Security Experts:

Phishers Use New Method to Bypass Office 365 Safe Links

Cybercriminals have been using a new method to ensure that the URLs included in their phishing emails bypass the Safe Links security feature in Office 365, cloud security company Avanan revealed on Tuesday.

Safe Links, offered as part of Microsoft’s Office 365 Advanced Threat Protection (ATP) solution, is designed to protect organizations against malicious links delivered through emails and documents. Safe Links checks the original URL to see if it has been blacklisted (by Microsoft or the ATP customer) or if it points to malware. If a malicious element is detected, the original link is replaced and users are alerted when they click on it.

Avanan says cybercriminals have found a simple way to bypass this security feature by using a <base> tag in the HTML header – basically splitting the malicious URL. Using this method, Safe Links only checks the base domain and ignores the rest – the link is not replaced and the user is allowed to access the phishing site.

Base tag phishing - Safe Links bypass

“At one time, email clients did not support the <base> tag, so every link need to be an absolute URL. Support for relative URLs in email is a recent development and the behavior is client dependent. Older email clients will ignore the <base> tag, but web-based email clients, recent desktop clients and most mobile apps will now handle the <base> tag and recombine the URL into a clickable link,” Avanan explained.

The attack method, which Avanan has dubbed “baseStriker,” works against the Outlook clients, including the web-based, mobile and desktop applications, which support the <base> header tag. Gmail is not impacted and some security solutions, such as the one provided by Mimecast, protect users against these attacks.

While Avanan has only seen this method being exploited in phishing attacks, they believe it can also be leveraged to deliver ransomware and other types of malware.

Avanan discovered the use of this attack method after seeing that some phishing emails made it past filters included in Microsoft and Proofpoint products. An investigation revealed that the malicious messages that bypassed these filters had been using the <base> tag.

“What made this attack interesting was that the URLs that were making it through were already known by the major blacklist databases that Microsoft subscribes to,” Yoav Nathaniel, Avanan research engineer, told SecurityWeek.

According to Nathaniel, a majority of the phishing messages observed by Avanan purport to be DocuSign or Office 365 links and they lead to a fake login page.

“The FROM address is customized on a per-email basis to look like the email is an internal one. The FROM: takes the form of ‘targetcompany.com <[email protected]>’ so the user will see ‘targetcompany.com’ as the name, often fooling the user into thinking it is an internal email address. The email is coming from a real email account so the sender passes SPF and DKIM,” Nathaniel said.

“The SUBJECT is customized on a per-email basis to seem like the message is an internal one. The SUBJECT is of the form ‘[email protected] has sent you a document’,” he added. “The email includes the one or more logos including Office365 or DocuSign or other document sharing service as well as the standard boilerplate text that would be expected at the bottom of such an email. The emails are well-crafted with few or no spelling mistakes.”

Microsoft has been made aware of these attacks and the company has launched an investigation.

“Microsoft has a customer commitment to investigate reported security issues and provide resolution as soon as possible,” a Microsoft spokesperson told SecurityWeek. “We encourage customers to practice safe computing habits by avoiding opening links in emails from senders they don’t recognize.”

This is not the first time researchers have found a way to bypass Safe Links. Both Avanan and others have disclosed several methods in recent months.

UPDATE. Proofpoint has clarified that its products are capable of blocking these types of attacks. Ryan Kalember, SVP of cybersecurity strategy, has provided the following statement:

“We absolutely have the ability to block base URLs on our gateways for concerned customers – that said, there is legitimate mail that uses the technique (including from banks) so this may not be the right choice for every organization. While Proofpoint Threat Operations has not identified significant usage of the technique by threat actors in the wild, we employ many layers of defense against malicious email content. URL reputation checks and URL rewriting are only one of a large set of analysis techniques used by Proofpoint’s advanced threat analytics suite, which work together to determine the potential maliciousness of an email. We will continue to monitor for the active use of this technique and can block base tag usage for concerned customers.”

Related: To Stop Phishing, Understand the Long Tail of Risk

Related: Mobile Phishing Attacks Up 85 Percent Annually

Related: Phishing Pages Hidden in "well-known" Directory

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.