Office 365 (with Outlook as the client and Exchange Online as the mail service, often loosely called "Outlook 365") is a cloud-based email service designed to meet an organization's needs for security, reliability, and user productivity. It is widely used by enterprises globally for its ease of use, integration with the rest of the Microsoft stack, mobile access, and productivity features.
When you move your organization to a cloud service, you must be able to trust your service provider with your most important, sensitive, and confidential data. Microsoft has robust policies, controls, and systems built into Office 365 to help keep your information safe, and its security team covers physical and network security for the email infrastructure. If you have migrated from an on-premises or hybrid Exchange deployment to Exchange Online, that is a good step. But while Office 365 offers a number of built-in data protection features, those features alone are usually not enough for the security posture a modern enterprise requires. The built-in controls protect Microsoft's platform; configuring and layering them to protect your tenant is still your job.
Let's examine the baseStriker attack, disclosed by researchers at Avanan in May 2018, and how you can configure your Office 365 setup to reduce the impact of this and similar future bypasses.
The researchers described a way to bypass a security feature of Office 365 that is designed to protect users from malware and phishing. Safe Links, part of Microsoft's Office 365 Advanced Threat Protection (ATP) offering, works by rewriting the URLs in an incoming email so that they point at a Microsoft-owned domain (safelinks.protection.outlook.com), with the original URL carried as a parameter. Every time a user clicks a link in such an email, the browser first visits the Microsoft-owned domain, which checks the original URL at time of click. If Microsoft's scanners consider the destination malicious, the user is shown a warning page; otherwise the user is redirected to the original link.
The baseStriker attack gets a malicious link that Safe Links would ordinarily block past the filter by splitting the URL across two pieces of HTML: a `<base href="https://attacker-domain/">` tag in the message head, and an ordinary `<a href="path">` anchor in the body that contains only the relative path. HTML renderers, including Outlook, honour `<base>` and resolve the relative href against it, so the user sees and clicks the full malicious URL. The filter, however, did not handle `<base>` correctly: it evaluated the base value and the anchor href separately and never reassembled the full URL. The relative href has no host to look up, so the full URL was never checked against the malicious-URL database, and because nothing looked like a complete link, Safe Links did not rewrite it either. The email is delivered with the original, unwrapped link, and a click takes the user straight to the phishing page with no time-of-click check.
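The following Python script is an added illustration of the bypass mechanism described above; it is not code from the original article, from Avanan, or from Microsoft, and it does not reproduce the real Safe Links URL format or reputation service. It models a naive URL filter that only inspects absolute hrefs (`naive_scan`), shows what a mail client actually navigates to after resolving hrefs against `<base>` (`client_view`), and a hardened filter that resolves every href the way the client will before checking and rewriting it (`hardened_scan`). The blocklist, the wrapper host `safelinks.example.test`, and the two sample messages are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import quote, urljoin, urlsplit

# Constructed sample of a "known malicious" domain list; stands in for the
# reputation lookup a real filter performs. Not a real blocklist.
BLOCKLIST = {"evil.example.test"}

# Hypothetical wrapper used to illustrate Safe Links-style rewriting. The
# real Safe Links URL format is deliberately not reproduced here.
WRAPPER = "https://safelinks.example.test/?url="


class LinkCollector(HTMLParser):
    """Collects the first <base href> and every <a href> in document order."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base is None and a.get("href"):
            self.base = a["href"]  # HTML only honours the first <base>
        elif tag == "a" and a.get("href") is not None:
            self.hrefs.append(a["href"])


def collect(html):
    c = LinkCollector()
    c.feed(html)
    c.close()
    return c.base, c.hrefs


def is_absolute(url):
    return urlsplit(url).scheme in ("http", "https")


def decide(url):
    """Reputation check plus rewrite: returns (action, url_placed_in_mail)."""
    host = (urlsplit(url).hostname or "").lower()
    if host in BLOCKLIST:
        return "blocked", None
    return "rewritten", WRAPPER + quote(url, safe="")


def naive_scan(html):
    """Vulnerable filter: looks at each <a href> in isolation and never
    consults <base>. A bare relative path has no host to look up, so it is
    neither checked nor rewritten and reaches the mailbox unchanged."""
    _, hrefs = collect(html)
    results = []
    for h in hrefs:
        if is_absolute(h):
            action, out = decide(h)
            results.append((h, action, out))
        else:
            results.append((h, "untouched", h))
    return results


def client_view(html):
    """What the mail client actually navigates to: each href resolved
    against <base href> per RFC 3986, which is exactly what urljoin does."""
    base, hrefs = collect(html)
    return [urljoin(base, h) if base else h for h in hrefs]


def hardened_scan(html):
    """Fixed filter: resolve every href the way the client will, then check
    and rewrite the effective absolute URL. Relative hrefs with no <base>
    still have no host and are left alone."""
    base, hrefs = collect(html)
    results = []
    for h in hrefs:
        effective = urljoin(base, h) if base else h
        if is_absolute(effective):
            action, out = decide(effective)
            results.append((h, action, out))
        else:
            results.append((h, "untouched", h))
    return results


# Constructed messages for the demo (not real phishing samples).
PLAIN_PHISH = '<a href="https://evil.example.test/login">Reset password</a>'
BASESTRIKER = (
    '<html><head><base href="https://evil.example.test/"></head>'
    '<body><a href="login">Reset password</a></body></html>'
)

if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_PHISH), ("baseStriker", BASESTRIKER)):
        print(name)
        print("  naive    :", naive_scan(msg))
        print("  client   :", client_view(msg))
        print("  hardened :", hardened_scan(msg))
```

Run it and the plain phishing mail is blocked by both filters, but the baseStriker variant sails through `naive_scan` as an "untouched" relative path while `client_view` shows the user will land on the blocked host. The general lesson is that any content filter must canonicalise its input the same way the consumer will; resolving against `<base>` is one instance, and a filter that instead strips or neutralises `<base>` tags in inbound mail removes the ambiguity entirely.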
In summary, this is one of the more serious Safe Links bypasses reported since the feature was introduced. Unlike attacks that can be learned and blocked once a sample is seen, this technique makes the malicious URL invisible to Safe Links' scanning and rewriting, the email equivalent of blinding the immune system: even if the destination is already known to be malicious, the filter never looks it up and lets the message through. We have only seen attackers use this technique to deliver phishing pages, but it works equally well for links to ransomware, malware, and other malicious content, exposing users to risks they have not been accustomed to on the platform.
Defense in Depth to Protect Office 365
There is no single control that mitigates the attack described above; a successful phishing campaign is a failure of controls at several levels. You cannot rely on one Office 365 security feature, such as Safe Links, to reduce the likelihood of that attack, or any other, succeeding. A layered defensive strategy that uses multiple Microsoft security features and controls stands a much better chance of stopping the attacker at one of the layers.
The initial phishing email can be mitigated using Exchange Online Protection (EOP) and ATP. These go well beyond Safe Links, which was the feature affected by the reported bypass: EOP's connection filtering, anti-spam, and anti-malware checks, ATP Safe Attachments, and ATP anti-phishing policies each get a chance to stop the message. An attacker's email has to make it past every one of those layers to reach a user's Inbox. It can also be removed from an Inbox after delivery by Zero-hour Auto Purge (ZAP) if it is later determined to be malicious, potentially before the user has even read it.
The risk of reused or phished credentials can be mitigated with Azure AD Identity Protection. When Microsoft becomes aware of a breach containing a set of credentials that are also in use in your tenant, Identity Protection can alert you and automatically force a password reset for that user. It can also flag suspicious sign-in patterns, such as sign-ins from unfamiliar locations or impossible travel between two locations. Identity Protection is only one way to limit the damage from compromised credentials. Enabling multi-factor authentication (MFA) means a stolen password alone is not enough to sign in, which is exactly what a credential-harvesting phishing page relies on. Azure Active Directory conditional access can enforce MFA and other conditions on sign-ins, such as requiring that they originate from compliant or domain-joined devices.
If the attacker manages to gain remote access to a user's computer, Windows Defender ATP can detect the suspicious behaviour of the attacker's tools on the endpoint and alert you to the breach immediately. If the attacker performs reconnaissance of your on-premises network or attempts privilege escalation, Azure ATP, which monitors domain controller traffic, can alert you to that activity. Even if the attacker learns who to target and obtains their password, MFA and the identity protection measures above prevent them from directly taking over the mailbox. That leaves email spoofing or impersonation as a vector, which ATP anti-phishing policies (user and domain impersonation protection) once again mitigate.
All of the measures above must be evaluated, tested, and deployed to be effective, and some of them require additional licenses. There is no single button that turns all of them on: some work in isolation, others are tightly integrated with each other, and policies have to be configured for your tenant. Together they secure your organization's Office 365 setup far better than any one of them alone.
baseStriker is a good example of a very simple technique with the potential to cause significant damage to your organization, and a reminder that a filter is only as good as its understanding of how the client will interpret the content it inspects. As more organizations move further into cloud offerings, we will need to stay aware of the potential security risks and remain vigilant.