NEW: An unpatched bug allows anyone to spoof any Microsoft corporate email address, giving malicious hackers a better chance to send credible and harder to spot phishing emails.
Researcher demonstrated to us the bug, sending an email that looked like it was from Microsoft's account security team. The bug only works if target uses an Outlook account.