Security researchers at Avanan, a cloud security firm, have identified a technique that lets attackers bypass the Safe Links security feature of Microsoft Office 365. The technique is known as baseStriker.
Microsoft designed the Safe Links feature to protect Office users from phishing attacks and malicious code; it is part of Microsoft's Advanced Threat Protection (ATP).
ATP Safe Links Protection
Since late October 2017, the protection has covered URLs both in emails and in Office 365 documents such as Excel, Word and Visio files on Windows, and PowerPoint on iOS, Android and Windows.
The feature works by replacing every web address in an incoming email with a Microsoft-owned URL.
When a user clicks a link in an incoming email, the feature first redirects the user to a Microsoft-operated domain, which checks the original URL for suspicious or malicious content.
If the scan detects malicious activity it warns the user; otherwise it redirects the user to the original link.
About baseStriker and Its Trademark HTML Tag
According to an analysis published by Avanan, baseStriker is the name given to the tactic attackers use to exploit this weakness. The technique splits and disguises malicious links using the HTML <base> tag.
The attack therefore gets malicious links that Microsoft would otherwise block immediately past its security filters by splitting the web address into two HTML pieces: an ordinary href attribute on an anchor and a base tag.
At the heart of the vulnerability is the <base> HTML tag. It is an infrequently used tag that developers declare in the <head> section of a web page or HTML document; its purpose is to set a base URL against which relative links in the document are resolved.
“Base” HTML Tag Not Supported by Office 365
According to the Avanan researchers, the problem is that the security systems of Microsoft Office 365 do not appear to support "base URLs." An attacker can simply send an ordinary rich-text-formatted email, and Office 365 will neither scan nor detect malicious content or malware hosted at the resulting URLs.
Outlook renders such links correctly, so users can click them and land on the intended pages.
The Office 365 security systems, such as ATP and Safe Links, however, do not combine the relative path with the "base" URL before scanning the link; they scan each part separately.
Avanan says it assessed several email services and found that Office 365 was the only one susceptible to baseStriker.
Additionally, typical Gmail users, as well as users who rely on Mimecast to protect their Office 365 mail, are not susceptible to baseStriker, although Proofpoint is reportedly vulnerable to the issue.
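The split described above, as an added example that is not Avanan's or Microsoft's code: a constructed HTML email body carries the host in a <base href> and only a relative path in the anchor. A scanner that inspects each href literally sees no host at all for that link, while one that resolves every href against the base tag, as the mail client does, recovers the effective URL and can check it against a (hypothetical) blocklist.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample HTML email body (not a real phishing message): the
# <base> tag carries the host, the first anchor carries only a relative path.
SAMPLE_EMAIL_HTML = """<html>
<head><base href="http://phish.example.test/"></head>
<body><a href="account/verify">Verify your account</a>
<a href="https://docs.example.test/guide">Read the guide</a></body>
</html>"""

# Hypothetical blocklist standing in for a real URL-reputation service.
BLOCKED_HOSTS = {"phish.example.test"}


class LinkExtractor(HTMLParser):
    """Collect the <base href> and every <a href> in document order."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]  # the first <base> in a document wins
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])


def naive_hosts(html):
    """Mimic a scanner that checks each href literally and ignores <base>."""
    p = LinkExtractor()
    p.feed(html)
    return [urlsplit(h).hostname for h in p.hrefs]


def effective_urls(html):
    """Resolve every href against <base href>, as the mail client will."""
    p = LinkExtractor()
    p.feed(html)
    return [urljoin(p.base or "", h) for h in p.hrefs]


def flagged_links(html):
    """Return the effective URLs whose host is on the blocklist."""
    return [u for u in effective_urls(html)
            if urlsplit(u).hostname in BLOCKED_HOSTS]


if __name__ == "__main__":
    print(naive_hosts(SAMPLE_EMAIL_HTML), flagged_links(SAMPLE_EMAIL_HTML))
```

The naive pass reports no host for the first link, which is exactly why a per-fragment scan lets it through; the resolved pass flags it.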
baseStriker Is Popular in the Wild
baseStriker is not just a theoretical vulnerability that researchers uncovered after months of pen-testing.
Avanan states that so far it has only seen the vulnerability used by attackers carrying out phishing attacks. Nonetheless, baseStriker could also be used to distribute malware, ransomware and other malicious content.
Avanan further notes that it contacted Microsoft and warned the company of the severity of its findings, although Microsoft has yet to say how or when it will fix the problem.
Microsoft is scheduled to release its security updates for May 2018 soon, but it is uncertain whether the company has had enough time to address the baseStriker vulnerability.