How I Discovered a $3000 Microsoft Outlook Security Vulnerability

Hey everyone! I’m Swaraj Singh, and today, I’m sharing my experience of uncovering a critical security vulnerability in Microsoft Outlook. This discovery ultimately led to a $3000 bounty from the Microsoft Security Response Center (MSRC).

The Discovery

Many organizations implement restrictions that prevent users from downloading attachments on unauthorized devices like personal laptops or mobile phones. These restrictions are designed to protect sensitive data, ensuring that attachments are only downloaded on approved, secure devices.

However, while testing Outlook’s attachment preview feature, I discovered that by manipulating the URL after previewing an attachment, I could bypass these restrictions and download attachments directly on unauthorized devices.

Proof of Concept (PoC)

Here’s the step-by-step breakdown of how this vulnerability could be exploited:

1. Login to Outlook and open an email containing an attachment.
2. Click Preview to view the attachment in your browser.
3. Copy the part of the URL after /sxs/.
4. Use this modified URL structure:

https://outlook.office.com/owa/X/service.svc/s/GetAttachmentDownloadToken?redirect=%2fowa%2fX%2fservice.svc%2fs%2fGetAttachmentThumbnail%3fid%3dY

Replace X with your email address.

Replace Y with the copied value from step 3.

5. Paste this updated URL into your browser, and the attachment will download successfully, bypassing the usual restrictions.

Reporting to Microsoft

I reported this vulnerability to Microsoft’s Security Response Center on November 2, 2022. MSRC responded promptly, acknowledging the issue and proceeding with a fix. Here’s the timeline of events:

• January 7, 2023: The vulnerability was acknowledged, and the status changed to Develop.
• February 22, 2023: The issue was moved to Pre-Release, as Microsoft prepared a patch.
• March 4, 2023: The patch was marked Complete, and I received a $3000 bounty for the discovery.

Happy Me

Why This Vulnerability Was Significant

This vulnerability allowed users to bypass security restrictions that were meant to prevent the downloading of attachments on unauthorized devices. In environments where Outlook is used to handle sensitive or confidential documents, this could have led to unauthorized access to important files.

Lessons Learned

1. Small Details Can Have Big Consequences: What seems like a minor flaw can lead to serious vulnerabilities.
2. Responsible Disclosure Pays Off: If you find a security vulnerability, reporting it to the company can not only improve their security but also reward your efforts.
3. Security Gaps Exist Everywhere: Simple things like URL manipulation can sometimes expose critical gaps in a system’s security.

Where to find me →
Twitter: https://x.com/singhswaraj_
Linkedin: https://www.linkedin.com/in/singhswaraj/

Thank you for reading my blog and Happy Hacking :)