Your IT Consultant
Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.
Microsoft Safe Links – Not so Safe
May 9, 2018
It's really, really hard to stay ahead of the bad guys. Just ask Apple how many times it has released a new version of iOS only to have jailbreak code released within days if not hours. Microsoft is one of the latest victims of to be attacked.
Office 365 has a feature that is designed to protect users from phishing and malware attacks called Safe Links, which is a part of Microsoft's Advanced Threat Protection (ATP). Hackers have figured out a way to get around Safe Links. Essentially, Safe Links takes all hyperlinks in a message and converts them to Microsoft controlled URLs. Cloud security researchers from Avanan have revealed how hackers are bypassing Safe Links by using a technique called the "baseStriker attack." BaseStriker attack involves using the <base> tag in the header of an HTML email—which is used to defines a default base URI, or URL, for relative links in a document or web page. Basically, the message code defines a reference point for subsequent URLs. If you're not a programmer, the post on The Hacker News gives a detailed explanation.
At the end of the day, Safe Link is defeated by "splitting up" the reference to the real URL. Microsoft's implementation then allows the user to navigate to the malicious URL without any restriction. Office 365 is vulnerable with the optional ATP and Safe Link. Office 365 users are also vulnerable if they use Proofpoint, which has similar URL protection. Office 365 users are safe if using the Mimecast service, which obviously handles URLs differently. As a contrast, Gmail users are safe. The researchers are still testing Proofpoint with Gmail, but Mimecast protects users as it does Microsoft users.
Mimecast is a much more expensive option over Proofpoint and requires a minimum monthly purchase. I'm sure Microsoft and Proofpoint will fix this vulnerability, but you can always jump over to Mimecast if you can't wait.
E-mail: Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
https://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://www.senseient.com