Cybercriminals have been using a new method to ensure that the URLs included in their phishing emails bypass the Safe Links security feature in Office 365, cloud security company Avanan revealed on Tuesday.
Safe Links, offered as part of Microsoft’s Office 365 Advanced Threat Protection (ATP) solution, is designed to protect organizations against malicious links delivered through emails and documents. Safe Links checks the original URL to see if it has been blacklisted (by Microsoft or the ATP customer) or if it points to malware. If a malicious element is detected, the original link is replaced and users are alerted when they click on it.
Avanan says cybercriminals have found a simple way to bypass this security feature by using a <base> tag in the HTML header – basically splitting the malicious URL. Using this method, Safe Links only checks the base domain and ignores the rest – the link is not replaced and the user is allowed to access the phishing site.
“At one time, email clients did not support the <base> tag, so every link needed to be an absolute URL. Support for relative URLs in email is a recent development and the behavior is client dependent. Older email clients will ignore the <base> tag, but web-based email clients, recent desktop clients and most mobile apps will now handle the <base> tag and recombine the URL into a clickable link,” Avanan explained.
The attack method, which Avanan has dubbed “baseStriker,” works against the Outlook clients, including the web-based, mobile and desktop applications, which support the <base> header tag. Gmail is not impacted and some security solutions, such as the one provided by Mimecast, protect users against these attacks.
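As an added illustration (not code from Avanan, Microsoft or any vendor named here), the Python example below shows the check a link scanner needs for this case: resolve every link against the message's <base> tag first, then look up the recombined URL rather than the base domain alone. The function names, the sample message, the reserved example.test domain and the blocklist entry are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkResolver(HTMLParser):
    """Collect <a href> values and the <base href> a base-aware client would use."""

    def __init__(self):
        super().__init__()
        self.base = None   # first <base href> seen; later ones are ignored
        self.hrefs = []    # raw href attribute values, in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"].strip()
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"].strip())


def effective_links(html_body):
    """Return (uses_base, resolved URLs) for an HTML message body."""
    parser = LinkResolver()
    parser.feed(html_body)
    parser.close()
    # Resolve after the full parse so a <base> placed anywhere still applies.
    resolved = [urljoin(parser.base, h) if parser.base else h for h in parser.hrefs]
    return parser.base is not None, resolved


def blocked_links(html_body, blocklist):
    """Look up the recombined host + path, not the base or the relative part alone."""
    _, links = effective_links(html_body)
    hits = []
    for url in links:
        parts = urlsplit(url)
        if (parts.hostname or "") + parts.path in blocklist:
            hits.append(url)
    return hits


# Constructed sample message and blocklist entry (example.test is a reserved domain).
SAMPLE = """<html><head><base href="https://example.test/"></head>
<body><a href="docs/login.html">View document</a></body></html>"""
BLOCKLIST = {"example.test/docs/login.html"}

if __name__ == "__main__":
    print(effective_links(SAMPLE))
    print(blocked_links(SAMPLE, BLOCKLIST))
```

The boolean returned by effective_links can also be logged on its own, since a <base> tag in an email body is uncommon enough to be worth reviewing.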
While Avanan has only seen this method being exploited in phishing attacks, they believe it can also be leveraged to deliver ransomware and other types of malware.
Avanan discovered the use of this attack method after seeing that some phishing emails made it past filters included in Microsoft and Proofpoint products. An investigation revealed that the malicious messages that bypassed these filters had been using the <base> tag.
“What made this attack interesting was that the URLs that were making it through were already known by the major blacklist databases that Microsoft subscribes to,” Yoav Nathaniel, Avanan research engineer, told SecurityWeek.
According to Nathaniel, a majority of the phishing messages observed by Avanan purport to be DocuSign or Office 365 links and they lead to a fake login page.
“The FROM address is customized on a per-email basis to look like the email is an internal one. The FROM: takes the form of ‘targetcompany.com <firstname.lastname@example.org>’ so the user will see ‘targetcompany.com’ as the name, often fooling the user into thinking it is an internal email address. The email is coming from a real email account so the sender passes SPF and DKIM,” Nathaniel said.
“The SUBJECT is customized on a per-email basis to seem like the message is an internal one. The SUBJECT is of the form ‘email@example.com has sent you a document’,” he added. “The email includes one or more logos including Office365 or DocuSign or other document sharing service as well as the standard boilerplate text that would be expected at the bottom of such an email. The emails are well-crafted with few or no spelling mistakes.”
Microsoft has been made aware of these attacks and the company has launched an investigation.
“Microsoft has a customer commitment to investigate reported security issues and provide resolution as soon as possible,” a Microsoft spokesperson told SecurityWeek. “We encourage customers to practice safe computing habits by avoiding opening links in emails from senders they don’t recognize.”
This is not the first time researchers have found a way to bypass Safe Links. Both Avanan and others have disclosed several methods in recent months.