Threat Advisory: Office 365 Zero-Day Used in Real-World Phishing Campaigns
May 9, 2018
Security researchers have disclosed a zero-day weakness in the Safe Links feature of Microsoft Office 365 that lets attackers send phishing emails whose links bypass the link-scanning protections on Office 365 accounts.
Safe Links is part of Microsoft's Advanced Threat Protection (ATP) offering for Office 365. It is designed to protect users from malware and phishing by rewriting every URL in an incoming email to a Microsoft-owned URL. When the user clicks a link, the browser first goes to a Microsoft-owned domain, where the original URL is checked for malicious content. If the destination is found to be malicious the user is warned; otherwise the user is redirected to the original destination.
Known as baseStriker, the flaw abuses the HTML <base> tag. Placed in the <head> section of a page, <base> sets a base URL for every relative link on that page: when a relative link is clicked, the browser joins the base URL and the relative path to form the destination URL.
baseStriker exploits the fact that the Office 365 link scanners do not take <base> into account when inspecting an email. An attacker splits the malicious URL into a <base href> carrying the attacker's domain and an anchor carrying only a relative path. Safe Links sees no absolute URL in the anchor and leaves it unrewritten, while the recipient's mail client resolves it against the base URL and sends the victim straight to the phishing site. Researchers demonstrated this by comparing the HTML of a traditional phishing email, which Safe Links blocks, with the baseStriker variant, in which Safe Links fails to identify and rewrite the partial hyperlink.
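The following is an added example written for this advisory; it is not code from the original research or from Microsoft. It contrasts a link scanner that only looks at absolute hrefs (the behaviour baseStriker relies on) with one that resolves every link against <base> the way the recipient's browser will. The two email bodies and the host name attacker.example are constructed for illustration; the regex-based attribute extraction stands in for a real HTML parser.

```javascript
// Constructed sample: a traditional phishing email with an absolute link.
const TRADITIONAL = `<html><body>
<a href="http://attacker.example/login">Reset your password</a>
</body></html>`;

// Constructed sample: the same destination, split into <base href> plus a relative path.
const BASESTRIKER = `<html><head>
<base href="http://attacker.example/">
</head><body>
<a href="login">Reset your password</a>
</body></html>`;

// Placeholder blocklist; a real filter would query reputation data.
const KNOWN_BAD_HOSTS = new Set(["attacker.example"]);

// Pull the values of one attribute from one tag type. Deliberately simple:
// production code should use a proper HTML parser instead of a regex.
function attrValues(html, tag, attr) {
  const re = new RegExp(`<${tag}\\b[^>]*\\b${attr}\\s*=\\s*["']([^"']*)["']`, "gi");
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Naive scanner modelled on the weakness described above: it only recognises
// absolute http(s) hrefs, so a relative href is never resolved or rewritten.
function naiveLinks(html) {
  return attrValues(html, "a", "href").filter(h => /^https?:\/\//i.test(h));
}

// Browser-faithful scanner: honour the first <base href>, as browsers do, and
// resolve every anchor against it with the WHATWG URL parser.
function resolvedLinks(html) {
  const bases = attrValues(html, "base", "href");
  const base = bases.length ? bases[0] : undefined;
  const out = [];
  for (const h of attrValues(html, "a", "href")) {
    try {
      out.push(new URL(h, base).href);
    } catch {
      // A relative href with no usable base cannot be resolved; nothing to click.
    }
  }
  return out;
}

function hostsOf(urls) {
  return urls.map(u => new URL(u).hostname);
}

// Verdict for a given scanner: does any resolved destination hit the blocklist?
function flagsMalicious(html, scanner) {
  return hostsOf(scanner(html)).some(h => KNOWN_BAD_HOSTS.has(h));
}

// Stand-alone demonstration.
for (const [name, body] of [["traditional", TRADITIONAL], ["baseStriker", BASESTRIKER]]) {
  console.log(name, "naive:", flagsMalicious(body, naiveLinks),
              "base-aware:", flagsMalicious(body, resolvedLinks));
}
```

Run with `node`, the naive scanner flags only the traditional email, while the base-aware scanner flags both, because it computes the same destination the user's mail client will open.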
Please consult the table below to see whether your email environment is affected by baseStriker.

| I am using | Am I vulnerable to baseStriker? |
|---|---|
| Office 365 | Yes - you are vulnerable |
| Office 365 with ATP and Safe Links | Yes - you are vulnerable |
| Office 365 with Proofpoint MTA | Yes - you are vulnerable |
| Office 365 with Mimecast MTA | No - you are safe |
| Gmail | No - you are safe |
| Gmail with Proofpoint MTA | Still in testing and will be updated soon |
| Gmail with Mimecast MTA | No - you are safe |
Recommendations:
At this point, Herjavec Group recommends taking the following steps:
- No patch for baseStriker is currently available. Monitor vendor advisories regularly and install fixes as soon as the appropriate vendors release them.
- Notify end users of the issue and remind them that a link in an Office 365 email may not have been rewritten or checked by Safe Links; reinforce general phishing awareness.
- Implement two-factor authentication (2FA) so that credentials harvested by a phishing page cannot be used on their own.
For more details on this threat alert, please take a look at the resources below:
- Hackers Found Using A New Way to Bypass Microsoft Office 365 Safe Links
- Office 365 Zero-Day Used in Real-World Phishing Campaigns
- baseStriker: Office 365 Security Fails To Secure 100 Million Email Users
To learn more about how Herjavec Group can help you secure your environment, please connect with a security specialist.
For Managed Services customers, our Managed Services team will engage directly with the appropriate technical contacts in your organization to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.