pFragments Microsoft Office exploit resurfaces again
pFragments Microsoft Office exploit resurfaces again

Microsoft's Office 365 has been found vulnerable to an attack methodology that enables malicious links to sneak past most of the product's cyber-security defences by essentially splitting off the dangerous part of the link to it is not spotted.

The cloud-security firm Avanan reported testing this flaw, called baseStriker, against Office 365, Office 365 with ATP and Safelinks, Office 365 with Proofpoint MTA, Office 365 with Mimecast MTA and Gmail and found only the Mimecast and Gmail are protected. Those using the other configurations are all vulnerable. Microsoft and Proofpoint have been informed, Avanan said.

This claim is partially disputed by Proofpoint.

Avana told SC Media, “baseStriker is being used to spread phishing attacks. The vulnerability is being used by hackers to send more effective attacks. This method allows someone to send most any web link through MSFT servers without it getting scanned. This link could point the user to a phishing site or to a file that downloads malware or ransomware.”

BaseStriker is able to penetrate Office 365 by essentially confusing APT, Safelinks or other cyber-defences by splitting and hiding the malicious link using a <base> URL tag. The malicious link is included in an email, but instead of being part of the primary link it is separated as is seen in the two examples provided by Avanan:

Next

“In this example, Office 365 only performs the lookup on the base domain, ignoring the relative URL in the rest of the body. Because only part of the URL is tested, it mistakenly appears to not exist in the malicious URL database and the email is let through,” the report stated.

Avanan said Microsoft and Proofpoint were informed of the issue, which Proofpoint confirmed.  

“We absolutely have the ability to block base URLs on our gateways for concerned customers – that said, there is legitimate mail that uses the technique (including from banks) so this may not be the right choice for every organisation,” Proofpoint's Ryan Kalember, senior VP of cyber-security strategy told SC Media.

Kalember added that Proofpoint has not seen significant use of this attack vector in the wild; it employs many layers of defence against malicious email content including guarding against, URL reputation and URL rewriting.

A Microsoft spokesman said in response to an SC Media query for comment on this issue, "Microsoft has a customer commitment to investigate reported security issues and provide resolution as soon as possible. We encourage customers to practice safe computing habits by avoiding opening links in emails from senders they don't recognise.”

Avanan said there is no fix for this problem, but recommends users implement two-factor authentication. This won't stop malware from being installed, but could resist attempts at credential harvesting by the malicious actors.