baseStriker Vulnerability - Office 365
Office 365, often seen as the bastion of hope for business office activities, has recently seen a vulnerability thought to be the “largest ever” flaw in the Office 365 platform.
Known as baseStriker, this vulnerability is a Zeroday exploit that enables Threat Actors to bypass security scans of links within 365 itself. It was discovered on the 1st of May 2018 by security researches at Avanan.
baseStriker derives its name from the “base” HTML tag. This tag is rarely used these days, but it is typically declared within the head of a HTML document, and serves to act as a URL base within the document itself, and is used as thus;
A website would declare a base URL as thus;
< base href = https://example.com / >
Once declared, developers can include links to content hosted on the base URL without typing the whole thing, as thus;
<img src = “/images/slider/photo1.png” / >
Behind the scenes, the HTML rendering engine, typically your web browser, tacks the two together to generate a fully-qualified URL.
How it works
Office 365 doesn’t support the base tag, given the low usage of it. Given this, attackers will craft an email using Rich-text-formatted emails with the below structure;
by splitting the URL, the <a href=”ee9mr”> link</a> gets through
Outlook will render the document correctly, and create a clickable link which will land the user on the intended page. Advanced Threat Protection (ATP) for Office 365 do not merge the base URL and relative path together before the link is scanned, scanning each part separately.
|Am Using?||Am I Vulnerable?|
|Office 365 with ATP and Safelinks||Yes|
|Office 365 with Proofpoint MTA||Yes|
|Office 365 with Proofpoint MTA||No, you're safe|
|Gmail||No, you're safe|
|Gmail with Proofpoint MTA||Still in testing|
|Gmail with Mimecast MTA||No, you're safe|
Cimpanu, C. (2018, May 8). Office 365 Zero-Day Used in Real World Phishing Campaigns. Retrieved from Bleeping Computer: https://www.bleepingcomputer.com/news/security/office-365-zero-day-used-...