SECURITY RESEARCHERS have uncovered the 'largest ever' flaw in Office 365, which they claim enables hackers to bypass Microsoft's security defences to send malicious emails.
Dubbed BaseStriker by researchers at security firm Avanan, the flaw affects the way that Office 365 servers handle incoming emails.
"We recently uncovered what may be the largest security flaw in Office 365 since the service was created," said researcher Yoav Nathaniel.
"Unlike similar attacks that could be learned and blocked, using this vulnerability, hackers can completely bypass all of Microsoft's security, including its advanced services - ATP, Safelinks, etcetera."
Nathaniel explained that the bug affects the HTML 'base' tag, which developers use to generate a base URL for links throughout an HTML page.
As Mozilla explains, these tags are "used throughout the document for relative URL addresses.
"If this attribute is specified, this element must come before any other elements with attributes whose values are URLs. Absolute and relative URLs are allowed," it explains.
Hence, once a base URL is established, the rest of the HTML only needs to specify a relative path (such as /office365/image) - for example, for a series of images.
However, according to the Avanan researchers, base URLs are unsupported by Office 365's security systems, which represents a loophole that hackers have started exploiting.
Essentially, they can create rich-text-formatted emails that set a base URL and follow it with a series of malware-laden relative links, which would slip through Office 365's defences.
"The attacker sends a malicious link, which would ordinarily be blocked by Microsoft, past their security filters by splitting the URL into two snippets of HTML: a 'base' tag and a regular 'href' tag," explained the company.
When a user receives the dodgy email, these links would look genuine. And if they clicked on one, it would take them to the correct page.
But the issue here is that Microsoft's Advanced Threat Protection (ATP) and Safelinks systems do not have the ability to scan and merge base URLs and check them accordingly.
"When scanning this, Office 365 sees the malicious URL, performs a lookup against a list of known bad links, and blocks it. Office 365 Safelink, for customers that purchased ATP, also replaces the URL with a Safelink URL and prevents the end-user from going to the phishing site," it added.
"This email, however, has the same malicious link presented to the end-user but is let through because the email filters are not handling the 'base' HTML code correctly."
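The check the quoted passage says was missing, as an added example that is not code from Avanan or Microsoft: a filter has to resolve each 'href' against the 'base' tag before looking it up. The hostnames, the blocklist and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LinkResolver(HTMLParser):
    """Collect <a href> values plus the document's <base href>."""

    def __init__(self):
        super().__init__()
        self.base = None   # the first <base href> is the one that applies
        self.hrefs = []    # raw href strings exactly as written in <a> tags

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if href is None:
            return
        if tag == "base" and self.base is None:
            self.base = href.strip()
        elif tag == "a":
            self.hrefs.append(href.strip())

def _parse(html_body):
    parser = LinkResolver()
    parser.feed(html_body)
    parser.close()
    return parser

def effective_urls(html_body):
    """Absolute URLs a click would reach once <base> is applied."""
    p = _parse(html_body)
    return [urljoin(p.base, h) if p.base else h for h in p.hrefs]

def flagged(html_body, blocklist):
    """Resolved URLs whose host appears on the blocklist."""
    return [u for u in effective_urls(html_body)
            if (urlsplit(u).hostname or "") in blocklist]

def naive_flagged(html_body, blocklist):
    """The failure mode: raw href strings checked without merging <base>."""
    return [h for h in _parse(html_body).hrefs
            if (urlsplit(h).hostname or "") in blocklist]

# Constructed sample with the split-link shape described above.
SAMPLE = """<html><head><base href="https://phish.example.test/"></head>
<body><a href="login/office365">Review your document</a>
<a href="https://intranet.example.test/help">Help</a></body></html>"""
BLOCKLIST = {"phish.example.test"}  # hypothetical reputation list

if __name__ == "__main__":
    print("raw href check:     ", naive_flagged(SAMPLE, BLOCKLIST))
    print("resolved href check:", flagged(SAMPLE, BLOCKLIST))
```

The raw check finds nothing because the relative href carries no hostname; only the resolved URL can be matched against a reputation list or rewritten by a link-protection service.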
Nathaniel explained that Office 365 is the only email service to be affected by the vulnerability and said that the firm has contacted Microsoft to make it aware of the flaw. µ