In March of 2023, Microsoft confirmed a zero-click attack in Outlook that would compromise the end-user without them doing anything. They don’t need to click a link or respond or even open the email. All they need to do is receive it for the malicious code to compromise the endpoint. 

Now, researchers have found two additional security vulnerabilities in Outlook that, individually or combined, can create zero-click exploits. 

The first bypass is related to the original vulnerability we wrote about in March. That one was triggered when an email was sent with a custom notification sound, like a calendar reminder. Microsoft patched it, but researchers found a bypass, allowing for another zero-click attack. The vulnerability has to do with the Windows path parsing code, which leads to a bypass of MapUrlToZone. This can lead to the leakage of NTLM credentials. 

The next bypass again has to do with the custom sound feature. It works by triggering the first vulnerability: a custom sound file is delivered to the target to take advantage of Outlook’s reminder sound. Combining the two leads to full remote code execution on the end-user machine. 

So we have two potential exploits. The first one can be used to once again leak NTLM credentials. The second one, when combined with the first, can lead to zero-click code execution.  

To kick off the exploitation, it starts with an email to an Outlook client.  


It’s important to note that machines with the October 2023 software update from Microsoft are protected, and those that use Exchange servers patched with the March 2023 software update are protected as well. The vulnerabilities were disclosed by researchers to Microsoft and subsequently addressed.  

When we first wrote about this, we talked about the importance of prevention first, which has always been our ethos. We've explained to customers the importance of blocking attacks before an end-user has a chance to get compromised. 

This is important because these zero-click attacks—which are increasing in fervor and number—are potentially devastating against the new wave of post-delivery API solutions. 

The promise of API-based, post-delivery remediation vendors is simple: we’ll remediate a malicious email before an end-user even gets a chance to see it. It’ll happen in milliseconds, according to vendor literature, so that it doesn’t even matter that the malicious email hits the inbox. The user will never even see it. Who can act on an email in a millisecond? 

This has its problems in practice, which we’ve detailed extensively. Most emails aren’t remediated in milliseconds. 

But taking that off the table for the moment—regardless of how fast the email is remediated, these solutions are helpless against zero-click attacks. That’s because these attacks are done without any interaction by the end user, and the attack process happens as soon as Outlook processes the email.  

As soon as Outlook processes the email, it’s game over.  

That’s too late. Even if it takes one millisecond to remediate, that’s a millisecond too late, since this happens the very instant the email is received by Outlook.  

It doesn’t matter how fast your remediation is. You can’t remediate what’s already done. 

We stop malicious messages before Outlook processes them. So it doesn’t matter whether the user has to interact with the message or not. We block it before it comes into play.  

Zero-click attacks are, we predict, going to become a bigger part of our lexicon in 2024.  

And it’s why prevention is so critical. Protect before it happens. Not after it’s too late.