Vulnerability Management, Application security

Impersonation attacks possible with novel Microsoft Bookings bug

A Microsoft logo is displayed on a smartphone on top of a laptop keyboard.

Hackread reports that Microsoft Bookings has been impacted by a new vulnerability, which could be leveraged to facilitate spoofing attacks, illicit TLS certificate purchases, and domain name transfers, as well as account takeovers.

Such an issue stems from Microsoft Bookings enabling the creation of Shared Booking Pages by default for users with proper Microsoft 365 licenses and automated Booking Page name-based email address generation, which could be exploited to create legitimate-looking email addresses for malicious activity, according to a report from Cyberis. Aside from enabling covert account hijacking through the recycling of former employee email addresses and verification of SSL certificate domain ownership, threat actors could also easily launch phishing attacks with seemingly legitimate messages, profile pictures, and signatures to exfiltrate sensitive data without being detected, noted Cyberis Director Geoff Jones. Organizations have been urged to determine concealed mailboxes, track and review incoming accounts and permissions, limit booking access, and strengthen email address security, as well as bolster security configurations to avoid such exploitation.

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds