Microsoft Outlook bug let hackers bypass email security protections

A bug in Microsoft Outlook for Mac allowed malicious actors to use the email service to distribute malware targeting Windows users, cybersecurity researchers have found.

Reegun Richard Jayapaul, Lead Threat Architect at Trustwave SpiderLab, revealed a recent malware campaign that bypassed a specific email security system. As it turns out, the security system's parsing of specially crafted malicious links is “weak”, he claimed.

As Jayapaul explains, this is not about detection bypass: “it is more about the link parser of the email security systems that cannot identify the emails containing the link.” 

Microsoft patches the flaw

Long story short: improper hyperlink translation results in email security systems allowing malicious links through to the end-user.

When using Microsoft Outlook on Mac, if a malicious actor sends the vulnerable vector (for example, http://trustwave.com hyperlinked to file:///maliciouslink), the email gets delivered as file:///trustwave.com.

Once clicked, the file:/// link translates to the http version.

It’s this link that’s not recognized by “any email security system”, and as such, gets delivered to the victim as a clickable link. 
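
A gateway-side check for the link form described above, as an added example that is not code from the article or the Trustwave report: it lists anchors whose href uses the file: scheme and derives the http URL to submit for scanning. The names, the sample message and the rule that the first path segment is the host are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample body: visible text is a web URL, href is a file: URI.
SAMPLE_BODY = (
    '<p>Invoice: <a href="file:///trustwave.com">http://trustwave.com</a></p>'
    '<p><a href="https://example.org/help">Help</a></p>'
)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href.strip(), "".join(self._text).strip()))
            self._href = None


def audit_links(html_body):
    """Return one finding per file: anchor, which an http-only parser skips."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not href.lower().startswith("file:"):
            continue
        # Assumption: the first segment after file:/// is the host that the
        # link resolves to over http once clicked, so scan that URL as well.
        host = href[len("file:"):].lstrip("/").split("/", 1)[0]
        findings.append({
            "href": href,
            "text": text,
            "text_is_web_url": text.lower().startswith(("http://", "https://")),
            "rescan": "http://" + host if host else None,
        })
    return findings
```
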

The report further claims that “multiple email security systems” were impacted, because some were not patched, while others have “logistics issues”. Jayapaul did not name any specific systems, but added that the attack technique remains the same for all of them.

The researcher disclosed the vulnerability to Microsoft, and it has since been labeled as CVE-2020-0696. The OS maker has issued a patch and an automatic update.

Email is, by far, the most popular attack vector for most malicious actors. It is used to distribute malware and to phish victims out of their personally identifiable data, as well as payment data. Cybersecurity researchers constantly warn that having an antivirus and firewall will not suffice, and that consumers and professionals should not click on links, or download email attachments, unless they are absolutely certain of the sender’s good intentions.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
