Oh no! Microsoft. Again

TLDR:

Sending email with msmtp via Microsoft 365, I was able to authenticate as [email protected] and send email as [email protected] without issues and without triggering any security mechanisms.

So I think Microsoft f#cked up, again.
I ranted about Outlook before; check it out if you are curious: Am I the crazy one here or is this terrible design?

At work my team got permission to use [email protected] to send notifications from a server we run independently, meaning company IT did an audit and said it's fine, you can use this email for notifications.

I went ahead and installed msmtp on our dev server to try to use Microsoft 365 SMTP to send emails, instead of potentially triggering spam filters if we just use sendmail or whatever.

I created a .msmtprc config:

account default
host smtp.office365.com
port 587
auth on
user [email protected]
password app_password
from [email protected]
tls on
tls_starttls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt

Created an alias:
echo "alias sendmail='msmtp -t'" >> ~/.bashrc

And tried sending a test email:
echo "Test email" | sendmail -v [email protected]

It started spewing out a bunch of lines about communication with mail.protection.outlook.com and I immediately went "oh crap, I didn't specify a from address".
Well, it did not matter; it happily accepted and delivered the email from [email protected]

>>> MAIL From:<[email protected]> SIZE=11 [email protected]
250 2.1.0 <[email protected]>... Sender ok

Outlook had no idea the email came from inside the organization; it was guessing it might be from a bunch of companies and people named Root on LinkedIn. Basically, spoofing the email worked just fine.

I want to try [email protected] in the From field and see what happens, but IT told me to leave it alone. I want to try a different domain that is not a subdomain of our company. Do we have some Microsoft 365 admins in the crowd? Can someone try? If it works, technically any user can impersonate any other user, and maybe you can get a bounty for reporting it?

6 Likes
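What the post describes is an authenticated submission endpoint accepting any MAIL FROM in the tenant's domain, rather than binding the sender to the authenticated identity. Below is an added example (not code from the post, from msmtp, or from Microsoft) that models the two policies side by side: a permissive "domain only" check that reproduces the observed behaviour, and a strict check that requires the envelope sender and the header From to be the authenticated user or an explicit Send As grant. The tenant (`example.com`), the users `svc-notify` and `notifications`, and the grant table are constructed; the `5.7.60` rejection text is modelled on the Send As error Exchange Online returns and its exact wording is an assumption.

```python
"""Submission-time sender authorization, as an added example.

Models what an authenticated SMTP submission service (port 587) should do with
the MAIL FROM and header From a client presents. Sample identities and grants
below are constructed, not real tenant data.
"""
from email.utils import parseaddr
import re

# Constructed sample tenant: one service account with one Send As grant.
AUTH_USER = "svc-notify@example.com"
SEND_AS_GRANTS = {
    # authenticated identity -> addresses it may use as sender
    "svc-notify@example.com": {"notifications@example.com"},
}
ACCEPTED_DOMAINS = {"example.com"}

OK = "250 2.1.0 Sender ok"
# Assumption: wording modelled on the 5.7.60 rejection Exchange Online returns
# when a client lacks Send As permission for the presented sender.
DENY = "550 5.7.60 SMTP; client does not have permissions to send as this sender"


def mail_from_address(cmd: str) -> str:
    """Extract the reverse-path from a 'MAIL FROM:<addr> ...' command (RFC 5321)."""
    m = re.match(r"^MAIL FROM:\s*<([^>]*)>", cmd, re.IGNORECASE)
    if not m:
        raise ValueError(f"malformed MAIL command: {cmd!r}")
    return m.group(1).strip().lower()


def permissive_policy(auth_user: str, sender: str) -> str:
    """Domain check only: any sender in an accepted domain is allowed once the
    session is authenticated. This is the behaviour described in the post."""
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    return OK if domain in ACCEPTED_DOMAINS else DENY


def strict_policy(auth_user: str, sender: str) -> str:
    """Hardened check: sender must be the authenticated identity itself or an
    address explicitly granted to it (Send As)."""
    user = auth_user.lower()
    allowed = {user} | {a.lower() for a in SEND_AS_GRANTS.get(user, set())}
    return OK if sender in allowed else DENY


def check_submission(auth_user: str, mail_cmd: str, header_from: str, policy) -> str:
    """Evaluate the envelope sender (P1) and the header From (P2) under the same
    policy. Both must pass; otherwise an authorized envelope could still carry
    a spoofed From: that the recipient's client displays."""
    envelope = mail_from_address(mail_cmd)
    _, header_addr = parseaddr(header_from)
    for candidate in (envelope, header_addr.lower()):
        response = policy(auth_user, candidate)
        if not response.startswith("250"):
            return response
    return OK


if __name__ == "__main__":
    # The command from the post's transcript, with a constructed address.
    cmd = "MAIL From:<root@example.com> SIZE=11"
    print("permissive:", check_submission(AUTH_USER, cmd, "root@example.com", permissive_policy))
    print("strict:    ", check_submission(AUTH_USER, cmd, "root@example.com", strict_policy))
```

The two policies differ in one place only: the permissive one answers "is this address in a domain we own?", the strict one answers "is this address one the authenticated principal is allowed to use?". The second question is the one an admin should expect a submission service to ask; checking the header From as well as the envelope closes the gap where a legitimate envelope sender carries someone else's name in the message body.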

It could also get you fired, as you're hacking on your company's system after the IT department told you to stop.
You've got to have permission, mate, or you're breaking the law.
And that's not overstating it at all.

You reported your findings to the IT department. They will handle it from there if they are competent; if they aren't, then your company will get hacked.
As for a bug bounty, you could ask the company if they have one and, if they don't, start one.

Oh, and if it was just the company's hired-help IT guy, not in-house, then speak to your boss's boss/SOC. They may not know, and the IT guy might be being lazy and not want the hassle of mitigating it.

3 Likes

It's Microsoft 365 mail, so if there is someone who administers it and can try to reliably reproduce this, maybe you can get a bounty from Microsoft, but I wouldn't hold my breath.

I’m not doing it, don’t have permission.

2 Likes

Oh, I thought you meant a bug bounty from your company.
In that case, yeah, Microsoft has bug bounties and they do pay out, handsomely in some cases.

So in your case you already did the work of finding it. Write up a short report and submit it. :)
You never know, it might be something they have missed.

2 Likes

I did it for Outlook (linked above) and got back a link to an article explaining how not to get phished.

2 Likes

Set up your own play tenant and test in that?