A person could spam his friends with unwanted links to download the Outlook app. All he had to do was enter a friend's phone number on a web page that lets users receive the link to download the official Outlook app over SMS. The web page is hosted on an official Microsoft Outlook website, which could make this whole spam situation a little murky.
It is easy to spam & flood someone’s Inbox with Microsoft spam!
The idea here is to give users an easy way to install the Outlook app on their phone. But just as every coin has two sides, this too has its disadvantages. Users can simply flood anyone’s inbox by repeatedly requesting the URL to download the Outlook app over SMS.
As mentioned by cybersecurity firm Sophos, Italian security researcher Luca Epifanio had the exact same thought.
“What if someone decides to put in someone else’s phone number and then spam them over and over and over again?”
Obviously, this will be frustrating for users at the receiving end of the spam cycle. But in addition to causing frustration among the victims, the whole spam situation would also portray Microsoft in a really bad light.
Additionally, researchers warn that if found guilty of intentionally spamming others, people triggering the spam may face trouble from law enforcement or the regulators.
Researchers found and confirmed that users don’t receive more than three messages from this technique. Although Microsoft still accepts further attempts, it stops texting users once they have received three messages.
But there’s more to the story…
Luca found out that it’s possible to send three more messages to victims by replaying the original web request with a non-alphabetic character at the end. Then, with another non-alphabetic character, he was able to send three additional messages.
As researchers explain, this is the result of numbers that were the same in practice (the messages reached the same phone) but appeared different in theory (the submitted text differed), ultimately allowing the rate limit to be circumvented.
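The fix for this class of problem is to count requests against a canonical form of the number rather than the submitted text. The sketch below is an added example, not Microsoft's code; the function and class names, the sample number, and the assumption that the SMS gateway ignores non-digit characters are all illustrative.

```python
import re
from collections import Counter

MAX_SMS_PER_NUMBER = 3  # per-number cap reported in the article


def canonical_number(submitted: str) -> str:
    """Reduce a submitted number to the digits that decide where the SMS goes.

    Assumption: the SMS gateway ignores every non-digit character, so inputs
    with the same digits reach the same phone.
    """
    digits = re.sub(r"[^0-9]", "", submitted)
    if not digits or len(digits) > 15:  # 15 digits is the E.164 maximum
        raise ValueError("not a plausible phone number")
    return digits


class SmsRateLimiter:
    """Counts sends per key; key_func decides what counts as the same number."""

    def __init__(self, key_func, limit=MAX_SMS_PER_NUMBER):
        self.key_func = key_func
        self.limit = limit
        self.sent = Counter()

    def allow(self, submitted: str) -> bool:
        key = self.key_func(submitted)
        if self.sent[key] >= self.limit:
            return False
        self.sent[key] += 1
        return True


def delivered_per_phone(limiter, requests):
    """Replay the requests and count the SMS that reach each real phone."""
    delivered = Counter()
    for submitted in requests:
        if limiter.allow(submitted):
            delivered[canonical_number(submitted)] += 1
    return delivered


# Constructed sample: one fictional number in three spellings, four requests each.
SAMPLE_REQUESTS = [n for n in ("2025550100", "2025550100.", "2025550100-") for _ in range(4)]

if __name__ == "__main__":
    print("raw-string key:", dict(delivered_per_phone(SmsRateLimiter(lambda s: s), SAMPLE_REQUESTS)))
    print("canonical key: ", dict(delivered_per_phone(SmsRateLimiter(canonical_number), SAMPLE_REQUESTS)))
```

Keyed on the raw string, the limiter lets nine messages through to one phone; keyed on the canonical digits, it stops at three.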
It will be interesting to hear what Microsoft has to say about this discovery.
Meanwhile, let us know in the comments if you have ever encountered a similar problem. Till then, safe browsing!