Hackers Find Ways Around A Years-Old Microsoft Outlook Fix

Admin  |  2019-12-06

A Patched Outlook Flaw Continues to Endanger Email Security

Email has long been a major weak link in security; the Democratic National Committee and Hillary Clinton's campaign were both infamously compromised by Russian hackers through email-based phishing attacks ahead of the 2016 US elections. With the 2020 campaign now in full swing, a patched flaw in Microsoft Outlook still gives attackers an opening.

First disclosed and fixed in October 2017, the bug is in a little-known Outlook feature called the Home Page. Hackers realized that if they could get someone's account credentials, they could exploit a flaw in Home Page to load malicious content. From there, they could remotely run exploit code to break out of Outlook's defenses and control a device's operating system. The whole attack is inconspicuous, because it looks like legitimate Outlook traffic. Once it's set up, the back door persists even after the compromised device is rebooted.

Though Microsoft originally labelled the vulnerability as low severity, security firms quickly warned that they had seen evidence of nation-state abuse. In October 2019, Microsoft said that Iranian hackers had targeted the Office 365 email accounts of a 2020 presidential campaign. FireEye says that it has continued to see active exploitation of the Home Page vulnerability from a number of different actors.

“We’re seeing defenders not really understand it—this is actually pretty hard to find for security companies as well. It's something we’re seeing pretty often in the wild with no effective mitigations or patch for the exploit.”

— Nick Carr, Director of Adversary Methods at FireEye

Microsoft issued a fix for the bug in 2017, but researchers have found that there are easy ways to essentially undo the fix's registry changes, or route around them, even after the patch is installed.

“There is a patch and it does disable some of the functionality. Mostly it hides the ability to configure a Home Page URL setting... but it can be re-enabled. And even with the patch... there are still other ways to invoke this Home Page behaviour.”

— Matthew McWhirt, Senior Manager at FireEye Mandiant

In one example, an intrusion spotted by FireEye wasn't from a nation-state but from a "red team"—hackers hired to find weaknesses. The "attack" came from the penetration testing firm TrustedSec.

“We've been using Outlook Home Page attacks for several years in our red team engagements. Our goal is to use real-world attacks... and Home Page attacks largely go unnoticed in almost every organization.”

— Dave Kennedy, Founder & CEO, TrustedSec

FireEye's Carr also points out that defenders may be focused on cloud services like Office 365, while desktop applications like Outlook can add local network exposure. Kennedy of TrustedSec added that while he was glad FireEye raised awareness, he joked about them finding his team's technique.

“I’m still ticked that they found our technique and we lost our code. That’s the game, though, and these types of attacks are just examples of what’s possible from an attacker that has access to a vast amount of resources.”

— Dave Kennedy, laughing