Security researchers report that some attack groups have found a way around a key protection in Microsoft Office 365 that is meant to shield users from phishing and malware. The feature, Safe Links, ships as part of Microsoft's Advanced Threat Protection (ATP) and works by rewriting the URLs in incoming emails so that they point to a Microsoft-controlled domain.

When a user clicks such a link, the browser first lands on that Microsoft domain, where the original URL is checked for known threats. If the destination is judged malicious, the user is warned; if it is judged safe, the user is redirected to the original site.

However, researchers at Avanan, a cloud security firm, have found that attackers can sidestep this check with what they call a "baseStriker attack." The technique uses the HTML <base> tag, placed in the <head> of the message body, which sets the URL against which every relative link in the document is resolved. The malicious URL is split in two: the domain goes into <base href> and only a relative path goes into the link's href. Safe Links sees a relative href, not an absolute URL, and leaves it alone, while the mail client quietly joins the two parts and sends the user to the attacker's site.

The researchers demonstrated this with a side-by-side comparison of a conventional phishing email and one built with the <base> tag: the conventional link was rewritten and blocked, while the split link arrived untouched and took the victim straight to the harmful site. They note that every Office 365 tenant is exposed, whether users read mail in the web client, the mobile app, or the Outlook desktop client, because the rewriting happens server-side before the message reaches any of them.

Avanan has also published a video of the baseStriker attack in action, showing that it works in practice and not only in a lab. So far it has been seen used for phishing, but the researchers caution that the same trick can deliver any link, including one that drops ransomware or other malware.

Proofpoint's email protection was found to be vulnerable to the same technique, whereas Gmail users and Office 365 tenants fronted by Mimecast appear to be unaffected.

Avanan reported its findings to both Microsoft and Proofpoint over the weekend, but at the time of writing no fix is available. Until one ships, a link that arrives un-rewritten should not be taken as one that Safe Links has vetted.

The episode is a reminder that a single control such as link rewriting can be bypassed by a small change in how a message is built, and that business users of hosted services need layered defences. In MITRE ATT&CK terms the attack spans initial access (a phishing link delivered by email), execution (the user clicking through), and defense evasion (hiding the destination from the rewriting filter). Organizations relying on Safe Links should review what else stands between a clicked link and a compromised account.
