Outlook: Account descriptions
🚨 The Signal: New Outlook allows custom account descriptions. The change seems minor, but if descriptions are not properly managed, it could aid phishing by making malicious accounts appear more legitimate, increasing user susceptibility to social engineering.
The Impact
End users are affected, with a low security risk related to potential social engineering if custom labels are misused.
- End users: May be more susceptible to phishing if custom labels are used to impersonate legitimate accounts.
- Security teams: Increased need for user education on verifying sender identity beyond display names/labels.
- Help desk: Potential for increased support requests related to account confusion or phishing attempts leveraging custom labels.
The Action
- Educate users on verifying sender email addresses, not just display names or custom account descriptions.
- Reinforce existing security awareness training regarding social engineering tactics.
- Monitor for any increase in phishing attempts leveraging custom account descriptions.
Domain: M365-Apps · Impact: low · Workload: M365 Apps