Monday, February 17, 2025
HomeComputer SecuritybaseStriker - 100 Million Email Users are Vulnerable Critical Office 365 Zero-day...

baseStriker – 100 Million Email Users are Vulnerable Critical Office 365 Zero-day Flaw

Published on

SIEM as a Service

Follow Us on Google News

A new security flaw uncovered in Office 365 dubbed baseStriker puts 100 Million Email Users at risk. With this vulnerability, attackers can bypass all the Microsoft security services including its advanced services like ATP, Safelinks, etc.

The traditional HTML email with malicious link would be blocked by Microsoft security, but hackers could bypass their security by splitting them into two snippets of HTML: a base tag and a regular href tag.

Security researchers from Avanan identified the critical vulnerability in Microsoft Office 365 email service on 5/1/2018. The name baseStriker indicates the method used by hackers used to leverage the vulnerability.

https://youtu.be/rOmFuC4rLJY

How the baseStriker attack works

The normal phishing email would be blocked when they looked up against the know badlinks and with the premium services like ATP replaces the links into safelinks.

Normally, a malicious <a href="https://bit.do/ee9mr"?link</a> is blocked

By using baseStriker method attackers can present the same link to the user bypassing the email filters as they are not handling the <base> HTML code correctly.

baseStriker

Attackers split the URL into two snippets of HTML: a base tag and a regular href tag. office 365 scan only the URL in the base domain and ignores later part of the domain that presents in the rest of the body.

Also Read Microsoft Added Ransomware Protection, Recovery & Email Encryption For Office 365 Users

According to Avanan researchers “we have only seen hackers using this vulnerability to send phishing attacks, but it is also capable of distributing ransomware, malware and other malicious content”.

Are you Vulnerable to baseStriker

They have tested the vulnerability with various environments, according to researchers “anyone using Office 365 in any configuration is vulnerable”. Gmail users are not vulnerable.

I am using: Am I Vulnerable to baseStriker?
Office 365 Yes – you are vulnerable
Office 365 with ATP and Safelinks Yes – you are vulnerable
Office 365 with Proofpoint MTA Yes – you are vulnerable
Office 365 with Mimecast MTA No – you are safe
Gmail No – you are safe
Gmail with Proofpoint MTA We are still in testing and will be updated soon
Gmail with Mimecast MTA No – you are safe
Other configurations not here? Contact us if you want us to help you test it

Mitigations

Hackers abusing this vulnerability in wide to launch phishing attacks and still there is no fix for this vulnerability.

It is recommended to have two-factor authentication enabled to avoid account take over.

Avanan reported the vulnerability on 5/2/2018 and Microsoft not yet commented about when the patches to be released addressing this vulnerability.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Ransomware Gangs Encrypt Systems 17 Hours After Initial Infection

Ransomware gangs are accelerating their operations, with the average time-to-ransom (TTR), the period between...

Stealthy Malware in WordPress Sites Enables Remote Code Execution by Hackers

Security researchers have uncovered sophisticated malware targeting WordPress websites, leveraging hidden backdoors to enable...

Xerox Printer Vulnerability Exposes Authentication Data Via LDAP and SMB

A critical security vulnerability in Xerox’s Versalink C7025 Multifunction Printer (MFP) has been uncovered,...

New XCSSET Malware Targets macOS Users Through Infected Xcode Projects

Microsoft Threat Intelligence has identified a new variant of the XCSSET macOS malware, marking...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Xerox Printer Vulnerability Exposes Authentication Data Via LDAP and SMB

A critical security vulnerability in Xerox’s Versalink C7025 Multifunction Printer (MFP) has been uncovered,...

CISA Warns of Active Exploitation of Apple iOS Security Flaw

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory warning of...

NVIDIA Container Toolkit Vulnerable to Code Execution Attacks

NVIDIA has issued a critical security update to address a high-severity vulnerability discovered in...