
“BadWinmail” Outlook Flaw Puts Enterprises at Risk

Organizations that haven’t installed the latest security updates from Microsoft are exposed to attacks due to a serious vulnerability found by a researcher in the Outlook email client.


The Outlook bug (CVE-2015-6172) is one of several security holes patched by Microsoft in December with an update for the Office software suite. According to Microsoft, an attacker can exploit this flaw using a specially crafted email to run arbitrary code with the privileges of the logged-in user and take complete control of the affected system.

Haifei Li, the security researcher who reported the problem to Microsoft, has now disclosed the details of the vulnerability, which he calls an “enterprise killer.”

Exploitation of the flaw, which the expert has dubbed BadWinmail, involves Object Linking and Embedding (OLE), a Microsoft technology that allows embedding and linking to documents and other objects.

Microsoft has designed Outlook to prevent attacks that involve potentially malicious files attached to emails, and even Office documents are opened and previewed in a strong sandbox called Protected View. However, Li found a way to attach malicious code to an email and get it to execute when the email is opened or previewed in Outlook.

According to the expert, a malicious actor can leverage the Transport Neutral Encapsulation Format (TNEF), a Microsoft email attachment format used by Outlook and Exchange Server, to conduct an attack. When TNEF is used, the attached file is usually named “winmail.dat,” which inspired Li to name the vulnerability BadWinmail.

TNEF can be configured so that the user’s attachment, which is included in winmail.dat, is rendered as an OLE object. This allows an attacker to create a malicious winmail.dat file containing an OLE object that is automatically loaded when the user reads the email. Furthermore, if the malicious email is the newest in the victim’s inbox, the payload is automatically executed when Outlook is launched.


The researcher says an attacker can attach various types of exploits and OLE objects, but he demonstrated his findings using a Flash OLE object and a Flash Player vulnerability. Li has published a video to show how the attack works.

In addition to using the TNEF format, Li determined that a malicious OLE object can also be delivered via a .msg file, which is considered safe by Outlook.
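A mail-gateway triage check for the two delivery formats described above, as an added example that is not from the article or from Li's paper. It flags TNEF parts (by MIME type, the winmail.dat name, or the TNEF stream signature) and .msg attachments so they can be held until clients are patched; the function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# A TNEF stream begins with the signature 0x223E9F78, stored little-endian.
TNEF_SIGNATURE = bytes.fromhex("789f3e22")

def classify_part(part):
    """Return 'tnef', 'msg' or None for a single non-multipart MIME part."""
    name = (part.get_filename() or "").lower()
    ctype = part.get_content_type()
    data = part.get_payload(decode=True) or b""
    # Check content as well as labels: a renamed winmail.dat keeps its signature.
    if (data.startswith(TNEF_SIGNATURE) or ctype == "application/ms-tnef"
            or name == "winmail.dat"):
        return "tnef"
    if name.endswith(".msg") or ctype == "application/vnd.ms-outlook":
        return "msg"
    return None

def risky_attachments(raw_bytes):
    """Parse a raw RFC 5322 message and list (kind, filename) for flagged parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        kind = classify_part(part)
        if kind:
            findings.append((kind, part.get_filename()))
    return findings

def build_sample(filename, subtype, payload):
    """Constructed test message with one binary attachment (not real mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("body")
    m.add_attachment(payload, maintype="application", subtype=subtype,
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    sample = build_sample("winmail.dat", "ms-tnef", TNEF_SIGNATURE + b"\x00" * 8)
    print(risky_attachments(sample))
```

Legitimate Outlook and Exchange senders also produce winmail.dat, so a hit here is a reason to quarantine or inspect the part, not proof of an attack.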

In these attacks, the exploit is executed in the context of the outlook.exe process, giving the attacker the same privileges as the victim.

“Think about it, an attacker may just need a Flash zero-day exploit (and the email address, of course) to take control of a CEO’s computer for a business company – most enterprise users use Outlook every day, then he/she can read all the confidential emails and may do many more. This is absolutely an ideal technology for targeted attacks, especially in an APT era,” the researcher wrote in his paper.

“Even, an attacker may launch a ’worm’ based attack by abusing this attack vector – that doesn’t usually happen in Windows ecosystem since Vista’s release – when compromising one computer via email, the worm may gather all the contacts and then send the same exploit via email to all the contacts to spread itself,” Li explained.

When it released the patch, Microsoft noted that it was not aware of any attacks attempting to exploit the vulnerability.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
