Am I the crazy one here or is this terrible design?

In our company we get tested from time to time for phishing attacks and we are well versed in spotting the fakes. Most of the time over 90% of people have no problems passing.

A few days ago, however, almost everyone failed the test, and I believe poor design by Microsoft is to blame.

So here is the setup:

Our company has a domain name example.com and emails are formatted as [email protected], standard stuff so far.

The attackers (the guys who test) go ahead and register example.co for $5 (dot co, not com) and sign up for a month of Proton Mail premium at $6. This subscription allows custom domains, so they set up DNS, SPF, DKIM, and all the other goodies to make the addresses look as legit as possible.

Next up they make a fake email address [email protected] and prep a phishing message: some dumb PDF-looking image linking to a URL shortener, with the idea that users think “oh, the CEO is sending us a Holiday greeting in a PDF, I’m going to click it”, but instead of a Holiday card they get a drive-by download.

The trouble is, Outlook (web version, desktop, Android, and maybe others) is trying to be helpful and treats the two addresses as the same contact by default. The fake address [email protected] is auto-merged with the legit CEO’s address [email protected].

On mobile it is literally identical to the real thing unless you go 3 levels deep to check out the contact itself, and even then it is very convincing, as Outlook just assumes that the fake email belongs to the real CEO. It is a clusterfuck, I know - see the screenshot.

We concluded that Outlook is literally facilitating spear phishing by auto-spoofing similar-looking addresses. We reported this behavior to the Outlook team and through the Microsoft vulnerability thingy, and received the “you can go fuck yourself, here is a link to learn how not to get phished” answer.

Are we the crazy people here?

17 Likes

holy
fucking
shit

6 Likes

You got microshafted.

If they still ignore you, consider creating a nice easy to read article that can be passed around to tech websites for some bad publicity.

17 Likes

LMAO
M$

4 Likes

I can’t really show examples because it’s my work email, but I believe Outlook automatically combines any address with the same “name”.

E.g. I have a contact “Accounting” ([email protected]) and another contact “accounting” ([email protected]) and Outlook will clump them together when I sort my emails. It also clumps together my personal email and work email because they are both “w.meri” even though they have drastically different email addresses.

7 Likes
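Added example, not code from anyone in this thread or from Microsoft. The original post and the reply above describe the same rule: Outlook merges contacts on the display name and hides the domain, so the CEO on example.co lands in the same thread as the CEO on example.com, and a personal mailbox with your name lands next to your work one. The check below re-surfaces the domain the way a mail-gateway or mailbox rule would: it parses the From: header, looks the display name up in a company directory, and reports whether the sending domain is ours, a lookalike of ours, or just external. The corporate domain, the directory and the sample messages are all constructed for the example.

```python
"""Added example, not code from this thread or from Microsoft.

Outlook keys its contact merging on the display name and hides the
domain, so this re-surfaces the domain: it parses the From: header,
checks the display name against a company directory and decides whether
the sending domain is ours, a lookalike of ours, or just external.  The
directory, the corporate domain and the sample messages are constructed.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumption: the company's real domain

# Constructed stand-in for the company directory (display name -> address).
DIRECTORY = {
    "Jane Doe": "jane.doe@example.com",      # plays the CEO from the thread
    "Accounting": "accounting@example.com",
}


def normalize_name(name: str) -> str:
    """Case- and whitespace-insensitive form, since Outlook merges 'Accounting' and 'accounting'."""
    return " ".join(name.split()).casefold()


def is_lookalike_domain(domain: str, ours: str = CORPORATE_DOMAIN) -> bool:
    """True when a domain is close to ours but is not ours: the same label under a
    different TLD (example.co vs example.com), or a domain within a small edit."""
    domain = domain.casefold()
    if not domain or domain == ours:
        return False
    if domain.rsplit(".", 1)[0] == ours.rsplit(".", 1)[0]:
        return True
    return SequenceMatcher(None, domain, ours).ratio() >= 0.85


def classify_from(raw_message: str) -> dict:
    """Classify the From: header of an RFC 5322 message.

    Verdicts: 'ok' (our domain), 'impersonation' (known contact's name on a
    lookalike domain), 'name-collision' (known contact's name on an unrelated
    external domain, e.g. someone's personal mailbox) or 'external'.
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[1].casefold() if "@" in addr else ""
    by_name = {normalize_name(n): a.casefold() for n, a in DIRECTORY.items()}
    known = by_name.get(normalize_name(display))
    same_name_other_addr = known is not None and known != addr.casefold()

    if domain == CORPORATE_DOMAIN:
        verdict = "ok"
    elif same_name_other_addr and is_lookalike_domain(domain):
        verdict = "impersonation"
    elif same_name_other_addr:
        verdict = "name-collision"
    else:
        verdict = "external"
    return {"display": display, "address": addr, "domain": domain, "verdict": verdict}


WARNING_PREFIX = {
    "impersonation": "[POSSIBLE IMPERSONATION] ",
    "name-collision": "[NAME MATCHES INTERNAL CONTACT] ",
    "external": "[EXTERNAL] ",
}


def tag_subject(raw_message: str) -> str:
    """Subject with the kind of warning prefix an 'external sender' rule adds."""
    msg = message_from_string(raw_message)
    verdict = classify_from(raw_message)["verdict"]
    return WARNING_PREFIX.get(verdict, "") + msg.get("Subject", "")


# Constructed sample messages mirroring the thread's scenario.
SPOOF = (
    "From: Jane Doe <jane.doe@example.co>\n"
    "To: staff@example.com\n"
    "Subject: Holiday greeting\n\n"
    "See the attached card.\n"
)
LEGIT = "From: Jane Doe <jane.doe@example.com>\nSubject: All hands\n\nSee you Monday.\n"
PERSONAL = "From: Jane Doe <jane.doe@personal.example>\nSubject: Lunch?\n\nNoon?\n"

if __name__ == "__main__":
    for raw in (SPOOF, LEGIT, PERSONAL):
        print(tag_subject(raw), classify_from(raw))
```

The point of the three verdicts is that the display-name match alone is not the signal; it is the combination of a known name and a domain that is not ours that deserves a visible tag, and a lookalike domain on top of that deserves a louder one. The subject prefix is the same idea as the “external sender” warning mentioned later in the thread, just keyed on the directory rather than on every outside address.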

That is beyond a stupid design choice.

If Microsoft don’t see the problem with what they have done, they are in the wrong here and need to be shamed into fixing it, as they are clearly at “Clown Shoes” levels of help and realisation.

4 Likes

Oh, fuck! Someone nominate Microsoft for some sort of design award ASAP!

3 Likes

It’s pretty dumb.

Like my work email follows the standard “[email protected]”, but my personal is basically “[email protected]”. Outlook seems to combine them because the “name” for both is simply my first and last name.

This is what you should’ve said to Microsoft when they linked you the “how to not get phished”.

Pure insanity that the app would not check the domain or ask you if you wanted to merge the two accounts!

3 Likes

Thinking on it:

If I were a malicious and motivated person, I would do some research and see if the help team use Outlook too and then set about unleashing their creation on them.

Better still, if they have a bug bounty, exploit them thoroughly, bonus points for targeting the person who linked the phishing read-up, and then write it all up and send it back to them.

Then publish that write up about how insanely stupid their systems and ideas about how they should function are.

2 Likes

Sounds like a HackerOne bounty to me, if it gets enough publicity.

There is a thing to warn you about “external sender” that you can turn on, but holy crap.

6 Likes

If you were a theoretically malicious and motivated person, then you might also theoretically enjoy this fun new vulnerability.

2 Likes

I ran into that half a year or so ago. I thought I was going insane.

I thought that meme died

2 Likes

At some point, there will be a write up, give it time.

3 Likes

Any update?

I have the luxury to not use them for my mail.

Does it still happen? Anyone got any contact?

Yep, still the same. I asked them to send me another email from [email protected] to try it out just now.

Merged with my conversation from earlier today and yesterday.

Nothing from Microsoft, other than the “up yours buddy” email response we got.

1 Like

So public it is: smear that excrement all over the public places where technical and security people read. That is a really stupid way to manage email.

I don’t really have any weight to throw around but absolutely, we should try and do something.
I’ve just sent an email to Brian Krebs, hopefully he doesn’t ignore it.

Maybe @wendell can get Dr. Tetris at Anand Tech interested enough. It’s super easy to reproduce and super exploitable for targeted phishing.

Maybe it will get some traction like that. Or we wait until someone at SolarWinds gets owned.

1 Like

Hmm, since this is such an easy exploit, maybe you want to send some famous emails from people like [email protected], [email protected], [email protected] etc?

I wonder what would happen if you sent Satya Nadella two emails from Gates and Ballmer… :slight_smile:

You would go to jail, because the law is so bad that it could be considered hacking.

1 Like