The Cloud Consultancy Europe Ltd.
+44 (0) 203 637 6667 [email protected]

Security researchers are exploiting a new zero-day vulnerability in Office 365 that enables hackers to bypass security systems to send malicious emails.

Dubbed BaseStriker by the researchers at security firm Avanan, the flaw affects the way that Office 365 servers handle incoming emails.

“We recently uncovered what may be the largest security flaw in Office 365 since the service was created,” said researcher Yoav Nathaniel.

He continued: “Unlike similar attacks that could be learned and blocked, using this vulnerability hackers can completely bypass all of Microsoft’s security, including its advanced services – ATP, Safelinks, etcetera.”

The researcher explained that the bug affects the HTML ‘base’ tag, which developers use to generate a base URL for links throughout an HTML page.

As Mozilla explains, these tags are “used throughout the document for relative URL addresses.

“If this attribute is specified, this element must come before any other elements with attributes whose values are URLs. Absolute and relative URLs are allowed,” it explains.

Hence, once a base URL (such as is established, the HTML only needs to specify an extension (such as /office365/image) – for example, for a series of images.

However, according to the Avanan researchers, base URLs are unsupported by Office 365’s security systems, which represents a loophole that hackers have started exploiting, according to Avanan.

Essentially, they can create rich-text-formatted emails and fill them with a base URL littered with a series of malware-laden extensions, which would slip through Office 365’s defences.

“The attacker sends a malicious link, which would ordinarily be blocked by Microsoft, past their security filters by splitting the URL into two snippets of HTML: a ‘base’ tag and a regular ‘href’ tag,” explained the company.

When a user gets the email, these links would look genuine. And if they clicked on one, it would take them to the correct page.

But the issue here is that Microsoft’s Advanced Threat Protection (ATP) and Safelinks systems do not have the ability to scan and merge base URLs, and check the accordingly.

“When scanning this, Office 365 sees the malicious URL, performs a lookup against a list of known bad links, and blocks it. Office 365 Safelink, for customers that purchased ATP, also replaces the URL with a Safelink URL and prevents the end-user from going to the phishing site,” it added.

“This email, however, has the same malicious link presented to the end-user but is let through because the email filters are not handling the ‘base’ HTML code correctly.”

Nathaniel explained that the Office 365 is the only email service to be affected by the vulnerability and that the firm has contacted Microsoft.

What are you doing to protect your business from ransomware attacks?

Original Story Source: Computing