In the Outlook desktop and web apps, the "display name" of an email's "From" header can be manipulated
- Sadananda Sahoo
- Jul 25, 2023
- 1 min read
Outlook Desktop
Description
Two bugs in Outlook make it possible for an attacker to make an email appear to come from an arbitrary email address, or even from no email address at all (which in Outlook signifies that the mail is from the same organization):
- The display name and the From address are rendered in the same visual element with no isolation between them, so an authenticated piece of information (the From address) can be manipulated by an arbitrary attacker-controlled string (the display name).
- Instead of telling the user in some way that "display name" + "From address" is very long, Outlook quietly truncates it. The attacker can therefore simply push the real From address off the screen.
This is as severe as a browser bug that lets a website choose what to show in the address bar.
Outlook web
Description
The following bug in Outlook makes it possible for an attacker to make an email appear to come from an arbitrary email address, or even from no email address at all (which in Outlook signifies that the mail is from the same organization):
- The display name and the From address are rendered in the same visual element with no isolation between them, so an authenticated piece of information (the From address) can be manipulated by an arbitrary attacker-controlled string (the display name).
Exploiting this bug requires a bit of creativity, because we can't force Outlook web to hide the real From address the way we did in Outlook desktop.
