Hackers Discover New Way to Bypass Microsoft’s Office 365 Security Protocols
Hackers have discovered an innovative method of getting those malicious URLs in their emails past Office 365’s security protocols. This was first revealed by Avanan, a company that deals in internet security. Avanan says that cybercriminals are now using a <base> tag in the HTML header employed with a URL to by-pass security and infect a computer with malware.
Officials at Avanan explained further. “At one time, email clients did not support the <base> tag, so every link needed to be an absolute URL. Support for relative URLs in email is a recent development and the behavior is client dependent. Older email clients will ignore the <base> tag, but web-based email clients, recent desktop clients and most mobile apps will now handle the <base> tag and recombine the URL into a clickable link.”
How Microsoft Safe Links work
Office 365’s Advanced Threat Protection provides a feature called “Safe Links” that compares a link found in an email against those on a blacklist. This feature was designed to catch and stop a malicious link. It was working well for all MS products until hackers discovered this workaround.
The new technique has been dubbed “baseStriker” and it’s aimed at those using Microsoft Outlook. Malicious messages can now bypass the filters included in Microsoft products using the <base> tag.
The new baseStriker program splits the malicious URL so that Microsoft’s product, Safe Links, cannot detect that it points to a malicious URL. Safe Links checks the base domain, ignoring the rest, thereby allowing the user to move on to the phishing site. A few security solutions do protect users against these new cyber-threats, including Mimecast and Proofpoint.
As part of Microsoft’s Office 365 Advanced Threat Protection (ATP), Safe Links was designed to provide a strong layer of protection against malicious links embedded in documents and emails. Microsoft diligently updates the software so that it consistently protects against the latest cyber threats. The software works by determining if a link is malicious, then replacing the bad link and alerting the user. Up to now, ATP has been considered state-of-the-art protection against phishing scams.
Microsoft investigation underway
Officials at Microsoft were contacted by Security Week and they issued a brief statement that said, “We encourage customers to practice safe computing habits by avoiding opening links in emails from senders they don’t recognize.” They also said they were investigating the claims about the new hack.
In the meantime, all security experts discourage users from clicking links found in emails—even if they seem to be from a reliable source. Best Practice for internet security is to always navigate to a web page the old-fashioned way. Open a new browser page and type in the web address. Get in the habit of glancing up to the browser line and making sure it says what it should. Periodic security awareness training is also recommended. This is a good way to remind users about the many phishing scams and malware that constantly threaten users.
Other email clients may be vulnerable
The baseStriker hack may be used in other email programs as well. This has caused all email service providers to begin checking to make sure their security protocols are still intact and working as expected. This is a timely reminder to everyone that crooks are constantly searching for any vulnerability they can take advantage of. New types of malware, worms, viruses, and ransomware are developed each year. Experts believe that Gmail, along with a few other email clients already have built-in protection for splitting the URL and will not be at risk.
Better security training for employees
Though all software developers are now working toward shutting down cybercriminals, every type of cyber defense utilizing technology has its weaknesses. The best methods of cybersecurity usually involve training employees about what to look for and remind them often that hackers never take a break from their work.
A new product called Second Chance offers users a way to “roll back” a decision to click a suspicious link. If the user thinks they may have clicked a bad link in a phishing email, now they can stop the process from moving forward. The software checks out any potentially unsafe link the moment you click on it. Then it informs you that you may be navigating to an unsafe website. You can then abort your actions and return to safety. While products like this do help, there are a flood of new worms, ransomware, malware, and phishing scams developed each year by cybercriminals.
Why hackers always seem to be ahead of the game
Many hackers are now backed by governments the size of China or North Korea, so they have unlimited resources to work with. A Newsweek article reports that Chinese hackers have stolen billions of dollars’ worth of secrets and data from businesses and individuals all over the world. Russia and North Korea are in second and third place when it comes to cyber-theft.
The Newsweek article states that Chinese cyber-aggression toward the United States has evolved rapidly over the last few years. Chinese hackers represent a growing threat to world economies due to their disruptive nature. Today’s battlefield is no longer on actual ground using weapons and artillery. The war is being fought online—on the internet where everyone’s data is sometimes exposed to vast criminal enterprises.