baseStriker: Office 365 Security Fails To Secure 100 Million Email Users
- Posted by
Yoav Nathaniel on May 8, 2018
Update: Microsoft has repaired this vulnerability on 5/16/18, two weeks after we first reported it to them.
We recently uncovered what may be the largest security flaw in Office 365 since the service was created. Unlike similar attacks that could be learned and blocked, hackers can use this vulnerability to completely bypass all of Microsoft’s security, including its advanced services like ATP or Safe Links.
The name baseStriker refers to the method hackers use to take advantage of this vulnerability: splitting and disguising a malicious link using a tag called the <base> URL tag.
So far, we have only seen hackers exploit this vulnerability to send phishing attacks, but it is also capable of distributing ransomware, malware, and other malicious content.
How a baseStriker Attack Works
The attack sends a malicious link (that would ordinarily be blocked by Microsoft) past their security filters by splitting the URL into two snippets of HTML: a base tag and a regular href tag. Here's a short video showing how it works:
Traditional Phish: this html email would be blocked because the URL is known to be malicious.
When scanning this, Office 365 sees the malicious URL, performs a lookup against a list of known bad links, and blocks it. Office 365 Safe Links, for customers who purchased ATP, also replaces the URL with a "Safe Link" URL and prevents the end-user from going to the phishing site.
Phish using baseStriker method: This email, however, has the same malicious link presented to the end-user but is let through because the email filters are not handling the <base> HTML code correctly.
In this example, Office 365 only performs the lookup on the base domain, ignoring the relative URL in the rest of the body. Because only part of the URL is tested, it mistakenly appears to not exist in the malicious URL database and the email is let through. Furthermore, Safe Links does not replace the malicious link, so the still gets the original malicious link phishing page.
In a nutshell, this attack method is the email equivalent of a virus that blinds the immune system. So even if the attack is already known, Microsoft does not have a way to see it and lets it through.
Secure against baseStriker and similar attacks with Avanan
- 5/1/2018: Avanan identified attackers are leveraging a critical vulnerability in Microsoft Office 365 email service that allows them to completely bypass O365 built in security
- 5/2/2018 11:00am: Avanan reported this issue to Microsoft
- 5/2/2018 11:00am: Avanan tested Gmail and it does not suffer from this vulnerability
- 5/2/2018 11:30am: Avanan tested Mimecast and Proofpoint.
- Mimecast is not vulnerable to baseStriker.
- Proofpoint has the same vulnerability. Therefore, if you use Proofpoint you are not secured. We informed Proofpoint at 11:44am EDT on May 2nd, 2018.
- 5/16/2018 11:30am: Microsoft has fixed the vulnerability after 14 days