Hackers are exploiting 0-day baseStriker vulnerability in Office 365
On May 1st, Avanan researchers discovered a 0-day vulnerability called baseStriker in Office 365. An attacker can use this vulnerability to send malicious emails, bypassing Office 365’s account security mechanism.
The code for the baseStriker exploit uses the less commonly <base> HTML tag to create a base URL for relative links.
Developers often declare this tag in the <head> section of an HTML document (web page).
After the declaration, the developer adds the link to the full text of the base URL, but does not need to write all the code:
At the bottom level, the HTML rendering engine (usually the browser) will merge the base URL and relative path with the following:
The problem is that Office 365 does not support “base” HTML tags. Therefore, the attacker simply sends a rich text message and Office 365 cannot scan and detect the hidden malware code in the URL. The structure of this rich text message is as follows:
Outlook will display the link correctly, which means that the user can click on the link and go to the default page. However, Office 365 security mechanisms such as Advanced Threat Protection (ATP) and Safelinks do not merge basic URLs and relative paths before scanning for links. These systems only scan each section separately.
Avanan researchers tested a variety of e-mail services and found that only Office 365 is vulnerable to baseStriker attacks.
| I am using: | Am I Vulnerable to baseStriker? |
| Office 365 | Yes – you are vulnerable |
| Office 365 with ATP and Safelinks | Yes – you are vulnerable |
| Office 365 with Proofpoint MTA | Yes – you are vulnerable |
| Office 365 with Mimecast MTA | No – you are safe |
| Gmail | No – you are safe |
| Gmail with Proofpoint MTA | We are still in testing and will be updated soon |
| Gmail with Mimecast MTA | No – you are safe |
| Other configurations not here? | Contact us if you want us to help you test it |
Only a week after the exposure of the baseStriker vulnerability, researchers have discovered relevant examples of use in the wild. Hackers use this vulnerability to send phishing attacks and distribute ransomware, malware, and other malicious content. Avanan has contacted Microsoft and reported the findings, but Microsoft has not yet given feedback.
Source: bleepingcomputer
