The dark world is changing its attack techniques every day. As far as the Phishing attack is the concern, many users are already aware of the traditional attack method and they are also capable of handling them to some extent. The security tools on the other hand also help significantly by their prevention mechanism before the phishing emails land upon user’s mailbox.
Now, a new major security flaw has been uncovered on Microsoft Office 365 called ‘baseStriker’, which is capable of completely bypassing Microsoft’s security, including its advanced services - ATP, Safelinks etc.
The ‘base’ in baseStriker:
The HTML <base> tag specifies the base URL/target for all relative URLs in a HTML document and there can be at maximum one <base> element in a HTML document, and it must be inside the <head> element.
Look at the below two HTML scripts to understand the use of ‘base’ tag.
HTML without base tag:
The above script will be processed very normally. The processing engine will directly fetch the link written inside body tag and forward the request further.
HTML with ‘base’ tag:
On processing this request, the above two components will be merged i.e. the ‘base’ and its ‘relative path’ and processed as “https://www.mywebsite.com/images/ myimage.gif”.
What is baseStriker Attack?
Now, it is possible to craft a malicious link by utilizing the above HTML ‘base’ tag feature. An attacker will split the malicious link – putting the base URL into ‘base’ tag and another component into HTML body. On processing such request, if the engine ignores the ‘base’ and only examine the HTML body, will end up processing the malicious link further.
How Office-365 is vulnerable to baseStriker?
There is a ‘Safe Link’ feature in Office 365 as part of Microsoft's Advanced Threat Protection (ATP) solution. It works perfectly on the traditional phishing URLs. For an incoming email containing any link, it inspects the link for any malicious redirection. The user being sent to a Microsoft owned domain, where it immediately checks the original URL for anything suspicious and warns the user accordingly (if required).
Unfortunately, Office 365 does not support HTML ‘base’ tag inspection. Hence, for an email contains a crafted malicious link (as described above), Office 365 safe link feature ignores the ‘base’ tag and only inspect the URL’s other component that is present inside HTML body. As this component looks harmless, it lands up processing and forwarding the request further without any warning to a user. As the user trusts the internal security (which is unfortunately bypassed already), they will visit the malicious site which could lead to the distribution of ransomware, malware etc.
- Multi-factor authentication – By enabling multi-factor authentication adds another security level limiting the possibility account take over.
- Staying vigilant – The ‘Think again before clicking’ awareness. The general security awareness on Phishing email by inspecting the sender email ID, email content, purpose etc.
Authored By - Magrabur Alam Sofily
TCS Cyber Security Practice