Maybe you could call it two-factor fakery.
Because the latest zero-day to plague Microsoft’s Office 365—a cloud-based service that includes Office 2016—was created by somebody who figured out that the way to get malicious emails past its security systems is to split a malicious link in two.
Researchers at the security firm Avanan, who said it “may be the largest security flaw in Office 365 since the service was created,” have named the attack baseStriker because of the method used by hackers: “splitting and disguising a malicious link using a tag called the <base> URL tag.”
In short: “The attack sends a malicious link, that would ordinarily be blocked by Microsoft, past their security filters by splitting the URL into two snippets of HTML: a base tag and a regular href tag.”
A “traditional” phishing email with a malicious URL would be blocked because Office 365 compares incoming links with known bad links. For customers who bought ATP (Advanced Threat Protection), Office 365 Safe Links also replaces the URL with a Safe Links URL that prevents the end user from going to the malicious site.
But in a baseStriker attack, the same malicious link, broken into two snippets, gets through “because the email filters are not handling the <base> HTML code correctly,” the researchers said.
“In this example, Office 365 only performs the lookup on the base domain, ignoring the relative URL in the rest of the body,” they said, adding that “in a nutshell, this attack method is the email equivalent of a virus that blinds the immune system.”
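The mechanism the researchers describe comes down to one question: does the filter resolve each link the way the recipient's mail client will, or does it look only at the literal `href`? The following script is an added example (not code from Avanan, Microsoft or the article) that compares the two behaviours. It uses only the Python standard library; the blocklist, the message body and the hostname `evil.example` are constructed for illustration.

```python
"""Resolve the links in an HTML e-mail body the way a browser will, then screen them.

Added example, not the article's or any vendor's code. The blocklist and the
message body below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed blocklist of known-bad hostnames (stand-in for a real reputation feed).
BLOCKLIST = {"evil.example"}


class LinkCollector(HTMLParser):
    """Collect the document's <base href> (the first one wins, per HTML) and every <a href>."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if not href:
            return
        if tag == "base":
            if self.base is None:
                self.base = href
        elif tag == "a":
            self.hrefs.append(href)


def _collect(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser


def raw_links(html):
    """What a filter that ignores <base> sees: each href exactly as written."""
    return _collect(html).hrefs


def resolved_links(html):
    """What the mail client will actually open: each href joined onto <base href>.

    Joining happens after the whole body is parsed, so a <base> that appears
    after the anchors is still honoured, as in a browser.
    """
    parser = _collect(html)
    return [urljoin(parser.base or "", href) for href in parser.hrefs]


def is_blocked(url):
    """True if the URL's host is a blocklisted domain or any subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == bad or host.endswith("." + bad) for bad in BLOCKLIST)


def screen(html, honour_base=True):
    """Return the links that hit the blocklist, with or without <base> resolution."""
    links = resolved_links(html) if honour_base else raw_links(html)
    return [url for url in links if is_blocked(url)]


# Constructed message body in the shape the article describes: the host lives in
# <base>, the path lives in the <a href>, so neither snippet alone is a full URL.
SPLIT_LINK_BODY = """<html><head><base href="http://evil.example/"></head>
<body><p>Your mailbox is almost full.</p>
<a href="account/verify">Verify your account</a></body></html>"""

if __name__ == "__main__":
    print("naive filter sees  :", raw_links(SPLIT_LINK_BODY))
    print("client will open   :", resolved_links(SPLIT_LINK_BODY))
    print("naive verdict      :", screen(SPLIT_LINK_BODY, honour_base=False))
    print("base-aware verdict :", screen(SPLIT_LINK_BODY))
```

Run as-is, the naive pass returns nothing because `account/verify` has no hostname to look up, while the base-aware pass flags `http://evil.example/account/verify`. An absolute `href` is unaffected by `<base>` (`urljoin` keeps it), so the same resolver is safe to run over every message, not just ones containing a base tag.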
The researchers said those using only Gmail are not vulnerable but “anyone using Office 365 in any configuration is vulnerable,” including those using Proofpoint, an incoming email security vendor.
At the time of the post—May 8—Avanan said there was no fix available but recommended that users immediately implement multifactor authentication. “This will not protect from malware and other types of phishing, but will help with credential harvesting,” they said.
Avanan hasn’t been a fan of ATP Safe Links for some time. In a post last October, the company contended that attackers could get malicious emails past Safe Links with four methods: IP traffic misdirection, obfuscated URLs, making it difficult for the user to check the URL of a link to see where it goes, and using a fake Office 365 log-in page by using the domain outlook.com.
Craig Spiezle, managing director of Agelight Advisory Group and a former director of Microsoft security and privacy, said he doesn’t think Office 365 is as defenseless as Avanan suggests. “From what I know, there are other parts of the ATP stack that could catch baseStriker,” he said, adding that he had spoken to Microsoft and that a patch for the vulnerability would be released this week.
He also said he was unaware of baseStriker being exploited in the wild.
But he agreed that it is “an example of defending against an unknown, and how a determined adversary can probe software for vulnerabilities and work around them.”
Amit Sethi, senior principal consultant with Synopsys Software Integrity Group, said the unusual attack method would be hard for a defender to predict. “This was likely the result of the Office 365 protections not anticipating this mechanism of breaking up URLs,” he said.
What should users do? “They should be extremely careful about clicking on links to unknown sites sent to them via email,” Sethi said.
For short-term fixes, Spiezle recommended that users update browsers, implement inbound email authentication checks such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), and enforce DMARC (Domain-based Message Authentication, Reporting, and Conformance) policies. “Mail that does not conform should be flagged as suspicious, blocked, and/or links disabled,” he said.
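Enforcing DMARC means more than checking that SPF or DKIM passed: the domain that passed has to align with the domain in the visible From header, otherwise a message can carry a valid SPF result for an unrelated sender domain. The following is an added example (not from the article, Spiezle or any mail vendor) of that decision logic in Python, following the RFC 7489 relaxed-alignment rule. The policy table, domain names and authentication results are constructed; a real gateway would fetch the policy from the `_dmarc.<domain>` TXT record and use the Public Suffix List for organizational domains.

```python
"""Apply a DMARC-style verdict to an inbound message from its SPF/DKIM results.

Added example, not the article's or any vendor's code. Policy table, domains and
authentication results are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed stand-in for DNS lookups of _dmarc.<organizational-domain>.
# Only the "p" (policy) tag is modelled.
DMARC_POLICY = {"corp.example": "reject", "partner.example": "quarantine"}

# The handling the article recommends for non-conforming mail, per policy strength.
DISPOSITION = {
    "reject": "block",
    "quarantine": "flag-and-disable-links",
    "none": "deliver-and-report",
}


@dataclass
class AuthResults:
    """What SPF and DKIM verification reported for one message."""
    from_domain: str    # domain of the RFC 5322 From header (what the user sees)
    spf_pass: bool
    spf_domain: str     # RFC 5321 MAIL FROM domain that SPF actually checked
    dkim_pass: bool
    dkim_domain: str    # d= of the DKIM signature that verified


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption; real code uses the PSL)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, relaxed=True):
    """Relaxed alignment compares organizational domains; strict requires an exact match."""
    if relaxed:
        return org_domain(auth_domain) == org_domain(from_domain)
    return auth_domain.lower() == from_domain.lower()


def dmarc_pass(r, relaxed=True):
    """DMARC passes if at least one mechanism passed AND its domain aligns with From."""
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, relaxed)
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, relaxed)
    return spf_ok or dkim_ok


def disposition(r, relaxed=True):
    """Return the gateway action for the message under the From domain's policy."""
    if dmarc_pass(r, relaxed):
        return "deliver"
    policy = DMARC_POLICY.get(org_domain(r.from_domain), "none")
    return DISPOSITION[policy]


if __name__ == "__main__":
    # Constructed cases: a legitimate bulk sender, a forged From with an unrelated
    # SPF pass, a DKIM-only pass, and a domain that publishes no DMARC record.
    cases = [
        AuthResults("corp.example", True, "bulk.corp.example", False, ""),
        AuthResults("corp.example", True, "sender.example", False, ""),
        AuthResults("partner.example", False, "sender.example", True, "partner.example"),
        AuthResults("unknown.example", False, "sender.example", False, ""),
    ]
    for c in cases:
        print(f"{c.from_domain:18} -> {disposition(c)}")
```

The second case is the one to note: SPF passed, but for `sender.example`, which does not align with the `corp.example` From domain, so under a `p=reject` policy the message is blocked even though "SPF pass" appears in its headers. Under `p=none` a failure only generates a report, which is why the article's advice to enforce a policy matters.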
And of course, as soon as Microsoft comes out with a patch, install it.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.