Michael Bargury

    Microsoft Bookings – Facilitating Impersonation

    TL;DR: if Booking Pages are enabled (the default, of course), users can create a mailbox for any alias they want on your tenant without admin consent. This is WILD.

    Special aliases are used for verification purposes all of the time. Here’s an example from HaveIBeenPwned:

    HaveIBeenPwned domain-level verification

    Thank you Rolf Schwimmbeck for pointing me to it.
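
A defender-side check for the issue described above, as an added example that is not part of the original post: it reports whether Bookings mailbox creation is enabled and lists Bookings scheduling mailboxes whose address uses an alias commonly trusted for verification. It assumes a connected Exchange Online PowerShell session (`Connect-ExchangeOnline`); the `$reserved` alias list is an illustrative assumption, not taken from the post or from HaveIBeenPwned.

```powershell
# Added example: audit Bookings-created mailboxes for sensitive aliases.
# Assumes Connect-ExchangeOnline has already been run with a role that can read mailboxes.

# Local parts often trusted as proof of domain ownership (assumed list, adjust as needed).
$reserved = 'admin', 'administrator', 'hostmaster', 'postmaster',
            'webmaster', 'security', 'abuse', 'root'

# 1. Is Bookings enabled for the tenant, and which OWA policies let users create booking mailboxes?
Get-OrganizationConfig | Select-Object BookingsEnabled
Get-OwaMailboxPolicy   | Select-Object Name, BookingsMailboxCreationEnabled

# 2. Bookings pages are backed by mailboxes of type SchedulingMailbox.
#    Check every SMTP proxy address on each one against the reserved list.
$hits = Get-Mailbox -RecipientTypeDetails SchedulingMailbox -ResultSize Unlimited |
    ForEach-Object {
        $mbx = $_
        $mbx.EmailAddresses |
            Where-Object { $_ -like 'smtp:*' } |        # -like is case-insensitive: matches SMTP: and smtp:
            ForEach-Object {
                $address   = $_ -replace '^smtp:', ''
                $localPart = $address.Split('@')[0].ToLower()
                if ($reserved -contains $localPart) {
                    [pscustomobject]@{
                        DisplayName = $mbx.DisplayName
                        Address     = $address
                        WhenCreated = $mbx.WhenCreated
                    }
                }
            }
    }

# 3. Report. Any row here is a user-created mailbox holding a reserved alias.
if ($hits) {
    $hits | Sort-Object WhenCreated | Format-Table -AutoSize
} else {
    'No scheduling mailbox uses a reserved alias.'
}

# Mitigation (run deliberately, per policy; <PolicyName> is a placeholder):
# Set-OwaMailboxPolicy -Identity '<PolicyName>' -BookingsMailboxCreationEnabled:$false
```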

    Updated: May 7, 2025
