Microsoft’s Advanced Threat Protection (ATP) includes a feature called Safe Links. Office 365 Safe Links basically curb all the malicious links coming via phishing emails or documents. Safe Links checks the URL to see if it is blacklisted by Microsoft or any ATP customer or points to any malware. If such malicious link URL appears anywhere it is forbidden for clicking and the users are immediately informed about the same.
However, researchers at Avanan say that hackers have found a way to bypass Office 365 Safe Links by simply splitting the malicious link URL using HTML <base> tag. Here is how they are doing it:
Such an attack is termed as baseStriker attack as it exploits the <base> tag in the header of the HTML page or document. If <base> tag is defined in the header of an HTML page, all subsequent links in the HTML body will take that as starting point for constructing the full URL as shown in the above image.
The researchers tested the baseStriker attack against several configurations and found that “anyone using Office 365 in any configuration is vulnerable,” be it web-based client, mobile app or desktop application of OutLook. What makes these attacks even more interesting is that the most of the URLs used by the hackers to bypass safe links are already blacklisted by Microsoft.
Microsoft has been made aware of these attacks and the company has launched an investigation. “Microsoft has a customer commitment to investigate reported security issues and provide resolution as soon as possible,” a Microsoft spokesperson said. “We encourage customers to practice safe computing habits by avoiding opening links in emails from senders they don’t recognize.”
However, Routeget Technologies Customers are well protected & would not need to bother with this type of email phishing attack. Routeget Technologies helps in identifying spam emails as well as intruders in your system and take preventive measures. The firewalls are well equipped to keep your organization safe, up and running.