to step up security for its email users, pushing a new standard to all Outlook users. Unfortunately, one of the side effects of this upgrade is the loss of Gmail support.
Want to avoid falling for phishing scams? Follow this best practice to avoid falling victim to hackers —
- Verify the Sender | Of course this won't work for Hotmail and Outlook users right now, but as soon as the bug fix is live, checking the email address to ensure it matches the sender's legitimate address will return to being one of the best ways to spot a scam. Be cautious of slight variations in domain names, like hackers using an "0" instead of an "o" to try to appear legitimate
- Look for Red Flags | Be wary of emails with urgent requests, misspellings, grammatical errors, or unfamiliar greetings. Phishing emails often create a sense of urgency to prompt hasty actions
- Never Click The Links | Avoid clicking on links or downloading attachments from unsolicited emails. Hover over links to see the actual URL before clicking
- Enable Multi-Factor Authentication (MFA) On Your Account | Protect your accounts by enabling MFA, adding an extra layer of security beyond just a password
- Educate Yourself and Others | Stay informed about common phishing techniques and share this knowledge with friends, family, and colleagues. If you receive an unexpected request for sensitive information, contact the sender through a known, trusted method to double-check the claim
- Report Suspicious Emails | Report phishing emails to your email provider or relevant authorities to help prevent future scams
