Threat Advisory: Office 365 Zero-Day Used in Real-World Phishing Campaigns

May 9, 2018

Security researchers have revealed that a zero-day vulnerability found in the SafeLinks feature of Microsoft Office 365 may allow hackers to send malicious emails that bypass security systems on Office 365 accounts.

SafeLinks is included in Office 365 as part of Microsoft's Advanced Threat Protection (ATP) solution, originally designed to protect users from malware and phishing attacks by replacing every URL in an incoming email with a Microsoft-owned secure URL. When a user clicks on any link, they are first directed to a Microsoft-owned domain, where the original URL is checked thoroughly for anything suspicious. If malicious content is detected, the user is warned; if nothing malicious is found, the user is redirected to the original URL destination.

Known as baseStriker, this zero-day flaw involves the use of the <base> tag, used to establish a base URL for all relative links, found in the <head> section of a web page. If a base URL is used, when a subsequent link is clicked, the browser merges the base URL and the relative link to direct the user to the URL destination. 

However, baseStriker takes advantage of the fact that the security systems of Office 365 don't support base URLs. Because SafeLinks only rewrites the absolute URLs it finds in the message, a relative link whose host comes from the <base> tag passes through untouched, so attackers are able to bypass the SafeLinks security feature and redirect victims to the phishing site when the link is clicked. Researchers compared the HTML of a traditional phishing email, which SafeLinks would normally block, with the HTML of one that exploits the baseStriker vulnerability, where SafeLinks fails to identify and replace the partial (base-relative) hyperlink.
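To show why a filter that inspects only the raw href attribute misses the real destination, here is an added example (not from the advisory, Microsoft or any vendor) that resolves <base>-relative links the way a browser does and flags the pattern so a mail filter can re-scan or quarantine such messages. The two sample emails and the phish.example domain are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collects the first <base href> and every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]  # per the HTML spec only the first <base> counts
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])


def resolve_links(html):
    """Return (base, [(raw_href, effective_url, is_base_relative), ...]).

    effective_url is what the browser will actually open. A link-rewriting or
    URL-scanning filter must evaluate this value, not the raw href attribute,
    or a relative link with its host supplied by <base> slips through.
    """
    parser = _LinkCollector()
    parser.feed(html)
    resolved = []
    for href in parser.hrefs:
        has_scheme = bool(urlsplit(href).scheme)
        if parser.base and not has_scheme:
            resolved.append((href, urljoin(parser.base, href), True))
        else:
            resolved.append((href, href, False))
    return parser.base, resolved


def uses_base_striker_pattern(html):
    """True when a <base> tag supplies the host for at least one link in the mail."""
    base, links = resolve_links(html)
    return base is not None and any(is_rel for _, _, is_rel in links)


# Constructed samples modelled on the two emails the advisory compares.
TRADITIONAL = '<html><body><a href="http://phish.example/login">Verify</a></body></html>'
BASE_STRIKER = ('<html><head><base href="http://phish.example/"></head>'
                '<body><a href="login">Verify</a></body></html>')
```

Scheme-relative hrefs such as "//host/path" carry no scheme and are resolved against the base as well, so they are reported with their effective host rather than passed through unchanged.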

Please consult the table below to see if your Office 365 system is affected by baseStriker. 

I am using                            Am I vulnerable to baseStriker?
Office 365                            Yes - you are vulnerable
Office 365 with ATP and Safelinks     Yes - you are vulnerable
Office 365 with Proofpoint and MTA    Yes - you are vulnerable
Office 365 with Mimecast MTA          No - you are safe
Gmail                                 No - you are safe
Gmail with Proofpoint MTA             Still in testing and will be updated soon
Gmail with Mimecast MTA               No - you are safe

Recommendations:

At this point, Herjavec Group recommends taking the following steps:

  • Since there are no patches against baseStriker currently available, monitor regularly and install patches as soon as possible upon availability from the appropriate vendors.
  • Notify end users of the issue, and reinforce the risk of phishing attacks.
  • Implement two-factor authentication (2FA) to mitigate the use of stolen credentials.

For more details on this threat alert, please take a look at the resources below:

To learn more about how Herjavec Group can help you secure your environment, please connect with a security specialist.


For Managed Services customers, our Managed Services team will engage directly with the appropriate technical contacts in your organization to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.


About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.
