Are you one of the 100M Office 365 email users? Recently, we learned about an Office 365 zero-day attack used in phishing campaigns called baseStriker [1]. Reported by Avanan, a cloud security company, this attack bypasses some third-party email defenses and, more importantly, bypasses Microsoft's own defenses, because of a flaw in how Office 365 servers scan links in incoming rich-text (HTML) emails that use the <base> HTML tag.

How does it work?
Web developers use the <base> HTML tag to declare a reference (base) URL; later in the same document, they write links to content hosted under that URL as relative paths, without typing the whole address each time. When a user clicks such a link, the browser merges the base URL with the relative path to produce the address it actually visits. This coding style isn't widely used, but attackers exploited it to deliver malicious emails because they knew that Office 365 does not merge the base URL and the relative path before it scans the link. Instead it scans each part separately: the base URL on its own and the relative path on its own, so the scanner never sees that the full, combined URL is malicious.

[Figure: baseStriker HTML example, showing a <base href> in the message head and a relative link in the body. Image source: see note 2.]

While some third-party email security solutions are vulnerable to baseStriker, EdgeWave security analysts have confirmed that EdgeWave ePrism is not vulnerable to this attack.
Bob Crowe, EdgeWave's SVP of Engineering, explains that during preprocessing of messages, prior to analysis, EdgeWave recombines any URLs that are broken apart in this fashion before malware scanning. Additionally, because human review is part of ePrism's security layers, an analyst never sees a partial URL when looking over a sample. So current and future customers can rest easy knowing EdgeWave provides comprehensive protection for Office 365 emails.
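The following is an added example, not code from EdgeWave, Avanan or Microsoft. It illustrates both the "How does it work?" explanation above and the recombination step described in the previous paragraph: a small Python scanner that extracts every link from an HTML email body, then either resolves each relative href against the message's <base href> (what a browser does, and what a scanner must do) or ignores <base> (the flawed behaviour described above). The sample email body, the hostname malicious.example and the blocklist are constructed for the demonstration and are not real indicators.

```python
"""Resolve <base>-relative links in an HTML email body before scanning.

Added example (not EdgeWave, Avanan or Microsoft code). The sample email,
the hostnames and the blocklist below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the baseStriker pattern, a <base> element in <head>
# and a relative href in <body>. malicious.example is a placeholder host.
SAMPLE_EMAIL_HTML = """\
<html>
  <head><base href="http://malicious.example/phish/"></head>
  <body>
    <p>Your mailbox is almost full.</p>
    <a href="login.html?acct=123">Click here to free up space</a>
    <a href="https://support.example.com/help">Help</a>
  </body>
</html>
"""

# Constructed blocklist standing in for a URL-reputation lookup.
BLOCKED_HOSTS = {"malicious.example"}


class LinkCollector(HTMLParser):
    """Collects the first <base href> and every <a href> in document order."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            # Browsers honour only the first <base> element in a document.
            self.base = attrs["href"]
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])


def extract_links(html, resolve_base=True):
    """Return the link targets a browser would actually navigate to.

    With resolve_base=False the function mimics the flawed scanner the post
    describes: <base> is ignored and each href is returned as written, so a
    relative path never carries the malicious host.
    """
    parser = LinkCollector()
    parser.feed(html)
    if not resolve_base or parser.base is None:
        return list(parser.hrefs)
    # urljoin leaves absolute URLs untouched and prefixes relative ones.
    return [urljoin(parser.base, href) for href in parser.hrefs]


def is_blocked(url):
    """True if the URL's host is on the constructed blocklist.

    A bare relative path has no host, so urlsplit(...).hostname is None and
    the lookup misses, which is exactly the gap baseStriker exploits.
    """
    return urlsplit(url).hostname in BLOCKED_HOSTS


def scan(html, resolve_base=True):
    """Return the subset of extracted links that hit the blocklist."""
    return [u for u in extract_links(html, resolve_base) if is_blocked(u)]


if __name__ == "__main__":
    print("without base resolution:", scan(SAMPLE_EMAIL_HTML, resolve_base=False))
    print("with base resolution:   ", scan(SAMPLE_EMAIL_HTML, resolve_base=True))
```

Run as written, the flawed mode reports no blocked links because the scanner only ever sees "login.html?acct=123"; with base resolution the same message yields "http://malicious.example/phish/login.html?acct=123" and is caught. The same recombination should be applied before any URL-rewriting, sandboxing or reputation lookup, not only blocklisting.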

What can I do to stay protected?
While the security community is waiting for updates from Microsoft, and while the vulnerable email security vendors are scrambling to update their code so that their parsers resolve relative links against the <base> URL before scanning, organizations concerned about their Office 365 security can:

  1. Implement two-factor authentication for user logins. Two-factor authentication won't stop malware from being installed, but it does resist attackers' attempts to harvest and reuse users' login credentials.
  2. Continue to train end users to be aware of phishing emails and to be cautious when clicking links inside emails. Users should hover over a link before clicking it to check that the displayed text matches the actual destination. In general, if the link isn't familiar, doesn't align with the sender's organization, or doesn't fit the tone of the email, they should avoid clicking it altogether.