Since the first successful phishing attack, we have trained our email users to be suspicious of every URL before clicking. Microsoft's Advanced Threat Protection (ATP) includes a feature called Safe Links that undoes decades of that effort by implying it is safe to click on every 'safe' link. Even if users exercise a healthy amount of suspicion, Safe Links hides the clues they might use to identify a dangerous email.
Microsoft's technology to make email safer has the opposite effect. In this blog, we demonstrate four ways in which Safe Links actually makes it more likely that a user will fall for a phishing attack.
What are Microsoft Safe Links?
Microsoft Safe Links replaces the URLs in an incoming email with URLs under a Microsoft domain (*.outlook.com) that allow Microsoft to scan the original link for anything suspicious and redirect the user only after it is cleared. For example, an email containing a link to www.avanan.com will be replaced with:
Once the end-user clicks the link, Microsoft ATP scans the location to ensure it isn’t malicious before redirecting the end-user's browser. It checks if that destination domain:
- is not on a custom blacklist created by the organization.
- is not on Microsoft’s blacklist.
If the URL leads to an attachment, the attachment will be scanned by Microsoft for malware.
If the URL is deemed unsafe based on any of the above, the user is taken to a page displaying a warning message asking them if they wish to continue to the unsafe destination.
If the URL is deemed to be safe based on the criteria, then the user will be redirected to the destination URL.
Why Microsoft Safe Links are Unsafe
Although Safe Links is a seemingly logical method of combating phishing, it has major shortcomings that end up making your email less secure against phishing attacks.
1. Safe Links bypassed with IP traffic misdirection
As mentioned before, Microsoft follows links to determine their risk before allowing the user to navigate to them. However, Microsoft follows the Safe Links from special IP addresses that are easily distinguished from end-user requests. Attackers have compiled and shared their own blacklists of those Microsoft IP addresses. So, when the request comes from a Microsoft IP, it is redirected to a benign page and Microsoft ATP clears it; when the real user follows the same link, it redirects straight to the malicious URL.
2. Safe Links bypassed using obfuscated URLs
Another weakness of the Safe Links scan is that it doesn't apply Safe Links to domains that are whitelisted by Microsoft (popular sites like Google.com are given a pass). It may sound like it makes sense, but it opens the door for another common trick known as an "open redirect". For example, this link:
will not be changed by Office 365 Safe Links, since Google search is whitelisted. But Google will also not check this link for malicious content (they never claim to), and the end user will be redirected right into the malicious site. Here's a recent phishing attack that used this trick: Office 365 Security Hacked Using Google Redirect Vulnerability.
So why does "Safe Links" make us less safe in this case? The security team and end-users are lulled into a false sense of security, believing that "Microsoft ATP will take care of them" and are less likely to think twice before clicking the link.
3. It makes it impossible to know where the link is going
Even if users want to exercise due diligence when clicking a link, Safe Links makes it more difficult to check the URL themselves. The link is rewritten as a long, percent-encoded redirect URL, which is difficult to read, let alone parse.
Here's an example from real life: look at the two links below and attempt to discern which leads to the real UPS site and which comes from a fake phishing attack.
Which one of these is safe? (Answer at the bottom of the page.)
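The two problems above (a whitelisted open redirect hidden inside a Safe Links wrapper, and a rewritten URL too long to read) have the same defensive answer: decode the wrapper and show the real destination before anyone clicks. The following is an added example, not code from the original post, from Avanan or from Microsoft. It assumes that Safe Links hosts end in `.safelinks.protection.outlook.com` and carry the original link in the `url=` query parameter, and that the Google search redirector is `www.google.com/url` with the target in `q=` (or `url=`); the sample URL and the `example.com` landing page are constructed for illustration.

```python
"""Unwrap Microsoft Safe Links rewrites and a known open redirector so the
real destination of a link can be read before it is clicked.

Added example (not from the original post, Avanan or Microsoft).
Assumptions: Safe Links hosts end in ".safelinks.protection.outlook.com"
and carry the original link in the `url=` query parameter; the Google
search redirector is `www.google.com/url` with the target in `q=` or
`url=`. The sample URL at the bottom is constructed.
"""
from urllib.parse import urlparse, parse_qs

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
SAFELINKS_PARAM = "url"

# Whitelisted redirectors that Safe Links leaves untouched (the post names
# Google search). host -> (path, parameter names carrying the real target)
OPEN_REDIRECTORS = {
    "www.google.com": ("/url", ("q", "url")),
    "google.com": ("/url", ("q", "url")),
}


def _absolute_http(url):
    """True only for fully qualified http(s) URLs; relative paths are ignored."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.netloc)


def is_safelink(url):
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(SAFELINKS_SUFFIX)


def _next_hop(url):
    """Return the URL one layer inside `url`, or None if it is not a wrapper."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    params = parse_qs(p.query)  # decodes exactly one level of percent-encoding
    if host.endswith(SAFELINKS_SUFFIX):
        candidates = params.get(SAFELINKS_PARAM, [])
    elif host in OPEN_REDIRECTORS:
        path, names = OPEN_REDIRECTORS[host]
        if p.path != path:
            return None
        candidates = [v for n in names for v in params.get(n, [])]
    else:
        return None
    for candidate in candidates:
        if _absolute_http(candidate):
            return candidate
    return None


def unwrap(url, max_hops=5):
    """List every hop from the visible link down to the final destination."""
    hops = [url]
    while len(hops) <= max_hops:
        nxt = _next_hop(hops[-1])
        if nxt is None or nxt in hops:  # not a wrapper, or a redirect loop
            break
        hops.append(nxt)
    return hops


def final_host(url):
    """The hostname a user would actually land on: what to show them."""
    return (urlparse(unwrap(url)[-1]).hostname or "").lower()


# Constructed sample: a Safe Links wrapper around a Google redirect that
# lands on a hypothetical login page (example.com stands in for the real host).
SAMPLE = (
    "https://nam01.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252F"
    "www.example.com%252Flogin&data=05%7C01%7C&sdata=0&reserved=0"
)

if __name__ == "__main__":
    for i, hop in enumerate(unwrap(SAMPLE)):
        print(f"hop {i}: {hop}")
    print("final host:", final_host(SAMPLE))
```

Run on the constructed sample, `unwrap` returns three hops (the outlook.com wrapper, the Google redirect, then `https://www.example.com/login`), and `final_host` returns `www.example.com`, which is the only hostname worth showing a user. Redirector targets that are not absolute http(s) URLs are deliberately not followed, and a repeated hop stops the loop.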
4. Users are more likely to 'log in' on a fake O365 login page if the domain is outlook.com
It is no secret that many phishing attacks try to steal end-user credentials through fake Office 365 login pages. Users who do check where a link is going will see a URL in "*.outlook.com", a Microsoft-registered domain name. This can lead to users falling for the attack, as they are more likely to enter their credentials into a page that appears to be hosted on a known Microsoft domain.
Because Safe Links purports to protect users from malicious links, users do not approach them with the same skepticism they would apply without ATP. It creates a false feeling of security that users are misled into relying on. Since attackers already use the methods described above to bypass ATP, if users stop exercising the caution they were trained to exercise, your organization ends up less secure. "Safe Links" trains users to be less cautious when clicking links and provides little real security value.
What can be done?
API-based anti-phishing tools such as Avanan scan your emails before they reach the inbox and then continue to scan them, in case a URL becomes a threat after delivery. Instead of waiting until the user clicks, Avanan rewrites or removes the malicious email immediately.
Below is an example of what Avanan’s Smart Phish anti-phishing tool caught on a link that was deemed safe by Microsoft ATP’s Safe Links.
Beyond just checking against Microsoft's blacklist, Avanan's Smart Phish machine-learning algorithm cross-correlates over 300 indicators, some taking input from multiple best-of-breed security vendors and some derived by analyzing other email and link features (such as traffic level to the destination URL, suspicious language, reputation of the sender, and reputation of the domain host) to determine as accurately as possible whether a message is a phishing scam or a legitimate email.
(The answer to which is the ‘safe’ Safe Link: the first is legitimate. The second one goes to the malicious site webtracking.email.)