Microsoft fixed an issue in Office 365 that an attacker could have leveraged to send malicious emails that appeared to come from a real microsoft.com address.
While testing the spam filters of email services such as Outlook 365, Gmail and Yandex, Utku Sen, a Turkey-based security enthusiast, found the flaw.
During his tests, conducted using the Social Engineering Email Sender (SEES) tool, Sen found Yandex identified some of his phishing emails as valid and marked them with a green icon after performing a DomainKeys Identified Mail (DKIM) verification.
The emails detected as valid came from a spoofed microsoft.com email address and they were forwarded through Outlook 365 to Yandex. Further analysis showed Gmail also accepted the fake microsoft.com emails forwarded from Outlook as legitimate.
The method only worked with emails coming from a spoofed microsoft.com address. When other domains were used, the fake emails went straight to the spam folder.
Reddit user “ptmb” said the problem was likely that Outlook was signing redirected messages with its own DKIM key.
“That means that instead of having an email with a proof of identity from the original sender, you received an email with a proof of identity from the ‘redirector’,” ptmb said. “And because Outlook was blindly signing these messages it was redirecting, if the message had a fake from field saying something(at)microsoft.com, then after Outlook blindly redirected it, it’d have a genuine DKIM signature from Microsoft by coincidence, even though the original email wasn’t from Microsoft at all.”
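The signing-policy mistake ptmb describes, illustrated as an added example (not code from Microsoft, Outlook 365 or the Reddit thread): a forwarder that blindly DKIM-signs every message it relays will put an aligned signature on a spoofed From header naming its own domain, whereas a hardened policy only signs when the submitting session authenticated as a mailbox in that domain. "provider.example", the sample message and the function names are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import Optional

# Placeholder for the domain whose DKIM key the forwarding service holds.
PROVIDER_DOMAINS = {"provider.example"}

# Constructed sample: external mail with a spoofed From header that a mailbox
# rule redirects on to another provider (the scenario described in the article).
SPOOFED_REDIRECT = (
    "From: Support <support@provider.example>\r\n"
    "To: victim@example.net\r\n"
    "Subject: Account notice\r\n"
    "\r\n"
    "Please review your account.\r\n"
)

def from_domain(raw: str) -> str:
    """Lower-cased domain of the RFC 5322 From header ("" if absent)."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()

def signing_domain_blind(raw: str) -> Optional[str]:
    """The failure mode: every relayed message is signed with the provider key,
    so a spoofed From naming the provider's own domain ends up with a genuine,
    aligned DKIM signature even though the provider never authenticated it."""
    return next(iter(PROVIDER_DOMAINS))

def signing_domain_hardened(raw: str, authenticated_as: Optional[str]) -> Optional[str]:
    """Sign with a provider key only when the submitting session authenticated as
    a mailbox in that domain and the From header uses the same domain. A
    mailbox-rule redirect of external mail gets no provider signature; any
    signature the original sender applied is simply left in place."""
    if authenticated_as is None:
        return None  # transit mail: the provider cannot vouch for its origin
    auth_domain = authenticated_as.rpartition("@")[2].lower()
    if auth_domain not in PROVIDER_DOMAINS or from_domain(raw) != auth_domain:
        return None  # no key for this domain, or From does not match the login
    return auth_domain
```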
Sen told Microsoft and Yandex about his findings in September. Microsoft confirmed the issue and patched it in late October.
Yandex removed the green validation icon, but it’s unclear if it was due to Sen’s report.