Blog | G5 Cyber Security

PoC Released for Outlook Flaw that Microsoft Patched 6 Months After Discovery

Security researcher Bryan Appleby from F5 Networks released a proof-of-concept for the Outlook vulnerability that he reported to Microsoft almost six months ago. The vulnerability resided in the way the email server parses HTML entities in email messages. Appleby found that executing JavaScript code inside an iframe can allow an attacker to read app-related content in the context of the logged-in Outlook user, including cookies, tokens and even some contents of their email inbox. Microsoft patched the vulnerability and released a fix just 2 days ago; that's almost 6 months after the initial disclosure.

Source: https://thehackernews.com/2019/06/microsoft-outlook-vulnerability.html
