Overview

Recently I noticed that I was able to see user presence for people outside of my organization while composing emails in Microsoft Outlook. User presence indicates the user’s current status, like available, away, in a meeting, out of office, etc., typically driven by a user’s calendar entries.

My company’s domain is not federated or trusted in any way with these other organizations, so this information should not be flowing back and forth.

Image 1: Example showing users’ presence leaking across domains.

In the image above, I was composing an email to people at three different organizations, none of which are federated or trusted by my company’s domain. As you can see, I am able to see that one user is available, three are away, and one is in a meeting. I’ve confirmed that they are also able to see my availability.

One interesting facet of this problem is that it appears only to happen when I’m using my non-domain-joined MacBook Pro, signed in to Outlook and Teams using my corporate account. I cannot repeat this with my domain-joined PC.

Image 2: Composing an email to the same recipients on a domain-joined PC – user presence not showing.

What’s the risk?

Let me tell you a little something about business email compromise and wire fraud, which has resulted in $26 billion in losses since July 2016, according to the FBI (source). If I have targeted you, say the CFO of a Fortune 100 company, and am able to see your user presence without you having opted in, I can wait until you are out of office to impersonate you to your accounting staff and attempt to get them to wire money, or perform a variety of other types of activities designed to defraud you.

Microsoft’s Reaction

I attempted to report the issue to Microsoft via their Microsoft Security Response Center (MSRC) portal; however, a day later I received the following reply:

Personally I do think this enables an attacker to compromise the confidentiality of a Microsoft offering, but perhaps I was not convincing enough in my initial report – I will try again.

Repeatability

  • Non-domain-joined Mac, sign into Outlook and Teams with your corporate Office 365 credentials
  • Compose email to users at other companies that are also using Office 365 and Teams
  • Voila, your privacy is now compromised
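Before re-reporting or chasing this internally, an administrator will want a record of what their tenant’s external access (federation) configuration actually says, since presence sharing across tenants is normally governed by it. The following audit script is an added example, not part of the original post or any Microsoft guidance; it assumes the MicrosoftTeams PowerShell module is installed and that the account used holds a Teams administrator role. It only reads settings and changes nothing.

```powershell
# Added example: dump the tenant's external access (federation) settings so the
# observed presence leak can be compared against the documented configuration.
# Assumes: MicrosoftTeams PowerShell module installed, Teams admin role held.
Connect-MicrosoftTeams

# Tenant-wide federation configuration.
$fed = Get-CsTenantFederationConfiguration
[pscustomobject]@{
    AllowFederatedUsers = $fed.AllowFederatedUsers   # federation with other Microsoft 365 tenants
    AllowPublicUsers    = $fed.AllowPublicUsers      # Skype consumer users
    AllowedDomains      = $fed.AllowedDomains        # allow-list (if any) of federated domains
    BlockedDomains      = $fed.BlockedDomains        # explicitly blocked domains
} | Format-List

# External access policies that exist in the tenant and what each permits.
Get-CsExternalAccessPolicy |
    Select-Object Identity, EnableFederationAccess, EnablePublicCloudAccess

# Users who have a non-default (explicitly assigned) external access policy.
Get-CsOnlineUser |
    Where-Object { $_.ExternalAccessPolicy } |
    Select-Object UserPrincipalName, ExternalAccessPolicy
```

The post reports that presence leaked even though the domains involved were not federated, so treat this output as a baseline rather than a fix: if it shows federation disabled or the other organizations absent from the allow-list while users still see cross-tenant presence from non-domain-joined Macs, that discrepancy is exactly the evidence worth attaching to a repeat MSRC report.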
