Outlook Security Feature Bypass Allowed Sending Malicious Links

A Trustwave researcher has discovered a new technique to completely bypass a security feature of Microsoft Outlook and deliver a malicious link to the recipient.

The new technique, Trustwave SpiderLabs lead threat architect Reegun Richard Jayapaul explains, is a variation of a vulnerability that was initially addressed in February 2020.

Tracked as CVE-2020-0696, the initial Outlook security feature bypass would allow an attacker who uses Outlook for Mac to send specially crafted malicious links to a victim on Outlook for Windows and bypass the email delivery system’s URL protection feature.

Described as the improper handling of URI format parsing, the bug allowed an attacker on Outlook for Mac to create a legitimate link that is hyperlinked with something like file:///malciouslink (and variations such as file:/, file:, \, ///, //, or /) and send it to the victim.

If the victim clicked on the link in Outlook for Windows, the email client automatically translated it to http://malciouslink, resulting in a successful attack. The attack was tested successfully in Outlook with the Safelinks feature enabled, as well as with other email security systems.

“When we send the above vector with hyperlink file:///trustwave.com, the email is delivered on the victim’s ‘Microsoft Outlook for Windows’ as file:///trustwave.com. The link file:///trustwave.com then translates to http://trustwave.com after clicking,” the researcher explains.

He later discovered that the vulnerability could also be exploited if the legitimate link is hyperlinked with “http:/://maliciouslink”, as the email system will strip the “:/” and deliver the link to the victim as “http://maliciouslink.” This attack works on both the Windows and macOS Outlook clients.

“This secondary bypass method was fixed by Microsoft during the summer of 2021, and the new update makes the URL accessible or proxied through Safelinks,” Jayapaul concludes.

Microsoft patched the vulnerabilities with client-side fixes and Outlook is automatically updated by default. However, if users have disabled automatic updates and haven’t manually updated Outlook, the method still works.