Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Microsoft Safe Links – Not so Safe

May 9, 2018

It's really, really hard to stay ahead of the bad guys. Just ask Apple how many times it has released a new version of iOS only to have jailbreak code released within days if not hours. Microsoft is one of the latest victims to be attacked.

Office 365 has a feature called Safe Links, part of Microsoft's Advanced Threat Protection (ATP), that is designed to protect users from phishing and malware attacks. Hackers have figured out a way to get around Safe Links. Essentially, Safe Links takes all hyperlinks in a message and converts them to Microsoft-controlled URLs. Cloud security researchers from Avanan have revealed how hackers are bypassing Safe Links by using a technique called the "baseStriker attack." The baseStriker attack uses the <base> tag in the header of an HTML email, which defines a default base URI, or URL, for relative links in a document or web page. Basically, the message code defines a reference point for subsequent URLs. If you're not a programmer, the post on The Hacker News gives a detailed explanation.

At the end of the day, Safe Links is defeated by "splitting up" the reference to the real URL. Microsoft's implementation then allows the user to navigate to the malicious URL without any restriction. Office 365 is vulnerable with the optional ATP and Safe Links. Office 365 users are also vulnerable if they use Proofpoint, which has similar URL protection. Office 365 users are safe if using the Mimecast service, which obviously handles URLs differently. By contrast, Gmail users are safe. The researchers are still testing Proofpoint with Gmail, but Mimecast protects users as it does Microsoft users.
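The check below is an added example, not code from this post, Avanan or Microsoft: it resolves every link in an HTML message body against any <base> tag, the way a mail client does, so a filter can scan the effective URL instead of the raw href. The function names and the sample message (built on the reserved example.test domain) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class BaseAwareLinkExtractor(HTMLParser):
    """Collects <a href> values and the first <base href> in a message body."""

    def __init__(self):
        super().__init__()
        self.base = None   # first <base href> seen; later ones are ignored
        self.hrefs = []    # raw href attributes exactly as written

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"].strip()
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"].strip())


def audit_links(html_body):
    """Return (base, findings); a finding is (raw_href, effective_url, is_split)."""
    parser = BaseAwareLinkExtractor()
    parser.feed(html_body)
    parser.close()
    findings = []
    for raw in parser.hrefs:
        effective = urljoin(parser.base, raw) if parser.base else raw
        parts = urlsplit(raw)
        # "Split" link: the href carries no scheme or host of its own and a
        # <base> tag supplies them, so scanning the raw href alone sees no URL.
        is_split = bool(parser.base) and not parts.scheme and not parts.netloc
        findings.append((raw, effective, is_split))
    return parser.base, findings


# Constructed sample body; example.test is a reserved placeholder domain.
SAMPLE = """<html><head><base href="https://landing.example.test/landing/"></head>
<body><a href="login.html">Review document</a>
<a href="https://www.example.test/help">Help</a></body></html>"""

if __name__ == "__main__":
    base, findings = audit_links(SAMPLE)
    print("base:", base)
    for raw, effective, is_split in findings:
        print("SPLIT" if is_split else "ok   ", raw, "->", effective)
```

A gateway that rewrites or reputation-checks links would apply its checks to the effective URL in each finding, and could treat any message containing a split link as worth closer inspection.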

Mimecast is a much more expensive option than Proofpoint and requires a minimum monthly purchase. I'm sure Microsoft and Proofpoint will fix this vulnerability, but you can always jump over to Mimecast if you can't wait.

Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
https://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://www.senseient.com