How to report a security vulnerability to Microsoft?

Shubhansh Singh 10 Reputation points
2023-11-15T08:47:04.3+00:00

I have observed a security vulnerability in my Microsoft 365 Tenant.

Scenario: Message recall behavior.

Incident: An external sender tried recalling a message; the mail was originally sent to a DL of 50 members.

As expected, the message recall failed, but it triggered a message recall failure mail from every member of the DL to the recaller. This exposed all of our tenant's prime members' email addresses to the external user.

We tried reaching Microsoft 365 premium technical support and they responded:

  1. Issue is irreproducible.
  2. It was an isolated incident.
  3. They can't reach the RCA team since we have licenses via partner sellers.
  4. We are under a break/fix contract.
  5. The case is still active with no responses.

My concerns are:

  1. Who can assure that this vulnerability won't be exploited by unethical people in the future?
  2. Who shall I report this vulnerability to, to at least receive an acknowledgment from Microsoft?
  3. Who shall I reach out to for RCA/remediation/preventive action consultations?
  4. Post that incident, our users are also receiving a lot of backscattering NDRs.
  5. This clearly shows how significant it is to safeguard prime users' identities.

Can anyone suggest or help in engaging the right support/RCA or any other department of Microsoft?

Microsoft 365
Microsoft Exchange Online
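The pattern described in the question (many internal mailboxes each sending an automatic recall report or NDR to one external address within a short window) is visible in a message trace and can be flagged before anyone notices the address leak. The script below is an added example for that detection; it is not from the thread, from Microsoft, or from any tool mentioned here. The tenant domain, the subject prefixes used to recognise automatic reports, the thresholds and the trace rows are all constructed assumptions; adapt them to the fields your own trace export actually contains.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Assumptions (not from the thread): the tenant's own accepted domain, the
# subject prefixes that automatic recall reports and NDRs carry, and the
# fan-out window/threshold that counts as suspicious.
TENANT_DOMAIN = "contoso.example"
AUTO_REPORT_PREFIXES = (
    "Message Recall Failure:",
    "Message Recall Success:",
    "Undeliverable:",
)
WINDOW = timedelta(minutes=10)
MIN_SENDERS = 5  # distinct internal mailboxes replying to one external address

# Constructed sample in a message-trace-like CSV layout:
# timestamp, sender, recipient, subject.  Six DL members fire recall-failure
# reports at one external recaller within seconds; the other rows are noise.
SAMPLE_TRACE = """\
timestamp,sender,recipient,subject
2023-11-15T08:40:01Z,alice@contoso.example,bob@contoso.example,Lunch
2023-11-15T08:47:04Z,alice@contoso.example,outsider@partner.example,Message Recall Failure: Q4 plan
2023-11-15T08:47:05Z,bob@contoso.example,outsider@partner.example,Message Recall Failure: Q4 plan
2023-11-15T08:47:05Z,carol@contoso.example,outsider@partner.example,Message Recall Failure: Q4 plan
2023-11-15T08:47:06Z,dave@contoso.example,outsider@partner.example,Message Recall Failure: Q4 plan
2023-11-15T08:47:07Z,erin@contoso.example,outsider@partner.example,Message Recall Failure: Q4 plan
2023-11-15T08:47:08Z,frank@contoso.example,outsider@partner.example,Message Recall Failure: Q4 plan
2023-11-15T09:30:00Z,grace@contoso.example,someone@elsewhere.example,Undeliverable: hello
"""


def parse_trace(text):
    """Parse the CSV text into dicts with a real datetime in 'ts'."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def is_internal(address):
    return address.lower().endswith("@" + TENANT_DOMAIN)


def is_auto_report(subject):
    return subject.startswith(AUTO_REPORT_PREFIXES)


def find_fanout(records, window=WINDOW, min_senders=MIN_SENDERS):
    """Return one finding per external recipient that received automatic
    reports from at least `min_senders` distinct internal mailboxes inside
    any `window`-long interval."""
    by_recipient = defaultdict(list)
    for r in records:
        if is_internal(r["sender"]) and not is_internal(r["recipient"]) \
                and is_auto_report(r["subject"]):
            by_recipient[r["recipient"]].append(r)

    findings = []
    for recipient, rows in by_recipient.items():
        rows.sort(key=lambda r: r["ts"])
        for i, start in enumerate(rows):
            senders = set()
            j = i
            while j < len(rows) and rows[j]["ts"] - start["ts"] <= window:
                senders.add(rows[j]["sender"])
                j += 1
            if len(senders) >= min_senders:
                findings.append({
                    "recipient": recipient,
                    "sender_count": len(senders),
                    "senders": sorted(senders),
                    "first": start["ts"],
                    "last": rows[j - 1]["ts"],
                    "subjects": sorted({r["subject"] for r in rows[i:j]}),
                })
                break  # one finding per recipient is enough
    return findings


if __name__ == "__main__":
    for f in find_fanout(parse_trace(SAMPLE_TRACE)):
        print(f"{f['recipient']}: {f['sender_count']} internal mailboxes "
              f"sent automatic reports between {f['first']} and {f['last']}")
```

Each finding lists which internal addresses were revealed to which external party, which is exactly the evidence needed for an incident record or a report to the vendor. The same grouping, with the sender/recipient roles swapped, flags the backscatter case the question mentions: many external addresses bouncing to one internal mailbox in a short window.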

2 answers

  1. Vasil Michev 96,516 Reputation points MVP
    2023-11-16T08:17:03.6666667+00:00

    So, this has been confirmed as "known issue" with the legacy Outlook message recall feature. I cannot share any ETA or additional details as to a potential fix, but it's on the radar.

    Exchange Online customers should already be protected from this, thanks to the new "cloud-based" message recall feature: https://techcommunity.microsoft.com/t5/exchange-team-blog/cloud-based-message-recall-in-exchange-online/ba-p/3744714

    Going forward, the new Outlook client and its webmail counterpart will only support the new message recall, thus negating the issue. For on-premises customers, a potential fix should be released, as mentioned above.


  2. Shubhansh Singh 10 Reputation points
    2024-05-08T11:04:45.4733333+00:00

    Hi all, the exact answer to my request would be as below.

    Microsoft Security Response Center is the best place to submit such responses.

    Although, I believe it's too late for me to update them.

    https://msrc.microsoft.com/
