Hackread reports that Microsoft Bookings has been impacted by a new vulnerability, which could be leveraged to facilitate spoofing attacks, illicit TLS certificate purchases, and domain name transfers, as well as account takeovers.
According to a report from Cyberis, the issue stems from two defaults in Microsoft Bookings: Shared Booking Pages can be created by default by any user with a suitable Microsoft 365 license, and each page automatically receives a mailbox whose email address is derived from the page's name. Together these allow an attacker to create legitimate-looking email addresses on the organization's domain for malicious activity. Besides enabling covert account hijacking by recycling former employees' email addresses and passing domain-ownership verification for SSL certificates, threat actors could easily launch phishing attacks with seemingly legitimate messages, profile pictures, and signatures to exfiltrate sensitive data without being detected, noted Cyberis Director Geoff Jones. Organizations have been urged to identify hidden mailboxes, monitor and review newly created accounts and permissions, restrict who can create booking pages, and harden email address controls and security configurations to prevent such exploitation.
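As an added example (not code from Hackread, Cyberis, or Microsoft), the following Exchange Online PowerShell script shows how a defender can act on those recommendations: it inventories the hidden scheduling mailboxes that back Bookings pages, flags recently created ones and ones whose local part matches a soft-deleted (former employee) mailbox, reports the tenant-wide Bookings settings, and shows the settings that restrict page creation. It assumes the ExchangeOnlineManagement module, an admin role that can read organization configuration, the default OWA policy name `OwaMailboxPolicy-Default`, and an assumed 30-day review window.

```powershell
# Added example: inventory and review Microsoft Bookings mailboxes in Exchange Online.
# Assumptions: ExchangeOnlineManagement module installed; account holds a role that can
# run Get-Mailbox / Get-OrganizationConfig; 30-day window is an arbitrary review period.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$reviewWindowDays = 30   # assumed value; tune to the organization's review cadence

# 1. Every Bookings page is backed by a mailbox of type SchedulingMailbox, which is
#    hidden from address lists and therefore absent from the usual mailbox views.
$bookingMailboxes = Get-Mailbox -RecipientTypeDetails SchedulingMailbox -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, WhenCreated, HiddenFromAddressListsEnabled

Write-Host "Bookings (scheduling) mailboxes found: $($bookingMailboxes.Count)"
$bookingMailboxes | Sort-Object WhenCreated -Descending | Format-Table -AutoSize

# 2. Pages created inside the review window should be matched against change records
#    or a request ticket; an unexplained page is the thing to investigate.
$cutoff = (Get-Date).AddDays(-$reviewWindowDays)
$recent = $bookingMailboxes | Where-Object { $_.WhenCreated -gt $cutoff }
Write-Host "Created in the last $reviewWindowDays days: $($recent.Count)"
$recent | Format-Table DisplayName, PrimarySmtpAddress, WhenCreated -AutoSize

# 3. A Bookings address that reuses the local part of a departed employee's mailbox
#    is the recycling scenario described in the report. Soft-deleted mailboxes are
#    the most readily available list of recently removed accounts.
$softDeleted = Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress

$formerLocalParts = @{}
foreach ($m in $softDeleted) {
    $local = ($m.PrimarySmtpAddress.ToString() -split '@')[0].ToLowerInvariant()
    $formerLocalParts[$local] = $m.DisplayName
}

$collisions = foreach ($b in $bookingMailboxes) {
    $local = ($b.PrimarySmtpAddress.ToString() -split '@')[0].ToLowerInvariant()
    if ($formerLocalParts.ContainsKey($local)) {
        [pscustomobject]@{
            BookingsAddress   = $b.PrimarySmtpAddress
            BookingsCreated   = $b.WhenCreated
            FormerMailboxName = $formerLocalParts[$local]
        }
    }
}
Write-Host "Bookings addresses matching a soft-deleted mailbox: $(@($collisions).Count)"
$collisions | Format-Table -AutoSize

# 4. Tenant-wide Bookings settings. BookingsEnabled governs the feature entirely;
#    the *Restricted / *Required switches narrow what a page can expose or who may
#    be added to it.
Get-OrganizationConfig | Select-Object BookingsEnabled,
    BookingsAuthEnabled,
    BookingsAddressEntryRestricted,
    BookingsSocialSharingRestricted,
    BookingsMembershipApprovalRequired,
    BookingsExposureOfStaffDetailsRestricted |
    Format-List

# 5. Restricting page creation. Either stop creation for users under a given OWA
#    mailbox policy (the default policy name is assumed here), or disable Bookings
#    for the whole tenant. Both are shown commented out; run only after review.
# Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -BookingsMailboxCreationEnabled $false
# Set-OrganizationConfig -BookingsEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

The collision check in step 3 is deliberately simple (exact match on the local part); a production version would also compare against an HR leavers list and against aliases on existing mailboxes, since a newly created page could shadow an active alias as well as a retired one.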