May 9, 2018

Threat Advisory: Office 365 Zero-Day Used in Real-World Phishing Campaigns

Security researchers have revealed that a zero-day vulnerability found in the SafeLinks feature of Microsoft Office 365 may allow hackers to send malicious emails that bypass security systems on Office 365 accounts.

SafeLinks is included in Office 365 as part of Microsoft’s Advanced Threat Protection (ATP) solution. It was designed to protect users from malware and phishing attacks by replacing every URL in an incoming email with a Microsoft-owned secure URL. When a user clicks a link, they are first directed to a Microsoft-owned domain, where the original URL is checked for anything suspicious. If malicious content is detected, the user is warned; if nothing malicious is found, the user is redirected to the original URL destination.

Known as baseStriker, this zero-day flaw involves the use of the <base> tag, which is placed in the <head> section of a web page to establish a base URL for all relative links. When a base URL is declared and a relative link is subsequently clicked, the browser merges the base URL and the relative link to form the final destination URL.

However, baseStriker takes advantage of the fact that the Office 365 security systems do not support base URLs. Because the scanner only sees the relative portion of the link, attackers are able to bypass the SafeLinks feature and redirect victims to the phishing site when the link is clicked. Researchers compared the HTML code of a traditional phishing email, which SafeLinks would normally block, with one that exploits the baseStriker vulnerability, in which SafeLinks fails to identify and replace the partial hyperlink.
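The following added example (not from the advisory or from the researchers) illustrates the detection gap from a defender's point of view: a naive link check that reads hrefs exactly as written never sees the full destination, while a base-aware check resolves each relative href against the message's <base href> the way a mail client will at click time. The sample message, the domain name "phish.example" and the blocklist are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class BaseAwareLinkExtractor(HTMLParser):
    """Collects every <a href> in an HTML body and remembers the first
    <base href> the document declares (browsers honour only the first)."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.raw_hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]
        elif tag == "a" and attrs.get("href"):
            self.raw_hrefs.append(attrs["href"])


def naive_links(html):
    """Models a scanner that only inspects hrefs as written: a relative
    href stays relative, so it never matches a domain-based check."""
    parser = BaseAwareLinkExtractor()
    parser.feed(html)
    return parser.raw_hrefs


def resolved_links(html):
    """Base-aware: merges <base href> with each relative href, producing
    the URL the user actually lands on when they click."""
    parser = BaseAwareLinkExtractor()
    parser.feed(html)
    return [urljoin(parser.base or "", h) for h in parser.raw_hrefs]


# Constructed sample reproducing the base/relative split described above.
BLOCKLIST = {"phish.example"}  # hypothetical known-bad domain
SAMPLE = """<html><head><base href="https://phish.example/"></head>
<body><a href="account/verify">Review your account</a></body></html>"""


def flagged(html):
    """Returns the resolved links whose host is on the blocklist."""
    return [u for u in resolved_links(html) if urlsplit(u).hostname in BLOCKLIST]
```

Running `naive_links(SAMPLE)` yields only the bare relative path, whereas `flagged(SAMPLE)` catches the fully resolved phishing URL.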

Please consult the table below to see if your Office 365 system is affected by baseStriker.

   I am using                            Am I vulnerable to baseStriker?
   Office 365                            Yes – you are vulnerable
   Office 365 with ATP and SafeLinks     Yes – you are vulnerable
   Office 365 with Proofpoint and MTA    Yes – you are vulnerable
   Office 365 with Mimecast MTA          No – you are safe
   Gmail                                 No – you are safe
   Gmail with Proofpoint MTA             Still in testing and will be updated soon
   Gmail with Mimecast MTA               No – you are safe

Recommendations:

At this point, Herjavec Group recommends taking the following steps:

  • Since no patch for baseStriker is currently available, monitor vendor advisories regularly and install patches as soon as the appropriate vendors release them.
  • Notify end users of the issue, and reinforce the risk of phishing attacks.
  • Implement two-factor authentication (2FA) to mitigate the use of stolen credentials.
For more details on this threat alert, please take a look at the resources below:

To learn more about how Herjavec Group can help you secure your environment, please connect with a security specialist.


For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.


About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Consulting, Identity & Access Management, Managed Security Services, and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom, and Canada. For more information, visit www.herjavecgroup.com.
