Microsoft Outlook bug let hackers bypass email security protections

News
By
published

Don't click on shady email links, Outlook users warned

One Outlook 2021 running on Windows 10 PC
(Image credit: Shutterstock)

A bug in Microsoft Outlook for Mac allowed malicious actors to use the email service to distribute malware targeting Windows users, cybersecurity researchers have found.

Reegun Richard Jayapaul, Lead Threat Architect at Trustwave SpiderLab, revealed a recent malware campaign that bypassed a specific email security system. As it turns out - the specially crafted malicious link parsing on the security system is “weak”, he claimed. 

As Jayapaul explains, this is not about detection bypass: “it is more about the link parser of the email security systems that cannot identify the emails containing the link.” 

Microsoft patches the flaw

Long story short - improper hyperlink translation results in email security systems allowing malicious links through to the end-user. 

When using Microsoft Outlook on Mac, if a malicious actor sends the vulnerable vector (for example, http://trustwave.com) with hyperlinked file:///maliciouslinnk, the email gets delivered as file:///trustwave.com.

The link file then translates to the http version, after clicking. 

It’s this link that’s not recognized by “any email security system”, and as such, gets delivered to the victim as a clickable link. 

The report further claims that “multiple email security systems” were impacted, because some were not patched, while others have “logistics issues”. He did not name any specific systems, though, but added that the attack technique remains the same for all of them. 

Read More

> Windows 11 is getting a fresh new email app

>  How to reclaim 30 hours of work per week by checking email for seven minutes

> This Outlook email update will give your calendar a splash of color

The researcher disclosed the vulnerability to Microsoft, and has since been labeled as CVE-2020-0696. The OS maker has issued a patch, and an automatic update. 

Email is, by far, the most popular attack vector for most malicious actors. It is used to distribute malware, to phish victims out of their personally identifiable data, as well as payment data. Cybersecurity researchers are constantly warning how having an antivirus and firewall will not suffice, and that consumers and professionals should not +click on links, or download email attachments, unless they are absolutely certain in the sender’s good intentions. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

More about security
QR Code

Hackers are targeting Signal with new QR code-linked cyberattack
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)

Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack
Alyssa Thompson of USA shoots the ball during an the international friendly women's soccer match in the build up to watching the SheBelieves Cup 2025

How to watch SheBelieves Cup 2025: live stream women's soccer tournament online from anywhere, what TV channel, streaming info
See more latest