chenjj / espoofer

An email spoofing testing tool that aims to bypass SPF/DKIM/DMARC and forge DKIM signatures.🍻

Home Page: https://www.jianjunchen.com/p/composition-kills.USESEC20.pdf


Email address encoding (A10) to bypass DMARC on Outlook Web

cdary opened this issue

Hi Jianjun :-)
I have tested encoding an extra From address in base64 as shown in Fig 8b of your paper. I have sent the mail to an address whose MX are on M365. Outlook Web always displays the base64 encoded version.

In other words, it doesn't decode the extra From address before displaying it.

Here is the syntax I used: bs64(support@facebook.com), test@contact-direct.fr

I tried both base64 and MIME/base64 encoding; neither was displayed as decoded.

Does it still work for you or has it been fixed by Microsoft?

Congrats again for your work and the quality of your paper.
Christophe DARY
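
A receiving-side check for the From header form described in the post above, added here as an example and not part of espoofer or of this thread: it decodes RFC 2047 encoded-words and bare base64 tokens in a From value and reports any address that only appears after decoding. The function names and the sample header values are assumptions, constructed from the syntax quoted in the post.

```python
import base64
import binascii
import quopri
import re

# RFC 2047 encoded-word: =?charset?B-or-Q?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")
BARE_B64 = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _b64_text(payload):
    """Decode base64 to text; return "" when the payload is not valid base64."""
    try:
        raw = base64.b64decode(payload + "=" * (-len(payload) % 4), validate=True)
    except binascii.Error:
        return ""
    # The addresses we look for are ASCII, so latin-1 is a lossless view.
    return raw.decode("latin-1")


def hidden_from_addresses(from_value):
    """Return addresses that appear only after decoding parts of a From value."""
    visible = {a.lower() for a in ADDR.findall(from_value)}
    decoded = []
    for _charset, encoding, payload in ENCODED_WORD.findall(from_value):
        if encoding.lower() == "b":
            decoded.append(_b64_text(payload))
        else:  # "Q" encoding: =XX hex escapes, "_" stands for a space
            raw = quopri.decodestring(payload.encode("ascii", "replace"), header=True)
            decoded.append(raw.decode("latin-1"))
    # Bare base64 tokens that sit outside any encoded-word.
    for token in BARE_B64.findall(ENCODED_WORD.sub(" ", from_value)):
        decoded.append(_b64_text(token))
    hidden = {a.lower() for text in decoded for a in ADDR.findall(text)}
    return sorted(hidden - visible)


# Constructed samples modelled on the syntax quoted in the issue.
_B64 = base64.b64encode(b"support@facebook.com").decode("ascii")
SAMPLES = {
    "bare": f"{_B64}, test@contact-direct.fr",
    "mime": f"=?utf-8?B?{_B64}?=, test@contact-direct.fr",
    "plain": "Support Team <test@contact-direct.fr>",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, hidden_from_addresses(value))
```

A non-empty result means a mail client that decodes the field could show an address that DMARC alignment never evaluated, so a gateway can quarantine or tag on it.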

Hi Christophe,

> Does it still work for you or has it been fixed by Microsoft?

Two years ago I recorded a video to demonstrate this on Outlook.com and reported it to Microsoft. They disregarded our report because they said these attacks rely on social engineering, which they view as outside the scope of security vulnerabilities.

I'm not sure if it still works now, but it's sad if they fixed it silently without acknowledging us.

> Congrats again for your work and the quality of your paper.

Thanks for your recognition.

commented

The base64 encoded From: you used is not visible in your video, unfortunately. I don't think that Microsoft took enough care and time to read your paper. Their answer is totally outside the scope indeed.

I have also tested with Yahoo!, the result is the same. It seems to have been fixed.

Can you test it again, to be sure that it is now fixed or not?