Hackers are exploiting 0-day baseStriker vulnerability in Office 365

On May 1st, Avanan researchers discovered a 0-day vulnerability called baseStriker in Office 365. An attacker can use this vulnerability to send malicious emails, bypassing Office 365’s account security mechanism.

The baseStriker exploit uses the less commonly used <base> HTML tag, which sets a base URL for relative links.

Developers often declare this tag in the <head> section of an HTML document (web page):
<base href="https://www.example.com" />
After the declaration, the developer can write links as paths relative to the base URL instead of spelling out the full URL each time:
<img src="/images/slider/photo-1.png" />

Under the hood, the HTML rendering engine (usually the browser) merges the base URL and the relative path into the following:
https://www.example.com/images/slider/photo-1.png

The problem is that Office 365 does not support the <base> HTML tag. An attacker can therefore simply send a rich-text message, and Office 365 cannot scan and detect the malicious code hidden in the URL. The structure of this rich text message is as follows:

Outlook will display the link correctly, which means that the user can click on the link and go to the intended page. However, Office 365 security mechanisms such as Advanced Threat Protection (ATP) and Safelinks do not merge the base URL and the relative path before scanning links. These systems only scan each part separately.
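
The scanning gap described above can be reproduced with a small defensive check. This is an added example, not code from Avanan or Microsoft; the blocklist entry, the sample message and all function names are constructed for illustration. It compares checking each URL fragment separately with checking the link after it has been resolved against <base>, as the mail client will do:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data: the blocklist entry and message are illustrative only.
BLOCKLIST = {"phish.example.net/login"}  # host + path known to be malicious
SAMPLE_HTML = """<html><head><base href="https://phish.example.net/"></head>
<body><a href="login">Review your document</a></body></html>"""

LINK_ATTRS = {"a": "href", "area": "href", "img": "src", "form": "action"}


class LinkCollector(HTMLParser):
    """Collect the first <base href> and every raw link attribute value."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.raw_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base":
            # Browsers honour only the first <base> that carries an href.
            if self.base is None and attrs.get("href"):
                self.base = attrs["href"].strip()
        elif tag in LINK_ATTRS and attrs.get(LINK_ATTRS[tag]):
            self.raw_links.append(attrs[LINK_ATTRS[tag]].strip())


def collect(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.base, parser.raw_links


def is_blocked(url):
    parts = urlsplit(url)
    return (parts.netloc.lower() + parts.path) in BLOCKLIST


def scan_fragments(html):
    """Models the gap described above: base and relative path checked separately."""
    base, links = collect(html)
    return [u for u in ([base] if base else []) + links if is_blocked(u)]


def scan_resolved(html):
    """Resolve each link against <base> first, as the mail client will, then check."""
    base, links = collect(html)
    return [u for u in (urljoin(base or "", link) for link in links) if is_blocked(u)]
```

On the constructed message, scan_fragments finds nothing while scan_resolved flags the merged URL, which is the difference between the two scanning strategies.
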
Avanan researchers tested a variety of e-mail services and found that only Office 365 is vulnerable to baseStriker attacks.

| I am using: | Am I Vulnerable to baseStriker? |
|---|---|
| Office 365 | Yes – you are vulnerable |
| Office 365 with ATP and Safelinks | Yes – you are vulnerable |
| Office 365 with Proofpoint MTA | Yes – you are vulnerable |
| Office 365 with Mimecast MTA | No – you are safe |
| Gmail | No – you are safe |
| Gmail with Proofpoint MTA | We are still testing and will update soon |
| Gmail with Mimecast MTA | No – you are safe |
| Other configurations not here? | Contact us if you want us to help you test it |

Only a week after the baseStriker vulnerability was disclosed, researchers have found examples of its use in the wild. Hackers are using this vulnerability to send phishing emails and distribute ransomware, malware, and other malicious content. Avanan has contacted Microsoft and reported its findings, but Microsoft has not yet responded.

Source: bleepingcomputer