
Microsoft Outlook displays full contact details for spoofed senders

Product harvests details from Active Directory without checking, say researchers

Cyber security research company Avanan has highlighted an omission in Outlook that it says renders the product vulnerable to phishing techniques.

In a blog post published today, the Check Point-owned company said that the Microsoft email client would display extensive details about spoofed email senders without authenticating the email first.

An attacker can send a spoofed email to the target, pretending to be from someone in the organization. The organization's Outlook client then looks up the spoofed sender's details in the company's Active Directory instance, filling in extra details for their identity.

Those details include photos, files shared between users, legitimate email addresses, and phone numbers. The victim can also see all of their previous communications with the spoofed colleague, creating a convincing listing in the victim's Outlook client that gives the spoofed email greater credibility.

The attack can be used for typical phishing purposes including credential harvesting.

According to Avanan's researchers, Outlook does not authenticate emails using technologies like the Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM). Instead, it leaves this to security tools that analyze emails before they reach a user's inbox.


SPF is a record listing IP addresses that are authorized to send emails from a domain, while a DKIM check allows an email's sender to sign it with a private key that the receiving software can then check.

To take advantage of this technique, the hacker must first successfully spoof the target organization's domain in a way that gets past anti-phishing scanners (assuming they have them).

"Spoofing is also made easier because Microsoft does not require verification before updating the user image on an email," Avanan's researchers said. "It will display all contact data for a user, even if that user has an SPF fail."

Microsoft users have asked about DKIM and SPF checks in Outlook on Microsoft's technical forum for Outlook Desktop, but with little success.

To resolve these issues, Avanan recommends that organizations use layered security to analyze mails before the inbox, checking for malicious files and links. They should also check a domain's reputation and run an SPF and DKIM check.

The Domain-based Message Authentication, Reporting & Conformance (DMARC) policy, built on SPF and DKIM, helps here. It ties the SPF and DKIM results to the domain in the From: header (alignment), lets domain owners publish a policy for how recipients should handle authentication failures, and reports results back to senders. Avanan also recommends that admins protect any applications interacting with Active Directory.
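To show what the recommended pre-inbox check actually decides, the following added example (not code from Avanan or Microsoft) evaluates a message the way a DMARC-aware gateway would: it reads the SPF and DKIM results from a constructed Authentication-Results header, tests whether the authenticated domains align with the From: domain under the record's aspf/adkim settings, and returns the domain owner's p= policy on failure. The organizational-domain logic is a deliberate simplification (last two labels) rather than a Public Suffix List lookup, and all domains and headers are constructed samples.

```python
import email
import email.utils
import re
from email import policy

def org_domain(domain):
    # Simplification (assumption): the organizational domain is the last two
    # labels. A real implementation consults the Public Suffix List.
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; aspf=r' into a tag dictionary."""
    pairs = (kv.split("=", 1) for kv in record.split(";") if "=" in kv)
    return {k.strip(): v.strip() for k, v in pairs}

def dmarc_disposition(raw_message, dmarc_record):
    """Return 'pass' when SPF or DKIM passed AND aligned with the From:
    domain; otherwise return the p= policy the domain owner published."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = email.utils.parseaddr(str(msg.get("From", "")))[1].split("@")[-1]
    ar = str(msg.get("Authentication-Results", ""))
    dmarc = parse_dmarc(dmarc_record)
    # SPF counts only if the MAIL FROM domain aligns with the From: domain.
    m = re.search(r"spf=pass[^;]*smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", ar)
    spf_ok = bool(m) and aligned(m.group(1), from_domain, dmarc.get("aspf", "r"))
    # DKIM counts only if the signing domain (d=) aligns with the From: domain.
    m = re.search(r"dkim=pass[^;]*header\.d=([^\s;]+)", ar)
    dkim_ok = bool(m) and aligned(m.group(1), from_domain, dmarc.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else dmarc.get("p", "none")

def build_message(from_addr, auth_results):
    """Constructed sample message; the Authentication-Results header is what
    an inbound gateway stamps after performing the SPF/DKIM checks."""
    return (f"From: {from_addr}\nTo: victim@victim.example\n"
            f"Authentication-Results: {auth_results}\nSubject: Invoice\n\nHi\n")

# Constructed records: the domain owner publishes relaxed alignment and p=reject.
RECORD = "v=DMARC1; p=reject; aspf=r; adkim=r"
SPOOFED = build_message("ceo@victim.example",
    "mx.victim.example; spf=fail (sender IP is 203.0.113.5) "
    "smtp.mailfrom=attacker.example; dkim=none")
LEGIT = build_message("ceo@victim.example",
    "mx.victim.example; spf=pass smtp.mailfrom=bounce@mail.victim.example; "
    "dkim=pass header.d=victim.example header.s=sel")
```

Run `dmarc_disposition(SPOOFED, RECORD)` to see the spoofed colleague message come back as `reject` while `LEGIT` passes; the same spoofed message reaches Outlook untouched if no such check runs before the inbox.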

In September, another researcher noted that Outlook would display a person's real contact details even if a phishing email used a homograph-based domain that looked similar to a legitimate one.
