Microsoft Outlook bug let hackers bypass email security protections
A bug in Microsoft Outlook for Mac allowed malicious actors to use the email service to distribute malware targeting Windows users, cybersecurity researchers have found.
Reegun Richard Jayapaul, Lead Threat Architect at Trustwave SpiderLab, revealed a recent malware campaign that bypassed a specific email security system. As it turns out – the specially crafted malicious link parsing on the security system is “weak”, he claimed.
As Jayapaul explains, this is not about detection bypass: “it is more about the link parser of the email security systems that cannot identify the emails containing the link.”
Microsoft patches the flaw
Long story short – improper hyperlink translation results in email security systems allowing malicious links through to the end-user.
When using Microsoft Outlook on Mac, if a malicious actor sends the vulnerable vector (for example, http://trustwave.com) with hyperlinked file:///maliciouslinnk, the email gets delivered as file:///trustwave.com.
The link file then translates to the http version, after clicking.
It’s this link that’s not recognized by “any email security system”, and as such, gets delivered to the victim as a clickable link.
The report further claims that “multiple email security systems” were impacted, because some were not patched, while others have “logistics issues”. He did not name any specific systems, though, but added that the attack technique remains the same for all of them.
The researcher disclosed the vulnerability to Microsoft, and has since been labeled as CVE-2020-0696. The OS maker has issued a patch, and an automatic update.
Email is, by far, the most popular attack vector for most malicious actors. It is used to distribute malware, to phish victims out of their personally identifiable data, as well as payment data. Cybersecurity researchers are constantly warning how having an antivirus and firewall will not suffice, and that consumers and professionals should not +click on links, or download email attachments, unless they are absolutely certain in the sender’s good intentions.
Audio player loading… A bug in Microsoft Outlook for Mac allowed malicious actors to use the email service to distribute malware targeting Windows users, cybersecurity researchers have found. Reegun Richard Jayapaul, Lead Threat Architect at Trustwave SpiderLab, revealed a recent malware campaign that bypassed a specific email security system. As…
Recent Posts
- Samsung may have delayed the next Galaxy S24 Ultra camera upgrades
- The next big game from Clash of Clans developer Supercell launches in May
- Apple might start developing its own AI chips – here’s what that means for Mac lovers
- Zack Snyder’s next big project for Netflix has been revealed, and it isn’t Rebel Moon Part 3
- The EPA’s new power plant pollution rule has a big, gassy hole in it
Archives
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- December 2011