
baseStriker Vulnerability - Office 365


Office 365, often seen as the bastion of hope for business office activities, has recently seen a vulnerability thought to be the “largest ever” flaw in the Office 365 platform.

Known as baseStriker, this vulnerability is a zero-day exploit that enables threat actors to bypass security scans of links within Office 365 itself. It was discovered on the 1st of May 2018 by security researchers at Avanan.

Basic concepts

baseStriker derives its name from the “base” HTML tag. This tag is rarely used these days, but it is typically declared within the head of an HTML document, where it sets the base URL for relative links in the document itself.

A website would declare a base URL as follows:
<base href="https://example.com/" />

Once declared, developers can include links to content hosted on the base URL without typing the whole thing, as follows:
<img src="/images/slider/photo1.png" />

Behind the scenes, the HTML rendering engine, typically your web browser, tacks the two together to generate a fully-qualified URL.

How it works

Office 365 doesn’t support the base tag, given its low usage. Because of this, attackers craft a rich-text-formatted email with the structure below:

<!DOCTYPE html>
<html>
<head>
     <base href=https://bit.do>
</head>
<body>
by splitting the URL, the <a href="ee9mr">link</a> gets through
</body>
</html>

Outlook will render the document correctly and create a clickable link which will land the user on the intended page. Advanced Threat Protection (ATP) for Office 365 does not merge the base URL and the relative path together before the link is scanned; it scans each part separately.
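The merge step the scanner skipped can be done before any link check, as this added example shows (it is not code from Avanan, Microsoft or the original article): every link is resolved against the first base tag with Python's standard library, and messages where the base tag changes a link target are flagged. The function names and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Attributes that carry URLs a mail client may fetch or follow.
URL_ATTRS = {"a": "href", "area": "href", "img": "src", "form": "action"}


class LinkResolver(HTMLParser):
    """Collect every link in an HTML body plus the document's base URL."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.base = None   # first <base href> wins, as in browsers
        self.raw = []      # (tag, attribute value) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"].strip()
        elif tag in URL_ATTRS and attrs.get(URL_ATTRS[tag]):
            self.raw.append((tag, attrs[URL_ATTRS[tag]].strip()))


def resolve_links(html_body):
    """Return (base, [(raw, absolute)]) so the scanner sees the real target."""
    parser = LinkResolver()
    parser.feed(html_body)
    parser.close()
    links = [(raw, urljoin(parser.base, raw) if parser.base else raw)
             for _tag, raw in parser.raw]
    return parser.base, links


def uses_base_rewrite(html_body):
    """True if a <base> tag changes the target of at least one link."""
    base, links = resolve_links(html_body)
    return base is not None and any(raw != full for raw, full in links)


# Constructed sample mirroring the structure shown above.
SAMPLE = """<!DOCTYPE html><html><head><base href="https://bit.do"></head>
<body>by splitting the URL, the <a href="ee9mr">link</a> gets through</body></html>"""

if __name__ == "__main__":
    print(resolve_links(SAMPLE))      # the merged URL is what should be scanned
    print(uses_base_rewrite(SAMPLE))  # a cheap triage signal for mail filters
```

The absolute URL in each pair is the value to hand to a reputation or sandbox check; the presence of a base tag in an email body is itself worth logging, given how rarely the tag is used.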

I Am Using | Am I Vulnerable?
Office 365 | Yes
Office 365 with ATP and Safelinks | Yes
Office 365 with Proofpoint MTA | Yes
Office 365 with Proofpoint MTA | No, you're safe
Gmail | No, you're safe
Gmail with Proofpoint MTA | Still in testing
Gmail with Mimecast MTA | No, you're safe

(Cimpanu, 2018)

Bibliography

Cimpanu, C. (2018, May 8). Office 365 Zero-Day Used in Real World Phishing Campaigns. Retrieved from Bleeping Computer: https://www.bleepingcomputer.com/news/security/office-365-zero-day-used-...