Hackers found a way to bypass Microsoft Office 365 Safe Links

Security researchers have just revealed how hackers overcome Microsoft Office 365's Safe Links security feature, used to protect users from malware and phishing attacks.

Safe Links is included in Office 365 software, located in Microsoft's Advanced Threat Protection (ATP) solution, replacing all the URLs in email with Microsoft's secure URL.

When the user clicks on the link in the email, it will be sent to the domain name for Microsoft owned to check the origin of the URL. If it detects malicious code, it will warn the user and if not, will redirect the user to the original link.

However, researchers at Avanan cloud security company have revealed how to use this feature using a technique called baseStriker.

BaseStriker uses the tag in the header of the HTML email, used to define the default URL or URL for related links in the website or text.

If the URL is defined, all related links will then use that URL as a prefix.

Traditional scam

BaseStriker attack type

As shown in the above two pictures, when using a card to separate the infected link, Safe Links cannot identify and replace the link, and the user is still taken to the infected page when clicked.

Researchers have tried using baseStriker and said 'anyone who uses Office 365 with any installation settings is likely to be affected', whether web, mobile or installed on the destkop.

Proofpoint is also likely to be affected. Gmail users or using Office 365 with Mimecast are not.

See more:

1. Microsoft Office 365 version is supported against blackmail
2. Hackers are using new Microsoft Office vulnerabilities to distribute malware
3. Hacker exploited three vulnerabilities in Microsoft Office to spread Zyklon malware