Researchers have come across a security flaw in the way Office 365 email filters are designed to handle HTML code which has resulted in hackers getting malicious links into the mailboxes of end users. The hackers used an incredibly simple trick to get malicious URLs to bypass Office 365 mail filters, by splitting up the malicious links by using a <base> URL tag.For example, a spam email campaign is sent out with a URL that is known to be malicious:
Normally, when Office 365 scans the email it identifies the malicious URL and blocks it. However, by splitting the link, the hackers trick Office 365 into looking at the base domain only and unless the whole domain is blacklisted, the spam email with the malicious link will slip through the filters. Worryingly, even Microsoft's Advanced Threat Protection (ATP) and Safelinks systems do not have the ability to scan and merge base URLs, and check they are safe.
According to researchers, the vulnerability will affect everyone using Office 365, except those who are using a third-party email security service such as Topsec Email Security, whose Blended Threats service re-writes every URL contained within every email it filters so that every time an end user clicks on a URL it checks that the URL is safe before serving the web page.
Hackers continue to search to find holes and flaws in services such as Microsoft Office 365 so it is vital you put as many layers of security in place as your budget will allow.