A Trustwave researcher has discovered a new technique to completely bypass a security feature of Microsoft Outlook and deliver a malicious link to the recipient.
The new technique, Trustwave SpiderLabs lead threat architect Reegun Richard Jayapaul explains, is a variation of a vulnerability that was initially addressed in February 2020.
Tracked as CVE-2020-0696, the initial Outlook security feature bypass would allow an attacker who uses Outlook for Mac to send specially crafted malicious links to a victim on Outlook for Windows and bypass the email delivery system’s URL protection feature.
Described as the improper handling of URI format parsing, the bug allowed an attacker on Outlook for Mac to create a legitimate-looking link whose hyperlink target was something like file:///maliciouslink (and variations such as file:/, file:, , ///, //, or /) and send it to the victim.
If the victim clicked on the link in Outlook for Windows, the email client automatically translated it to http://maliciouslink, resulting in a successful attack. The attack was tested successfully in Outlook with the Safelinks feature enabled, as well as with other email security systems.
“When we send the above vector with hyperlink file:///trustwave.com, the email is delivered on the victim’s ‘Microsoft Outlook for Windows’ as file:///trustwave.com. The link file:///trustwave.com then translates to http://trustwave.com after clicking,” the researcher explains.
He later discovered that the vulnerability could also be exploited if the legitimate link is hyperlinked with “http:/://maliciouslink”, as the email system will strip the “:/” and deliver the link to the victim as “http://maliciouslink.” This attack works on both the Windows and macOS Outlook clients.
“This secondary bypass method was fixed by Microsoft during the summer of 2021, and the new update makes the URL accessible or proxied through Safelinks,” Jayapaul concludes.
Microsoft patched the vulnerabilities with client-side fixes and Outlook is automatically updated by default. However, if users have disabled automatic updates and haven’t manually updated Outlook, the method still works.
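The two rewrites the article describes (file-style prefixes becoming http://, and the ":/" being stripped out of "http:/://") are what a mail gateway or detection rule needs to reproduce in order to judge a hyperlink by the target the client will actually open rather than by the literal href. The following is an added example written for this article, not Trustwave's or Microsoft's code: it normalises an href the way the article says Outlook does, then flags links whose href is rewritten or whose effective host differs from the host shown in the anchor text. The sample links and the domain maliciouslink.example are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Prefixes the article reports Outlook translating to "http://" on click.
# Longest first, so "file:///" is matched before "file:/" and "file:".
FILE_STYLE_PREFIXES = ("file:///", "file:/", "file:", "///", "//", "/")

# Secondary bypass from the article: "http:/://host" has its ":/" stripped.
DOUBLE_SCHEME = re.compile(r"^(https?):/://(.*)$", re.IGNORECASE)


def effective_target(href):
    """Return the URL the client would open, per the rewrites the article describes.

    The normalisation here is a reconstruction from the article's text, not
    Outlook's actual parser; treat it as an assumption.
    """
    h = href.strip()
    m = DOUBLE_SCHEME.match(h)
    if m:
        return f"{m.group(1).lower()}://{m.group(2)}"
    lowered = h.lower()
    for prefix in FILE_STYLE_PREFIXES:
        if lowered.startswith(prefix):
            return "http://" + h[len(prefix):]
    return h


def is_rewritten(href):
    """True when the literal href is not what the client would open."""
    return effective_target(href) != href.strip()


def display_host(text):
    """Host named in the anchor text, or None when the text is not URL-like."""
    t = text.strip()
    if " " in t or "." not in t:
        return None  # plain words such as "Read more": nothing to compare against
    if "://" not in t:
        t = "http://" + t
    return urlsplit(t).hostname


def check_hyperlink(display_text, href):
    """Gateway-style check on one (anchor text, href) pair; returns a list of findings."""
    findings = []
    target = effective_target(href)
    if target != href.strip():
        findings.append("rewritten-scheme")
    shown = display_host(display_text)
    actual = urlsplit(target).hostname
    if shown and actual and shown.lower() != actual.lower():
        findings.append("host-mismatch")
    return findings


# Constructed sample hyperlinks as a gateway would extract them from HTML mail.
SAMPLE_LINKS = [
    ("https://trustwave.com", "https://trustwave.com"),              # benign
    ("https://trustwave.com", "file:///maliciouslink.example"),      # first bypass
    ("Read more", "http:/://maliciouslink.example"),                 # secondary bypass
    ("docs", "//maliciouslink.example/doc"),                         # scheme-relative variant
]


def scan(links):
    """Return only the links that produced findings, with their effective target."""
    flagged = []
    for display, href in links:
        findings = check_hyperlink(display, href)
        if findings:
            flagged.append((display, href, effective_target(href), findings))
    return flagged


if __name__ == "__main__":
    for display, href, target, findings in scan(SAMPLE_LINKS):
        print(f"{display!r} -> {href!r} opens {target!r}: {', '.join(findings)}")
```

Because the check compares the normalised target rather than the raw href, a Safelinks-style rewriter fed the output of effective_target() would wrap http://maliciouslink rather than passing file:///maliciouslink through untouched; the host-mismatch finding is the same signal regardless of which prefix variation the sender used.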
Related: Microsoft Edge Adds Security Mode to Thwart Malware Attacks
Related: Microsoft Introduces New Security Update Notifications
Related: Microsoft Office Patch Bypassed for Malware Distribution in Apparent ‘Dry Run’

More from Ionut Arghire