Microsoft Outlook shows full contact details of spoofed senders

Cybersecurity research firm Avanan has highlighted an omission in Outlook that it says makes the product vulnerable to phishing techniques.

In a blog post published today, the Check Point-owned company said the Microsoft email client will show many details about spoofed email senders without first authenticating the email.

An attacker can send a spoofed email to the target, claiming to be from someone in the organization. The organization’s Outlook client then searches for the spoofed sender’s details in the company’s Active Directory instance, filling in additional details for their identity.

These details include photos, files shared between users, legitimate email addresses and phone numbers. The recipient can also see all of their previous communications with the spoofed colleague, a compelling list in the victim’s Outlook client that lends greater credibility to the spoofed email.

The attack can be used for typical phishing purposes, including harvesting credentials.

According to Avanan researchers, Outlook does not authenticate emails using technologies such as Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM). Instead, it leaves that to security tools that scan emails before they reach a user’s inbox.

SPF is a record listing the IP addresses authorized to send emails from a domain, while DKIM allows the sender of an email to sign it with a private key, producing a signature that the recipient software can then check.

To take advantage of this technique, the attacker must first successfully impersonate the target organization’s domain in a way that passes anti-phishing scanners (assuming they have them).

“Spoofing is also made easier because Microsoft does not require any verification before updating a user’s image on an email,” the Avanan researchers said. “It will display all of a user’s contact data, even if that user has an SPF failure.”

Microsoft users have asked about DKIM and SPF checks in Outlook on the Microsoft Technical Forum for Outlook Desktop, but with little success.

To address these issues, Avanan recommends organizations use layered security to scan email before the inbox, looking for malicious files and links. They should also check a domain’s reputation and run an SPF and DKIM check.

The DMARC (Domain-based Message Authentication, Reporting & Conformance) policy, based on SPF and DKIM, helps here. It is tied to the From: domain and supports policies for how recipients handle authentication failures, as well as reporting to senders. Avanan also recommends that administrators protect all applications that interact with Active Directory.
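The check described above can be sketched as a triage step that runs before any directory details are trusted. This is an added example, not code from Avanan or Microsoft. It assumes an internal domain of `example.com` and a mail gateway that stamps `Authentication-Results` headers with the authserv-id `mx.example.com`; both values and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions, constructed for this example: the organization's own domain and
# the authserv-id its mail gateway writes into Authentication-Results headers.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_AUTHSERV_ID = "mx.example.com"
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)

def gateway_verdicts(msg):
    """Return spf/dkim/dmarc results from headers stamped by our own gateway."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = header.partition(";")
        tokens = authserv_id.split()
        if not tokens or tokens[0].lower() != TRUSTED_AUTHSERV_ID:
            continue  # not written by our gateway, so it may be sender-supplied
        for method, result in RESULT_RE.findall(results):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def classify(raw):
    """Label a message by its From: domain and the gateway's DMARC verdict."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in INTERNAL_DOMAINS:
        return "external"
    if gateway_verdicts(msg).get("dmarc") == "pass":
        return "internal-authenticated"
    return "internal-unauthenticated"  # claims a colleague, but is unproven

# Constructed sample: internal From:, gateway records failures, and the message
# also carries a second Authentication-Results header the gateway did not write.
SPOOFED = (
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;\n"
    " dkim=none; dmarc=fail header.from=example.com\n"
    "Authentication-Results: mail.sender.invalid; spf=pass; dkim=pass; dmarc=pass\n"
    "From: Alice Smith <alice@example.com>\n"
    "Subject: Updated payroll form\n\nbody\n"
)
# Constructed sample: genuine internal mail that passed at the gateway.
GENUINE = (
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
    "From: Alice Smith <alice@example.com>\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, classify(raw), gateway_verdicts(message_from_string(raw)))
```

Messages labelled `internal-unauthenticated` are the case the researchers describe: the From: address matches a colleague, so the client fills in the contact card, while the gateway's own results show the sender was never verified.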

In September, another researcher noted that Outlook would show a person’s real contact information even if a phishing email used a homograph-based domain that looked like a legitimate domain.
