A critical vulnerability in Microsoft Bookings has been discovered, posing significant security risks to organizations using Microsoft 365 services. The flaw, inherent in the default configuration of the “Shared Booking Pages” feature, allows attackers to create unauthorized Entra (formerly Azure AD) accounts and impersonate legitimate users. This can lead to serious security breaches, as attackers can gain unauthorized access to systems and potentially conduct sophisticated phishing campaigns or access sensitive company data.
The vulnerability stems from the fact that when a user creates a shared Booking page, it automatically generates a fully functional account in Entra without requiring administrative privileges. Attackers who have compromised a Microsoft 365 user account can exploit this flaw to create accounts that mimic legitimate employees, bypassing impersonation filters and gaining access to email addresses that may belong to former employees. This could allow attackers to reset passwords for external services, verify domain ownership for SSL certificates, and create hidden, fully functional mailboxes that do not consume Microsoft 365 licenses.
The impact of this vulnerability extends to the potential for attackers to impersonate high-profile individuals within an organization, allowing them to conduct advanced phishing attacks and potentially gain control over critical systems. The created accounts can send and receive emails regardless of sharing settings, enabling attackers to intercept sensitive communications and reset online services linked to compromised email addresses. This makes the flaw particularly dangerous as it can lead to significant data loss, system compromise, and financial fraud.
To mitigate the risks associated with this vulnerability, security experts recommend that organizations take several proactive steps: audit existing Shared Booking Pages using Exchange Online PowerShell, disable the ability of end users to create shared Booking pages unless it is genuinely needed, and monitor Entra for unusual account-creation activity. Businesses should also review and revoke unnecessary mailbox permissions on a regular basis, and disable the Bookings feature entirely if it is not in use. Organizations must remain vigilant in securing their Microsoft 365 environments and take immediate action to protect against potential exploitation of this flaw.
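The Exchange Online side of those recommendations can be scripted. The following PowerShell is an added example, not code from the article or from Microsoft: it inventories every Shared Booking Page (each one is backed by a mailbox whose RecipientTypeDetails is SchedulingMailbox), flags pages whose display name matches a real employee mailbox or that were created recently, lists the explicit delegates on each page so unnecessary permissions can be revoked, and then turns off end-user creation of new pages. The 30-day lookback window, the policy name OwaMailboxPolicy-Default and the CSV path are assumptions; the Entra audit-log monitoring the article also recommends is outside this Exchange Online script.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds Exchange administrator rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$LookbackDays = 30   # assumption: pages created within the last 30 days are "recent"

# 1. Inventory every Shared Booking Page. Each page is a SchedulingMailbox recipient.
$bookingMailboxes = Get-EXOMailbox -RecipientTypeDetails SchedulingMailbox -ResultSize Unlimited `
    -Properties DisplayName, PrimarySmtpAddress, WhenCreated, HiddenFromAddressListsEnabled

# 2. Build a lookup of genuine user mailboxes by display name so a Booking page that
#    borrows an employee's name (the impersonation pattern described above) stands out.
$userNames = @{}
Get-EXOMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited -Properties DisplayName |
    ForEach-Object { $userNames[$_.DisplayName.ToLowerInvariant()] = $_.PrimarySmtpAddress }

$report = foreach ($bm in $bookingMailboxes) {
    $mimics = $userNames[$bm.DisplayName.ToLowerInvariant()]

    # 3. Explicit (non-inherited) permissions other than the mailbox's own SELF entry are the
    #    accounts that can act as this page; each one should be justified or revoked.
    $delegates = Get-EXOMailboxPermission -Identity $bm.PrimarySmtpAddress |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
        ForEach-Object { "$($_.User):$($_.AccessRights -join ',')" }

    [pscustomobject]@{
        BookingPage     = $bm.DisplayName
        Address         = $bm.PrimarySmtpAddress
        Created         = $bm.WhenCreated
        RecentlyCreated = $bm.WhenCreated -gt (Get-Date).AddDays(-$LookbackDays)
        HiddenFromGAL   = $bm.HiddenFromAddressListsEnabled
        MimicsUser      = $mimics          # $null when no employee shares the name
        Delegates       = ($delegates -join '; ')
    }
}

# Pages that match an employee name or appeared recently deserve the first look.
$report | Sort-Object MimicsUser, Created -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\SharedBookingPages-Audit.csv -NoTypeInformation   # assumed path

# 4. Stop end users from creating new Shared Booking Pages. The switch lives on the OWA
#    mailbox policy; confirm the policy name in your tenant with Get-OwaMailboxPolicy.
Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -BookingsMailboxCreationEnabled $false

# 5. If the organization does not use Bookings at all, disable the feature tenant-wide:
#    Set-OrganizationConfig -BookingsEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

Run the inventory and review steps first and only then apply step 4, because disabling creation on the default OWA policy affects every user assigned to it; teams that legitimately need Booking pages can be moved to a separate policy where the setting stays enabled. A page whose MimicsUser column is populated, or that was created recently by an account with no business reason to run a booking service, is the case to investigate.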