Microsoft Outlook UI Issue Exposed a Billion Users to Advanced Phishing Attacks
Note - This article was written by a human, without using AI ;)
This research is about an advanced email spoofing technique used by some threat actors. It is based on a strange UI behavior in Microsoft Outlook mobile apps. This is not about the usual email spoofing that relies on missing DMARC or SPF records of the target domain.
The issue is related to how Outlook’s user interface displays email sender information, allowing an attacker to make a malicious email appear as if it came from a legitimate source, without raising any red flags.
So what exactly is this vulnerability type? I believe this issue is a classic example of CWE-451: User Interface (UI) Misrepresentation of Critical Information.
How does it work?
Let's explore how an attacker would use this technique to impersonate any email address. For this example, I will demonstrate impersonating a Microsoft email address.
1. The attacker crafts the phishing email and sends it to the victim.
2. BUT while sending it, they keep the impersonated email address (a Microsoft email address in our case) in the 'TO' field, and put the victim's email address in the 'BCC' field.
3. The victim is using Outlook for mobile, so he/she will only see the sender's display name and the 'TO' email address ([email protected]) right below the display name.
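The pattern above can be checked on the receiving side from the message headers alone: the recipient's own address is absent from 'To'/'Cc' (so the copy arrived via BCC), while the 'To' header names a domain the actual sender does not use. The following is an added example, not code from the original post; the two messages and all addresses (`.example` domains) are constructed placeholders, and the mailbox address is assumed to be known.

```python
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses, parseaddr

# Constructed sample: the victim is only in BCC, so the visible 'To' header
# shows a brand-looking address that the sender does not control.
SPOOFED_MSG = b"""From: "Microsoft Admin" <notice@attacker.example>
To: account-security@microsoft.example
Subject: Action required
Content-Type: text/plain

Please confirm your account.
"""

# Constructed sample: ordinary internal mail addressed directly to the recipient.
NORMAL_MSG = b"""From: "IT Helpdesk" <helpdesk@corp.example>
To: alice@corp.example
Subject: Maintenance window
Content-Type: text/plain

Servers restart tonight.
"""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw: bytes, mailbox: str) -> dict:
    """Inspect one RFC 5322 message as received by `mailbox` and return findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    cc_addrs = [a.lower() for _, a in getaddresses(msg.get_all("Cc", []))]
    to_domains = {_domain(a) for a in to_addrs}
    # Recipient missing from To/Cc: the copy arrived through BCC (or a list expansion).
    via_bcc = mailbox.lower() not in to_addrs + cc_addrs
    # 'To' names a domain the sender does not use. Alone this is normal for any
    # external mail; combined with BCC delivery it is the pattern described above.
    to_mismatch = bool(to_domains) and _domain(from_addr) not in to_domains
    # A display name that echoes the 'To' domain label reinforces the false impression.
    name_echoes = any(d.split(".")[0] in display_name.lower() for d in to_domains)
    return {"from": from_addr, "display_name": display_name, "via_bcc": via_bcc,
            "to_domain_mismatch": to_mismatch, "name_echoes_to_domain": name_echoes,
            "suspicious": via_bcc and to_mismatch}


if __name__ == "__main__":
    print(analyze_message(SPOOFED_MSG, "victim@personal.example"))
    print(analyze_message(NORMAL_MSG, "alice@corp.example"))
```

Mailing-list traffic also arrives without the recipient in 'To'/'Cc', so in practice this heuristic is a triage signal to combine with sender reputation and authentication results, not a block rule on its own.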
Proof of Concept
For the proof of concept, I needed to change my display name from 'Ashutosh Barot' to something convincing, like 'Microsoft Admin' or 'Amazon IT'.
After changing my email's display name, I sent an email to another account (in 'BCC') which I had added in MS Outlook for Android. Sure enough, the email appeared as if it had been sent from Microsoft.
As shown in the screenshots below, the technique works flawlessly. No security warnings were triggered, and the victim would believe the email is from [email protected]; remember that the receiver of this crafted email is in 'BCC'.
While viewing the email, the user had to tap on the sender name to view the accurate sender information. The detailed information was visible as shown in the screen below.
Just to be clear, this technique works regardless of the target domain's DNS settings (or any other security configurations). DMARC, SPF, DKIM—none of them matter in this case. ANY email address could be spoofed using this technique. I checked this issue with other email clients as well, such as Gmail and Thunderbird, and noticed that they clearly labelled the 'TO' field.
ProtonMail Abuse Detection
I used ProtonMail for the PoC. After changing my display name and sending the spoofed email, I was logged out of my ProtonMail account. When I tried to log back in, I saw the worst possible error message: "This account has been suspended." Within minutes of changing my display name and sending the email (for the PoC), ProtonMail's abuse detection system flagged my activity as suspicious (as they should have) and suspended my account. I was impressed by how fast they reacted. Some serious monitoring!
I used the appeal option to explain that I was a security researcher working on email security, and requested that they re-evaluate their decision. They could see that I had used example[.]com and attacker-website[.]com in my test emails. I also mentioned that I had reported valid security issues to ProtonMail as well. Despite my explanation, ProtonMail rejected my appeal, and the account remains suspended. :(
Be careful if you are using ProtonMail for email security research. Their detection and response systems are incredibly effective, and you might end up without an account in which to even document your findings. The appeal option is also not helpful.
After 2 years, Microsoft Fixed it!
I reported this issue on 18 Oct 2022; Microsoft rejected the report [VULN-079224] as a security issue and closed it. I checked recently and noticed that Microsoft has now fixed this issue. So, please make sure you are using the latest version of the Outlook mobile apps.
This is how the email looks in Outlook's latest version after the fix, as shown below. It now shows a 'TO' label in front of the 'TO' email address.
Kindly share the article with others, so they can update their Outlook mobile apps, and feel free to read my other writeups on this blog.