
Hackers Could Hijack Meeting Details via Microsoft Bookings Flaw

A critical vulnerability in Microsoft Bookings exposed organizations to phishing and data manipulation because the service did not adequately validate user input. 

The flaw, which Microsoft has now largely resolved, allowed attackers to inject arbitrary HTML into meeting invitations, alter calendar entries, and build convincing phishing lures. It stemmed from insufficient sanitization of user-supplied values in the Microsoft Bookings API. 

The API accepted the contents of fields such as appointment.serviceNotes, appointment.additionalNotes, and appointment.body.content without validation, so HTML placed in those fields was stored and later rendered, making them vulnerable to HTML injection. 

The issue affected any organization using Microsoft Bookings for appointment scheduling within its Microsoft 365 environment. 

Exploiting the Reschedule Feature 

According to the ERNW researchers who reported the issue, attackers could abuse the "Reschedule" feature to deliver injected HTML and malicious links. A booking confirmation carries a rescheduling link; when that flow was used, the service re-submitted the appointment through a PUT request that still contained the original unsanitized HTML, so the injected content was re-sent to recipients in the updated invitation. 

The security risks included: 

  • Email and Calendar Manipulation: Attackers could change event descriptions or the URLs they contained, misleading recipients. 
  • Phishing Opportunities: Injected HTML produced realistic phishing links delivered in invitations sent from legitimate Microsoft infrastructure, which recipients are inclined to trust. 
  • Data Tampering: Details such as appointment times and participants could be altered. 
  • Denial of Service: By manipulating the duration, attackers could stretch an appointment across the calendar and block new bookings. 
  • Hidden Mailboxes: Related flaws allowed the creation of hidden mailboxes that standard admin controls did not surface. 

Response and Recommendations 

Microsoft was first notified of the issue in December 2024, and most of it was addressed by February 2025. However, some parameters, including additionalRecipients, startTime, and endTime, were still not fully validated at the time of the report. 

Security professionals recommend strict, server-side input validation across all web applications, in line with CWE-20 (Improper Input Validation): reject unexpected markup rather than trying to clean it, bound numeric and time values, and restrict recipient addresses to what the tenant actually permits. 
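As an added example of the validation the article calls for, here is a server-side validator for a booking update written for this article; it is not Microsoft's code and not ERNW's proof of concept. The field names (serviceNotes, additionalNotes, body.content, additionalRecipients, startTime, endTime) are the ones the report names; the payload layout, the length and duration limits, and the approved recipient domain are assumptions chosen for illustration. It rejects the HTML-injection, calendar-blocking and external-recipient cases described above and returns a cleaned copy otherwise.

```python
"""Added example (not Microsoft's code): server-side validation of a booking
update, demonstrating the CWE-20 controls the article recommends.

Field names follow the ERNW report; the payload layout, limits and allowed
domain are assumptions made for this example.
"""
import html
import re
from datetime import datetime, timedelta, timezone

MAX_NOTE_LEN = 2000                              # assumed limit
MAX_DURATION = timedelta(hours=8)                # assumed limit; stops calendar-blocking DoS
ALLOWED_RECIPIENT_DOMAINS = {"example.com"}      # assumed tenant policy
TAG_RE = re.compile(r"<[^>]*>")
SCRIPT_URI_RE = re.compile(r"(javascript|data|vbscript)\s*:", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})$")


def sanitize_note(text: str) -> str:
    """Reject markup and script URIs outright; escape what remains for safe rendering.

    Rejecting rather than stripping is deliberate: a tag inside an appointment
    note has no legitimate use, so it is treated as an attack, not cleaned up.
    """
    if len(text) > MAX_NOTE_LEN:
        raise ValueError("note exceeds maximum length")
    if TAG_RE.search(text) or SCRIPT_URI_RE.search(text):
        raise ValueError("markup or script URI not permitted in notes")
    return html.escape(text, quote=True)


def parse_utc(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp; refuse values without an explicit timezone."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a timezone offset")
    return dt.astimezone(timezone.utc)


def validate_recipients(recipients) -> list:
    """Allow only well-formed addresses in domains the tenant has approved."""
    if not isinstance(recipients, list):
        raise ValueError("additionalRecipients must be a list")
    cleaned = []
    for addr in recipients:
        m = EMAIL_RE.match(str(addr))
        if not m or m.group(1).lower() not in ALLOWED_RECIPIENT_DOMAINS:
            raise ValueError(f"recipient not permitted: {addr!r}")
        cleaned.append(str(addr).lower())
    return cleaned


def validate_booking_update(payload: dict) -> dict:
    """Return a cleaned copy of an update payload, or raise ValueError.

    Only known fields are copied through, so unexpected keys cannot be
    smuggled into the stored appointment.
    """
    clean = {}
    for field in ("serviceNotes", "additionalNotes"):
        if field in payload:
            clean[field] = sanitize_note(str(payload[field]))
    body = payload.get("body") or {}
    if "content" in body:
        clean["body"] = {"contentType": "text", "content": sanitize_note(str(body["content"]))}

    start, end = parse_utc(payload["startTime"]), parse_utc(payload["endTime"])
    if end <= start or end - start > MAX_DURATION:
        raise ValueError("appointment window is empty, reversed, or too long")
    clean["startTime"], clean["endTime"] = start.isoformat(), end.isoformat()

    clean["additionalRecipients"] = validate_recipients(payload.get("additionalRecipients", []))
    return clean


def check_update(payload: dict):
    """Convenience wrapper: (True, cleaned) on success, (False, reason) on rejection."""
    try:
        return True, validate_booking_update(payload)
    except (ValueError, KeyError, TypeError) as exc:
        return False, str(exc)


# Constructed sample payloads for this example (not captured traffic).
GOOD_UPDATE = {
    "serviceNotes": "Bring ID & insurance card",
    "body": {"content": "Consultation, room 2"},
    "startTime": "2025-03-03T09:00:00Z",
    "endTime": "2025-03-03T09:30:00Z",
    "additionalRecipients": ["Staff@Example.com"],
}
HTML_INJECTION = dict(GOOD_UPDATE, serviceNotes='Confirm at <a href="https://phish.invalid">this link</a>')
CALENDAR_BLOCK = dict(GOOD_UPDATE, endTime="2025-04-03T09:00:00Z")      # 31-day appointment
EXTERNAL_RECIPIENT = dict(GOOD_UPDATE, additionalRecipients=["victim@other.invalid"])

if __name__ == "__main__":
    for name, p in [("good", GOOD_UPDATE), ("html", HTML_INJECTION),
                    ("block", CALENDAR_BLOCK), ("recipient", EXTERNAL_RECIPIENT)]:
        print(name, check_update(p))
```

The point of the reschedule finding is that validation must run on every write path, including the re-submission a "Reschedule" triggers; a validator like this belongs in front of the PUT handler as well as the original create call, so stored content is never trusted just because it was accepted once.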

For Microsoft Bookings specifically, administrators should apply Microsoft's March 2025 security recommendations, which include limiting who can access booking pages and enforcing standardized naming policies. 

Organizations should confirm their tenants have received the fixes and monitor for suspicious activity involving bookings, such as unexpected rescheduling, unusually long appointments, or invitations containing links to unfamiliar domains. 
