Hackers Clone CEOs via Microsoft Bookings

Microsoft Bookings, a popular feature in Microsoft 365, has been identified as a potential security threat to companies. According to Cyberis, users are able to create accounts in Entra without requiring administrative rights, which could lead to various malicious activities by attackers. These include creating fake records disguised as real employees to carry out internal phishing attacks or manipulate external partners.

If an attacker gains access to an employee’s account within Microsoft 365, they can use the ability to create shared booking pages to impersonate key individuals within the company, such as a CEO or financial manager. This impersonation could be used to deceive employees and orchestrate fraudulent fund transfers.
