msrc disc. (outlook exploit)
scheduled to be released oct 30th 2025.
i cannot reveal much right now but here’s a good (very broad) summary:
improper normalization and validation of an email address field in the request used to create an outlook group allowed any actor with an outlook account to claim any reserved address, such as webmaster@outlook.com (privileged domain contact addresses that can be actioned to perform takeovers), and, combined with further methods of tricking the validator, existing inboxes belonging to regular accounts. in summary, this vulnerability allows an attacker to take over any user’s inbox.
