400 million Outlook users at risk from security bug — what you need to know

News
By published

Newly discovered email spoofing bug lets bad actors impersonate Microsoft corporate accounts

Outlook
(Image credit: Shutterstock)

A security researcher has uncovered a bug in Outlook that could allow anyone to impersonate Microsoft corporate email accounts, giving phishing attempts an air of legitimacy to trick unsuspecting targets. An urgent warning has been issued to Outlook's roughly 400 million users as the vulnerability remains unpatched.  

Vsevolod Kokorin, a security researcher at SolidLab, first sounded the alarm about this email spoofing bug in a post on  X (formerly Twitter) last week. He said he disclosed the issue to Microsoft, only for the company to dismiss his report after saying it couldn't reproduce his findings. Frustrated, Kokorin took to X to warn others while rightly refusing to provide the technical details needed to exploit the vulnerability.   

As demonstrated in screenshots he shared, the bug lets anyone impersonate an official Microsoft corporate account when sending an email to another Outlook user. In an update, he said that Microsoft has acknowledged the issue, though a timeline for when it'll be patched remains unclear. He also told TechCrunch that Microsoft may have come across his tweet, as it has since reopened one of the reports he submitted several months ago. We've reached out to Microsoft for comment and will update this story once we hear back. 

How to protect yourself from new Outlook spoofing bug

Given that bad actors only need to email another Outlook account to exploit this bug, all 400 million Outlook users are at risk of phishing attempts from otherwise legitimate look Microsoft corporate accounts. While we don't know yet when it'll be patched, if you're an Outlook user, there are some precautions you can take in the meantime to stay safe. 

Unfortunately, it mostly boils down to the age-old advice of staying vigilant. It's highly recommended that you stay alert to any messages you receive that appear to be from Microsoft. Kokorin has advised all Outlook users to be weary when opening new emails and to avoid clicking on strange links. Consider signing up for one of the best antivirus software solutions as well, many of which give you access to a VPN, password manager and other extras to help you stay safe online.

More from Tom's Guide

See more Computing News
TOPICS
Alyse Stanley
Alyse Stanley
News Editor

Alyse Stanley is a news editor at Tom’s Guide overseeing weekend coverage and writing about the latest in tech, gaming, and entertainment.Prior to joining Tom’s Guide, Alyse worked as an editor for the Washington Post’s sunsetted video game section, Launcher. She previously led Gizmodo’s weekend news desk and has written game reviews and features for outlets like Polygon, Unwinnable, and Rock, Paper, Shotgun. She’s a big fan of horror movies, cartoons, and roller skating.

Read more
A person using a laptop with a warning message appearing on screen
Millions of email users at risk — passwords could be exposed to hackers, experts warn
A hacker typing quickly on a keyboard
Hackers can steal your accounts, and all it takes is a double-click — don’t fall for this new form of clickjacking
Hooded cybercriminal sitting with laptop surround by hooks
New report details the brands that scammers like to impersonate most — and you'll definitely guess who's at the top
A person typing on a computer while hackers use phishing to steal a file from their computer
Phishing: What is it, and how to avoid it
Windows
240 million Windows 10 users are vulnerable to six different hacker exploits — protect yourself now
A hacker typing quickly on a keyboard
Hackers are posing as Apple and Google to infect Macs with malware — don’t fall for these fake browser updates
Latest in Online Security
A picture of a skull and bones on a smartphone depicting malware
Hundreds of malicious Android apps with 60 million downloads found spamming Android users with ads and stealing credentials
Malware
Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs
An FBI agent typing on a computer
FBI issues warning to millions of Americans to avoid these websites that can steal your passwords and banking info
A hacker typing quickly on a keyboard
New MassJacker malware is hijacking digital wallets to steal large sums from users
iPhone 15 Pro Max shown in hand
5 iPhone settings you should always shut off — because they’re a security nightmare
A woman using her laptop securely with a cup of coffee in hand
5 common mistakes people make when shopping for antivirus software
Latest in News
NYTimes Connections
NYT Connections today hints and answers — Wednesday, March 19 (#647)
Chromecast with Google TV connected to display
Google finally pushes out full Chromecast fix for users who factory reset — here’s what to do
A picture of a skull and bones on a smartphone depicting malware
Hundreds of malicious Android apps with 60 million downloads found spamming Android users with ads and stealing credentials
Switch 2 console and logo
Nintendo Switch 2 rumor just tipped possible release date — and it's much sooner than we thought
Hacker typing on laptop in darkened room
Hackers create "BRUTED" tool to attack VPNs – how to stay safe
Malware
Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs
More about online security
A picture of a skull and bones on a smartphone depicting malware

Hundreds of malicious Android apps with 60 million downloads found spamming Android users with ads and stealing credentials
Malware

Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs
March Madness games on YouTube TV using multiview

This is how I've streamed March Madness for the past 2 years — and it's the only way to watch every second of all 67 games
See more latest
Most Popular
Prime Video logo appears on a tablet surrounded by a can of soda, spilled popcorn, headphones and a cactus
5 best Prime Video movies to stream before they leave this month
NYT Strands on a cellphone
NYT Strands today — hints, spangram and answers for game #381 (Wednesday, March 19 2025)
NYTimes Connections
NYT Connections today hints and answers — Wednesday, March 19 (#647)
Chromecast with Google TV connected to display
Google finally pushes out full Chromecast fix for users who factory reset — here’s what to do
Switch 2 console and logo
Nintendo Switch 2 rumor just tipped possible release date — and it's much sooner than we thought
A picture of a skull and bones on a smartphone depicting malware
Hundreds of malicious Android apps with 60 million downloads found spamming Android users with ads and stealing credentials
Twisters movie (2024)
Prime Video just added this action-packed thriller with Glen Powell — stream 'Twisters' now
A March Madness 2025 basketball on a chair at University of Dayton Arena
March Madness LIVE: watch and stream NCAA basketball, odds as First Four gets underway
(L-R) Mark Eydelshteyn as Vanya and Mikey Madison as Anora "Ani" Mikheeva in "Anora"
Hulu top 10 movies — here's the 3 you need to stream right now
NordProtect logo on black background
NordVPN's NordProtect cyber insurance goes solo – and adds a key new feature