Hackers are using a new method to ensure that the URLs included in their phishing emails bypass the Safe Links security feature in Office 365.
For those who don’t know, Safe Links is a feature offered as part of Microsoft’s Office 365 Advanced Threat Protection (ATP) solution, designed to protect companies against malicious links delivered through emails and documents.
How does the Safe Links feature work?
Safe Links verifies the original URL to see if it has been blacklisted or if it points to malware. If a malicious link is detected, the original link is replaced and users are alerted when they click on it.
Now cybercriminals have found a simple and ingenious trick to bypass this security feature: using a <base> tag in the HTML header, basically splitting the malicious URL in two. Because of this, Safe Links only checks the base domain and ignores the rest, leaving the user free to reach the phishing site.
This new cyber attack method, named “baseStriker,” works with all the Outlook clients, including the web-based ones, mobile, and desktop applications, which support the <base> header tag. However, Gmail is not affected by this cyber attack.
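To show how a scanner should see such a message, here is a small added example (not code from the original article or from Microsoft): it resolves every link in an HTML email body against its <base href> the way a mail client does, and flags links whose host only appears once the base is joined in. The HTML sample and hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkResolver(HTMLParser):
    """Collect the first <base href> and every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.raw_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"].strip()  # first <base> wins, as in browsers
        elif tag == "a" and attrs.get("href"):
            self.raw_links.append(attrs["href"].strip())


def effective_links(html):
    """Return (base, [(raw_href, resolved_url, split_by_base), ...]).

    split_by_base is True when the href on its own has no host but the
    resolved URL does: exactly the link a base-only check would miss.
    """
    parser = LinkResolver()
    parser.feed(html)
    results = []
    for href in parser.raw_links:
        resolved = urljoin(parser.base, href) if parser.base else href
        split = bool(parser.base) and not urlsplit(href).netloc \
            and bool(urlsplit(resolved).netloc)
        results.append((href, resolved, split))
    return parser.base, results


# Constructed sample email body modelled on the technique described above.
SAMPLE = """<html><head><base href="http://phish.example/"></head>
<body><a href="path/login.php?id=1">Review document</a>
<a href="https://legit.example/help">Help</a></body></html>"""

if __name__ == "__main__":
    base, links = effective_links(SAMPLE)
    for raw, full, split in links:
        print(f"{'SPLIT' if split else 'plain'}: {raw} -> {full}")
```

A link filter that rewrites or reputation-checks only the href text, or only the <base> domain, never sees the resolved URL; scanning the resolved value is what closes the gap.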
For now, researchers have only found this method being exploited in phishing attacks, but they believe it can also be used to deliver ransomware and other types of malware, so be very careful when you access links received via email.
This attack method is used in more and more phishing emails, which can go unnoticed by the filters included in Microsoft products.
These kinds of malicious emails can be easily evaded by installing a cybersecurity solution like an antivirus for Windows or antivirus for Mac, chosen depending on which OS the device is running. Besides this, a company must hire a cybersecurity firm that will launch, on purpose, various attacks on the company’s network to reveal its flaws. Attacks like this are made through specialized cybersecurity tests like penetration tests and ethical hacking tests.
What makes this attack even more interesting is that the URLs that are making it through are already known to the major blacklist databases that Microsoft subscribes to.
Be aware! The majority of those phishing messages are in fact fake DocuSign or Office 365 links and they lead to a fake login page.
Every FROM address is customized on a per-email basis to look like the email is an internal one. The FROM: takes the form of ‘targetcompany.com <[email protected]>’ so the victim will see ‘targetcompany.com’ as the name, often fooling the user into thinking it is an internal email address. Every email from this attack is coming from a real email account so the sender easily passes SPF and DKIM.
The SUBJECT is also altered to look like the message is an internal one. The SUBJECT is of the form ‘[email protected] has sent you a document’. Every email contains one or more logos including Office365 or DocuSign or other document sharing service as well as the standard boilerplate text that is expected at the bottom of such an email. The emails are well-crafted with few or no spelling mistakes.
Now Microsoft is aware of these attacks, and the company has launched an investigation and will provide a resolution as soon as possible. Until then we encourage customers to practice safe computing habits by avoiding opening links in emails from senders they don’t recognize.
Because we want you to be safe and secure against cyber threats like this, depending on which OS version your device runs, you must install an antivirus for Windows or antivirus for Mac.
Companies should also make sure that they hire a professional cybersecurity firm that will run various cybersecurity tests on the company’s network to implement only the best possible cybersecurity solution. Remember that tests like penetration tests and ethical hacking tests should be mandatory for every company.