A zero-day vulnerability in the way Office 365 scans incoming emails can let malicious content get through to users’ inboxes.
It demonstrates why it’s so important to have a multi-layered approach to email security that includes not just content filtering, but also domain-based email authentication and other techniques.
The newly discovered vulnerability, known as baseStriker, lets spammers and phishers embed links to malicious sites into their emails. These links escape the usual content-filtering mechanisms in Office 365.
How the BaseStriker Zero-Day Works
It does so by using the little-known <base> tag in the header of the message, which lets senders declare a “base URL” that will be prepended onto any relative URL paths found in the body of the message.
As Bleeping Computer reports, “Office365 security systems like Advanced Threat Protection (ATP) and Safelinks do not merge the base URL and the relative path together before they scan the link — scanning each part separately.” As a result, a link that would normally trigger these content scanners can slip through undetected.
The security researchers at Avanan who discovered the zero-day vuln say that it is not just theoretical: They have seen it being used in the wild.
“So far we have only seen hackers using this vulnerability to send phishing attacks, but it is also capable of distributing ransomware, malware and other malicious content,” they wrote.
The vulnerability affects a wide range of users, Avanan writes:
We have tested the vulnerability on several configurations and found that anyone using Office 365 in any configuration is vulnerable. If you are using Gmail, you don’t have this issue. If you are protecting Office 365 with Mimecast you are secure. Proofpoint is also vulnerable – if you are using Proofpoint you also have this problem.
How to Protect Your Organization
At this time there is no technical fix, so Avanan recommends reminding end-users about the dangers of clicking on links. It also suggests ensuring that multi-factor authentication (MFA) is enabled for key accounts, and recommends “adding a layer of email security for malware, phishing, and account take-over.”
In addition, we recommend organizations enable email authentication for their own domains and set it to an enforcement policy (a DMARC policy of p=reject or p=quarantine) in order to prevent phishers from impersonating executives or staff — a key angle of attack that has cost companies billions in the past few years.
You also need to be certain that inbound mail is being scanned for its DMARC status. Fortunately, if your organization is using Office 365, you should have inbound DMARC protection by default. With most mail servers, messages that fail DMARC will be rejected (deleted) if the domain owner has set a p=reject policy, and sent to spam folders if the owner has set a p=quarantine policy. Microsoft has set O365 so that failing messages will be marked as spam even if the domain owner’s policy is p=reject. However, this does keep those messages out of users’ inboxes, which greatly reduces their risk.
Domain-Based Authentication: The First Line of Defense
While domain-based authentication with DMARC by itself does not stop malicious links, it does ensure that senders are who they appear to be. That greatly reduces your risk profile, because the majority of phishing attacks use impersonation to gain the recipient’s trust and evade detection. According to data from Proofpoint, Mimecast, and others, two-thirds of phishing is same-domain impersonation, so DMARC is a critical first line of defense in a layered strategy, allowing other layers to be more targeted and effective.
In other words, the best defense is a layered defense:
- Domain-based email authentication to ensure senders’ identities
- Secure email gateway (SEG) technology like Microsoft’s ATP, Proofpoint, and Mimecast to stop malicious content
- User training to reduce the likelihood of clicking on any bad links that do get through
- Other security controls like MFA, threat detection, etc.
To learn more: Find out about how SEGs and email authentication complement one another.
Top photo by Aaron Yoo/Flickr