Malicious actors are using social engineering tactics to exploit Microsoft Outlook’s vulnerability and send emails to users, making impersonators seem credible.
In one attack, a test spoof email bypassed Outlook’s security layers and even seemed like an authentic email from a legitimate user, alongside displaying the Active Directory address. This address contains photos, files shared between users, recipients’ email addresses and phone numbers.
Outlook does not require email authentication such as Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) checks, indicating it prioritises productivity over security.
Spoofing is also made easier, because Microsoft does not require verification before updating the user image on an email, and it will display all contact data for a user, even if that user has an SPF fail, the firm added.
Employing email security tools for scanning files and links, and ensuring the organisation has layered security can help mitigate risks while using Microsoft Outlook.