Microsoft Outlook is built for productivity. That means they offer helpful tools designed to supercharge and streamline daily work.
Despite the good intentions of these tools, they are not built for security. Hackers have found a way to use these features against end-users.
In this attack, hackers can send spoofed emails to their targeted end-user. On the back-end, Outlook grabs and displays valid Active Directory details for the spoofed user, creating a veneer of legitimacy.
The end-user sees an email that looks like it comes from a real user, not knowing that it is spoofed.
Starting in December 2021, Avanan observed how the productivity tools of Outlook are being used as a way to hack users. In this attack brief, Avanan will analyze this social engineering campaign and how Outlook makes the impersonator appear more credible.
In this attack, hackers took advantage of a feature in Outlook that's designed for productivity but ends up making impersonators appear more credible.
- Vector: Email
- Type: Credential Harvesting
- Techniques: Social Engineering, Impersonation
- Target: Any end-user
To use the productivity tools against users, all hackers have to do is send a spoofed email. For example, if they have a private server, they can craft an email that pretends to come from another sender; in other words, a domain impersonation attack.
In this case, we tested a simple email that spoofed a user:
This is a simple example of a spoofed email that got into the inbox.
Should this email get past security layers, as domain impersonations sometimes do, Outlook will present it as a real email from the spoofed person, including showing off the legitimate Active Directory details. That includes photos, files shared between users, legitimate email addresses, and phone numbers.
In a bid to be helpful, Outlook displays valid Active Directory details, even on spoofed emails.
To the end-user, this conveys legitimacy. They can see all the times they have communicated together, the files shared, even their picture. That makes a social engineering attack even more difficult to stop.
In this email attack, hackers have taken advantage of the ways that Outlook prioritizes productivity over security.
The Outlook client, according to Avanan researchers, does not do email authentication, such as SPF or DKIM checks. That is up to the security layers before the inbox.
Because of that, if the email gets into the inbox, Outlook does the work for the hacker, displaying accurate Active Directory details.
Spoofing is also made easier, because Microsoft does not require verification before updating the user image on an email, and it will display all contact data for a user, even if that user has an SPF fail.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Ensure your organization has layered security before the inbox
- Employ an email security solution that scans files and links and measures domain risk
- Protect all applications that interact with the Active Directory, such as Teams and SharePoint
- Follow several steps, outlined here, to configure settings in O365 to better protect against spoofing