Just by previewing a message you could trigger the attack

Security researchers have discovered a way of making Microsoft Outlook run Visual Basic code and launch a command shell.

According to a blog post by Sensepost, as other forms of attack using Outlook rules were blocked by Microsoft, researchers began looking for other interesting attack vectors.

Etienne Stalmans, senior security analyst at Sensepost, found that Outlook's forms functionality can embed Visual Basic code and has an engine to process this code that is separate from the macro script engine that is normally disabled by default for security reasons. This means that while macro attacks are blocked, this other engine can still be used by attackers.

Stalmans sifted through the forms function and found that by enabling the developer ribbon and selecting ‘design a form’, he could hover over the icon which looks like a form and magnifying-glass and get a pop-up message, ‘View Code – Edit the Visual Basic code for a control’.

“Once you open up the code viewer, you will see a very basic text editor with two options under the script menu, namely Event Handler and Object Browser. That is it; you need to figure out the rest by yourself (unlike the nice VBA editor that ships with Office). Selecting the Event Handler, pick the Open option and VBScript will be inserted to handle the on_open event for this form,” he said.

He added that when the script editor is closed the form can be run. This is done by using the Run this form button, found right below the View Code button. “Immediately a MsgBox will pop up, along with the new form!” he said.

And this was with macros disabled in Outlook. Having a full VBScript engine available allowed Stalmans to open a command shell and run applications.

To trigger a form remotely, an attacker would have to craft his message carefully.

“To do this through Outlook, you will need to create a form with the same message class as the one you have created on your target's mailbox, and then send an email using that form. Convoluted, I know,” said Stalmans.

He also found some other forms and where they were stored (which was undocumented). Investigations unearthed some hidden features.

“For example, setting the PidTagSendOutlookRecallReport to true would hide the form from the user interface. This means the new form won't show up under custom forms in the new item menu. To discover the new form, a user would need to go into the advanced options tab in Outlook, navigate to forms, select the inbox and view the list of forms (unlikely),” he said.

He eventually created a form with multiple triggers within an email.

“The payload will be called if the message is read (previewer), opened (not previewed) or if the user attempts to reply or forward the message. This means that the user needs to at least preview the message. 

“Alternatively, you need a slight amount of social engineering, where the attacker needs to either get the user to open the message or to reply to it. A nice side effect is that the user will inadvertently trigger the payload if they try to ‘forward’ it to the incident response team,” he said.
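Because the form's script runs inside Outlook itself, the command shell it launches appears in endpoint telemetry as a child process of outlook.exe, and that process lineage is the most direct detection a defender has, whatever the trigger (preview, open, reply or forward). The following is an added example, not code from the article or from Sensepost's research: it scans constructed JSON process-creation records for a shell or script host spawned by Outlook. The field names (`parent_image`, `image`, `cmdline`) and the sample events are assumptions chosen for illustration, and the list of child processes is a starting point to tune, not a definitive set.

```python
import json

# Shells and script hosts Outlook has no ordinary reason to start.
# Illustrative set (assumption); extend or trim for your environment.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Constructed process-creation events, one JSON object per line.
# These are NOT real telemetry; the schema is an assumption loosely
# modelled on EDR / Sysmon-style process-creation records.
SAMPLE_EVENTS = [
    r'{"ts":"2000-01-01T09:00:01Z","host":"WS01","parent_image":"C:\\Program Files\\Microsoft Office\\Office16\\OUTLOOK.EXE","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c placeholder"}',
    r'{"ts":"2000-01-01T09:00:02Z","host":"WS01","parent_image":"C:\\Program Files\\Microsoft Office\\Office16\\OUTLOOK.EXE","image":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE","cmdline":"WINWORD.EXE attachment.docx"}',
    r'{"ts":"2000-01-01T09:00:03Z","host":"WS02","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe"}',
    r'{"ts":"2000-01-01T09:00:04Z","host":"WS03","parent_image":"C:\\Program Files\\Microsoft Office\\Office16\\OUTLOOK.EXE","image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe placeholder.vbs"}',
    "this line is deliberately malformed and must be skipped",
]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_outlook_spawned_shell(event):
    """True when outlook.exe is the parent of a shell or script host.

    Outlook launching Word or Excel to open an attachment is normal and
    is not flagged; only the interpreters in SUSPICIOUS_CHILDREN are.
    """
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    return parent == "outlook.exe" and child in SUSPICIOUS_CHILDREN


def scan(lines):
    """Parse JSON-lines process events and return the flagged ones.

    Malformed lines are skipped rather than aborting the scan, so one
    bad record in a log export does not hide the others.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_outlook_spawned_shell(event):
            findings.append({
                "ts": event.get("ts"),
                "host": event.get("host"),
                "child": basename(event.get("image", "")),
                "cmdline": event.get("cmdline", ""),
            })
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['ts']} {hit['host']}: outlook.exe -> {hit['child']} "
              f"({hit['cmdline']})")
```

Run as a script it prints the two constructed hits (cmd.exe and wscript.exe under Outlook) and ignores the benign Word launch, the Explorer-spawned shell and the malformed line. The same lineage check translates directly into a query for whatever EDR or SIEM holds the real process-creation data.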

In a statement, Microsoft said that the technique described in the blog is “not a software vulnerability and can only be leveraged using an account that has already been compromised by another method”.

“We encourage customers to set strong passwords, not share those passwords across multiple services and enable security features such as multi-factor authentication to help keep them protected,” said a spokesperson.

Israel Barak, CISO at Cybereason, told SC Media UK that the researcher is pointing out a “feature” of Microsoft Outlook that can be leveraged by attackers, and not a product vulnerability per se. “In this particular case, Outlook is providing the described functionality ‘by-design’. Therefore, the researcher was not necessarily ethically obligated to report this as a product vulnerability to the vendor and withhold its publication,” he added.

Rick McElroy, security strategist at Carbon Black, told SC that there's no indication that proper responsible disclosure occurred on this attack.

“That being said, we don't know if the team tried proper disclosure procedures and were ignored by the manufacturer. This has happened in the past,” he said.

“Teams do the research, submit to the vendor and the vendor either ignores the information or refutes the finding. Teams should work as hard as possible to disclose vulnerabilities and give the manufacturer a chance to address the vulnerability first. If you are committed to the defensive side of the house, disclosure is crucial to ensuring systems are patched prior to release of the research.”

Elliott Thompson, security consultant at SureCloud, told SC that the attack requires access to a user's email account, and multi-factor authentication would make gaining this access more difficult. “These measures should be combined with standard protections for blocking phishing attempts and training to reduce password sharing,” he said.