#BadWinmail – a new APT attack vector threatening email in the enterprise

News by Roi Perez

An exploit has been found in Microsoft's Outlook email suite that can infect a machine simply by having the end user view an email in a special format.

Security researcher Haifei Li has released a report describing a new threat vector affecting Microsoft's email suite Outlook. With the technique, named #BadWinmail, Li has shown that a user's machine can be infected simply by opening or previewing a bad email.

According to Li, the exploit is currently possible through Transport Neutral Encapsulation Format (TNEF), a Microsoft-invented email format supported by Outlook. TNEF content is sent as an email attachment: if an email has a "Content-Type" field set to "application/ms-tnef" and the filename is “winmail.dat”, the content will execute automatically.

Li explains that when the value of "PidTagAttachMethod" is set to ATTACH_OLE (6) in the TNEF email, the attachment file (which is a file contained in the winmail.dat file) will be rendered as an OLE object. Attackers could “build” a TNEF email with a malicious winmail.dat that contains an OLE object and send it to the user; when the user reads the email, the embedded OLE object would be executed automatically.
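A mail-gateway triage check for the indicators described above, as an added example that is not from Li's report or from Microsoft: it flags MIME parts declared as application/ms-tnef, named winmail.dat, or starting with the TNEF signature, and uses a heuristic byte search (not a full TNEF parser) for PidTagAttachMethod set to ATTACH_OLE. The function names and the sample message are constructed for illustration.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

# TNEF streams start with this 32-bit little-endian signature.
TNEF_SIGNATURE = struct.pack("<I", 0x223E9F78)
# PidTagAttachMethod (id 0x3705, type PtypInteger32 0x0003) with value
# ATTACH_OLE (6), as the property is laid out inside a TNEF stream.
ATTACH_OLE_PATTERN = struct.pack("<HHI", 0x0003, 0x3705, 6)

def triage_tnef(raw_message: bytes) -> list:
    """Return one finding per MIME part that looks like TNEF."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        declared = part.get_content_type() == "application/ms-tnef"
        named = (part.get_filename() or "").lower() == "winmail.dat"
        magic = payload.startswith(TNEF_SIGNATURE)
        # Any single indicator is enough: a renamed or mislabelled part
        # still carries the signature, and vice versa.
        if declared or named or magic:
            findings.append({
                "filename": part.get_filename(),
                "declared_tnef": declared,
                "named_winmail": named,
                "tnef_signature": magic,
                # Heuristic: byte search, not a full TNEF property parse.
                "attach_ole": magic and ATTACH_OLE_PATTERN in payload,
            })
    return findings

def build_sample(subtype: str, filename: str, blob: bytes) -> bytes:
    """Constructed test message; the blob is inert filler, not a real TNEF file."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    msg.add_attachment(blob, maintype="application", subtype=subtype,
                       filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    ole_blob = TNEF_SIGNATURE + b"\x00\x00" + b"\x00" * 16 + ATTACH_OLE_PATTERN
    for finding in triage_tnef(build_sample("ms-tnef", "winmail.dat", ole_blob)):
        print(finding)
```

A finding with `attach_ole` set is a candidate for quarantine or for stripping the attachment before delivery; a part that carries the signature under another name or Content-Type is worth flagging in its own right.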

Theoretically, all the attacker needs to know is the victim's email address, which makes this an ideal attack technique for targeted/APT attacks: not only is there no sandbox on Outlook, but the attacker can also take control of the victim's computer immediately.

It should be noted that, according to Li's report, the Office team has been alerted to the problem and has fixed the issue in Microsoft's Security Bulletin MS15-131 (CVE-2015-6172). Li has released the report to highlight the risk that remains if end-user machines are not all patched.

For users who are not able to apply the official patch for some reason, Li advises following the workarounds in MS15-131, which suggests reading emails in plain text only.

Li is calling it a “killer” exploit-delivery method because the usual tricks, such as delivering via email attachments or via URLs (in email bodies), require additional user interaction and are protected by various application sandboxes.
