Attention: You need to "Allow Scripts Globally" in your browser to purchase any VPN.image

baseStriker Attack Used by Hackers to Bypass Office 365 ATP Safe Links

Be aware of hacker attack. Mixed media
A newly unveiled email attack called baseStriker permits hackers to dispatch malicious emails that can bypass Microsoft Office 365 security systems.

Security researchers based at Avanan, a cloud security firm, have identified a specific technique through which hackers can bypass the distinct Safe Links security features of the Microsoft Office 365. The threat is known as baseStriker.

Microsoft has designed the Safe Links feature to protect all Office users from phishing attacks and malicious codes and is part of the Advanced Threat Protection (ATP) established by Microsoft.

ATP Safe Links Protection

Since the latter days of October 2017, the protection has been extended to cover URLs in both emails and in the Office 365 documents like Excel, Word, Visio files (Windows), PowerPoint on iOS, Android devices, as well as on Windows.

This security feature operates by replacing all web addresses in an incoming email with exclusive and secure Microsoft-owned URLs.

As soon as a user clicks on any link that is included in any incoming email, this security feature initially redirects the user down to a distinct Microsoft-operated domain to verify the URL for any suspicious or malicious activity.

In the event this scan detects any malicious activity, it subsequently alerts the user, otherwise redirecting them to the original website link.

About baseStriker and Its Trademark HTML Tag

According to an analysis published by Avanan, baseStriker is a name that defines the malicious tactic attackers employ to exploit this vulnerability. The vulnerability splits and then disguises malicious links via a tag known as the <base> URL tag.

This attack is, therefore, able to send malicious links which would otherwise be immediately blocked by Microsoft, through and past their exclusive security filters by splitting the website addresses into two HTML snippets: a standard href tag and a base tag.

At the heart of this newly discovered vulnerability is the distinct < base > HTML tag. It is an infrequently used tab although it is declared by developers in a web page’s/HTML document’s < head > section. It is purposed to create a base URL for relative links.

“Base” HTML Tag Not Supported by Office 365

Microsoft Office 365 on the web under magnifying glass.
Security researchers based at Avanan, a cloud security firm, have identified a specific technique through which hackers can bypass the distinct Safe Links security features of the Microsoft Office 365.

According to the Avanan researchers, the problem with the vulnerability is that the security systems of Microsoft Office 365 do not seem to support “base URLs.” A hacker can merely send out a regular rich-text-formatted email, and unfortunately, Microsoft Office 365 will not scan or even detect any malicious content or malware that these URLs are hosting.
Outlook will correctly render such links, which means that the users can click on them and subsequently land on the original pages.

However, as for Microsoft Office 365-exclusive security systems such as ATP and Safe Links, they do not merge the relative path and the “base” URL before scanning the link; they scan each of these parts separately.

According to Avanan, the firm assessed several email services and found that Office 365 is the only service that is susceptible to baseStriker attacks.

Additionally, typical users—as well as Gmail users who are using Mimecast to protect their Office 365—are not susceptible to baseStriker, although Proofpoint is reportedly vulnerable to this issue.

baseStriker Is Popular in the Wild

baseStriker is surprisingly not just any random vulnerability which researchers have recently discovered after months of pen-testing.

Avanan states that in their research, they have only witnessed the vulnerability in use by hackers who employ it carrying out phishing attacks. Nonetheless, baseStriker can also distribute malware, ransomware, as well as malicious content.

Avanan further outlines that the firm got in touch with Microsoft and warned them of the severity of their discoveries, although Microsoft is yet to respond to how or when they would fix this problem.

Microsoft is scheduled to release their exclusive security updates for May 2018 soon, but it is uncertain whether the tech giant had ample time to address the baseStriker vulnerability.

Leave a Reply

Name (required)

Email (required)

Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Send this to a friend