Security researchers at cloud-security firm Avanan have discovered a flaw in Office 365 that enables hackers to circumvent a security feature and send malicious emails.
Safe Links is designed to protect users from malware and phishing, but this flaw lets attackers slip malicious links straight past it. Office 365 includes Safe Links as part of Microsoft Advanced Threat Protection (ATP). In essence, Safe Links rewrites any URL in an inbound email to a Microsoft-owned URL so the real destination can be checked when the user clicks.
The new revelations from Avanan reveal that hackers can bypass Safe Links using a technique called “baseStriker attack.”
According to researcher Yoav Nathaniel, this is the “largest ever flaw in Office 365… and unlike similar attacks that could be learned and blocked, using this vulnerability, hackers can completely bypass all of Microsoft’s security, including its advanced services – ATP, Safelinks, etcetera.”
BaseStriker confuses Office 365 ATP by splitting a malicious link in two and hiding one half in a <base> tag. The <base> tag defines the base URL for all links in a web page, so once a <base> URL is set, every relative link in the document is resolved against it, with the <base> value as the starting part of the URL.
[Screenshot: Traditional malicious URL]
[Screenshot: Malicious URL using baseStriker attack]
The screenshots above compare the HTML of a traditional malicious email with HTML that splits the link using the <base> tag. Safe Links only sees the partial hyperlink in the second case and does not recognise it as malicious, yet the mail client reassembles the two halves, so clicking the link opens the malicious site.
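A link scanner is only as good as the URL it inspects. The following added example (not code from Avanan or Microsoft) shows how a defender-side filter should compute the *effective* target of every link by resolving it against the document's <base href>, exactly as a mail client will, so the split described above is visible before the message is scored. The sample HTML and the host `phish.example` are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class LinkCollector(HTMLParser):
    """Record the first <base href> and every raw <a href> in the HTML."""

    def __init__(self):
        super().__init__()
        self.base = None      # browsers honour only the first <base href>
        self.raw_hrefs = []   # href attributes exactly as written

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]
        elif tag == "a" and attrs.get("href") is not None:
            self.raw_hrefs.append(attrs["href"])


def effective_links(html):
    """Return (base, raw hrefs, resolved URLs).

    Resolution happens after the whole document is parsed, so a <base>
    placed after the <a> tags is still applied, as a rendering client would.
    """
    p = LinkCollector()
    p.feed(html)
    p.close()
    resolved = [urljoin(p.base or "", h) for h in p.raw_hrefs]
    return p.base, p.raw_hrefs, resolved


def uses_base_split(html):
    """True when a <base href> changes where at least one link really points.

    That is the signature of the split: the literal href is a harmless
    fragment, the effective URL is the destination a scanner must evaluate.
    """
    base, raw, resolved = effective_links(html)
    return base is not None and any(r != e for r, e in zip(raw, resolved))


# Constructed samples (placeholder host, not a real indicator).
TRADITIONAL = ('<html><body><a href="https://phish.example/login.html">'
               'Sign in</a></body></html>')
BASE_SPLIT = ('<html><head><base href="https://phish.example/"></head>'
              '<body><a href="login.html">Sign in</a></body></html>')
```

Feeding the resolved URLs, rather than the raw href attributes, into reputation checks or rewriting closes the gap the technique relies on.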
After testing, researchers discovered that “anyone using Office 365 in any configuration is vulnerable”. This means desktop, web-based, and mobile app users of Outlook are susceptible.
What Happens Next?
Avanan has since reported the issue to Microsoft. At the time of writing there is no patch, and Avanan advises users to be cautious of links from unknown senders. Firms should therefore remind all users of the importance of phishing awareness as a preventive measure. The security firm has also advised that users “enable multi-factor authentication to make it harder to take over their account. This will not protect from malware and other types of phishing, but will help with credential harvesting.”