Microsoft has patched a zero-day flaw in its Hotmail email service which hackers were using to steal emails and details of the victims' contacts, according to researchers at security firm Trend Micro.
In a Monday blog post, threat response engineer Karl Dominguez explained that the victim needs only to open the specially crafted message for it to execute an embedded script.
The URL to which the script connects varies according to the Hotmail user's ID and a pre-defined number, indicating that the attacks are highly targeted, Dominguez said.
The URL then leads to another script which triggers a request which is sent to the Hotmail server, forwarding all the victim's emails to the hacker's email address.
"The attack takes advantage of a script or a CSS filtering mechanism bug in Hotmail. Microsoft has already taken action and has updated Hotmail to fix the bug," said Dominguez.
"The malicious scripts and the URL related to this attack are already being detected and blocked by the Trend Micro Smart Protection Network file and web reputation technologies."
Dominguez added that Trend Micro researchers found that Hotmail's filtering engine actually helps the cyber criminals in this attack.
It does so by working on the embedded script contained in the targeted malicious emails to convert the script into two separate lines for further rendering in the web browser's CSS engine.
"This allows the cyber criminals to turn the script into something that allows them to run arbitrary commands in the current Hotmail log-in session," he explained.
Rik Ferguson, Trend Micro director of security research, arged that the incident proves cyber criminals are looking to get a better return on their investment.
"The active exploits of these vulnerabilities demonstrate that criminals no longer solely rely on attacking individual users and computers," he added.
"The best advice for Hotmail users would be to not open unexpected emails from senders they aren't familiar with, not just in this case but as a matter of best practice."
Mark Zuckerberg mercilessly trolled by Harvard student newspaper after return to university he dropped out of 12 years ago
'Unauthorised user' blamed by Harvard for insulting Mark Zoinkerberg
Android under attack from 'Judy', Google Play Store malware that has infected up to 36.5 million users
Yet more Android malware discovered on the Google Play Store
Airport believes new system will be more reliable than GPS or Google Maps
OnePlus 3T canned to make way for imminent OnePlus 5 with Snapdragon 835, 8GB memory and dual camera
OnePlus 3T to be prematurely retired on 1 June - perhaps indicating plans for an imminent OnePlus 5 launch