Microsoft Outlook shows full contact details of spoofed senders

Cybersecurity research firm Avanan has highlighted an omission in Outlook that it says makes the product vulnerable to phishing techniques.

In a blog post published today, the Check Point-owned company said the Microsoft email client will show many details about spoofed email senders without first authenticating the email.

An attacker can send a spoofed email to the target, claiming to be from someone in the organization. The organization’s Outlook client then searches for the spoofed sender’s details in the company’s Active Directory instance, filling in additional details for their identity.

These details include photos, files shared between users, legitimate email addresses and phone numbers. They can also see all of their previous communications with the spoofed colleague, creating a compelling list in the victim’s Outlook client that lends greater credibility to the spoofed email.

The attack can be used for typical phishing purposes, including harvesting credentials.

According to Avanan researchers, Outlook does not authenticate emails using technologies such as Sender Policy Framework (SPF) or DomainKeys Identifed Mail (DKIM). Instead, it leaves that to security tools that scan emails before they reach a user’s inbox.

SPF is a record listing the IP addresses authorized to send emails from a domain, while a DKIM verification allows the sender of an email to sign it with a private key that the recipient software can then check.

To take advantage of this technique, the attacker must first successfully impersonate the target organization’s domain in a way that passes anti-phishing scanners (assuming they have them).

“Spoofing is also made easier because Microsoft does not require any verification before updating a user’s image on an email,” the Avanan researchers said. “It will display all of a user’s contact data, even if that user has an SPF failure.”

Microsoft users have asked about DKIM and SPF checks in Outlook on the Microsoft Technical Forum for Outlook Desktop, but with little success.

To address these issues, Avanan recommends organizations use layered security to scan email before the inbox, looking for malicious files and links. They should also check a domain’s reputation and run an SPF and DKIM check.

The DMARC (Domain-based Message Authentication, Reporting & Conformance) policy, based on SPF and DKIM, helps here. It is tied to the From: domain and supports recipient authentication failure management policies and sender reporting. Avanan also recommends that administrators protect all applications that interact with Active Directory.

In September, another researcher noted that Outlook would show a person’s real contact information even if a phishing email used a homograph-based domain that looked like a legitimate domain.