A flaw in Office 365 could have been exploited by attackers to send out malicious emails and make them look as if they were coming from a legitimate address.

The issue was discovered by Utku Sen, a Turkey-based security enthusiast known for releasing an open source ransomware called Hidden Tear for educational purposes.

Sen found the issue while testing the spam filters of email services such as Outlook 365, Gmail and Yandex. During his tests, which he conducted using the Social Engineering Email Sender (SEES) tool, the expert noticed that Yandex identified some of his phishing emails as valid and marked them with a green icon after performing a DomainKeys Identified Mail (DKIM) verification.

It turned out that the emails detected as valid came from a spoofed email address and they were forwarded through Outlook 365 to Yandex. Further analysis showed that Gmail also accepted the fake emails forwarded from Outlook as legitimate.

The method only worked with emails coming from a spoofed address. When other domains were used, the fake emails went straight to the spam folder.

Sen was unable to figure out the cause, but Reddit user “ptmb” said the problem was likely that Outlook was signing redirected messages with its own DKIM key.

“That means that instead of having an email with a proof of identity from the original sender, you received an email with a proof of identity from the ‘redirector’,” ptmb explained. “And because Outlook was blindly signing these messages it was redirecting, if the message had a fake from field saying something(at), then after Outlook blindly redirected it, it’d have a genuine DKIM signature from Microsoft by coincidence, even though the original email wasn’t from Microsoft at all.”
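The check that ptmb's explanation implies, as an added example that is not part of the article: a DKIM signature only proves which domain signed (the d= tag), so a receiver should also require that signer to align with the From: header, as DMARC does, before treating the message as vouched for. The message, domains and helper names below are constructed for illustration.

```python
"""Added example (not from the article): DMARC-style alignment between a
message's DKIM signing domain (d=) and its From: header domain. A valid
signature from an unrelated forwarder does not vouch for the From: claim."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample: a message redirected through a hypothetical service
# whose own DKIM key signed a From: header claiming a different domain.
FORWARDED_SPOOF = """\
DKIM-Signature: v=1; a=rsa-sha256; d=forwarder.example; s=sel1; h=from:to:subject; bh=AAAA; b=BBBB
From: "Billing" <billing@target.example>
To: victim@example.net
Subject: Invoice

Please see the attached invoice.
"""

def dkim_signing_domain(raw_message: str) -> Optional[str]:
    """Return the d= tag of the first DKIM-Signature header, lowercased."""
    sig = message_from_string(raw_message).get("DKIM-Signature")
    if sig is None:
        return None
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else None

def from_domain(raw_message: str) -> Optional[str]:
    """Return the domain of the RFC 5322 From: address, lowercased."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower() or None

def organizational_domain(domain: str) -> str:
    """Crude organizational domain: last two labels (no public-suffix list)."""
    return ".".join(domain.split(".")[-2:])

def dkim_aligned(raw_message: str, strict: bool = False) -> bool:
    """True only if the signer is the From: domain (strict) or shares its
    organizational domain (relaxed). Signature validity is assumed here;
    this is the extra test a forwarder-signed spoof fails."""
    d, f = dkim_signing_domain(raw_message), from_domain(raw_message)
    if d is None or f is None:
        return False
    return d == f if strict else organizational_domain(d) == organizational_domain(f)

if __name__ == "__main__":
    verdict = "aligned" if dkim_aligned(FORWARDED_SPOOF) else "NOT aligned"
    print(f"{from_domain(FORWARDED_SPOOF)} signed by {dkim_signing_domain(FORWARDED_SPOOF)}: {verdict}")
```

A real receiver would run this after cryptographic DKIM verification, which this block does not perform; a passing signature with a failing alignment is exactly the redirected-spoof case described above.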

Sen informed both Microsoft and Yandex about his findings in September. Microsoft confirmed the issue and patched it in late October, and listed the researcher on its acknowledgements page. Yandex removed the green validation icon, but it’s unclear if it was due to the expert’s report.


Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Mozilla has released Firefox Focus, an iOS app that lets you browse the Internet without having to worry who’s tracking your online activity.


The app can be used on its own, or it can be integrated with the already installed Firefox and Safari apps.

Firefox Focus blocks ad, analytics, and social trackers, as well as other content trackers (e.g. embedded videos, photo slideshows, and news article embeds that track users). It also blocks some parts of web pages from loading, or it loads them with different fonts (as it also blocks Web fonts). All of this results in faster loading of web content.

But the most important thing about this app is that it makes “private browsing” extremely easy to use.

“If you download Firefox Focus and start to browse, you will notice a prominent ‘Erase’ button in the upper right-hand corner of the screen. If you tap that button, the Firefox Focus app erases all browsing information including cookies, website history or passwords,” Denelle Dixon-Thayer, Mozilla’s Chief Legal and Business Officer, explains.

“Of course, you can erase this on any other browser but we are making it simple here – just one tap away,” she noted. “Burying the tools to clear browsing history and data behind clicks or taps means that fewer people will do it. By putting the ‘Erase’ button front and center, we offer users a simple path to healthy online behaviors — protecting their online freedom and taking greater control of their personal data.”

“We at Mozilla believe that protecting one’s privacy should be as simple as a single tap. Firefox Focus is an experiment to see what happens when we make this radically simple,” she concluded.

Help Net Security

Security researcher Kafeine says one of this week's Microsoft patches addresses a vulnerability the company has known about since last year, and that it may only have pulled the patching trigger after a spate of banking trojan attacks.

The attacks utilised the low-level flaw (CVE-2016-3351) for cloaking purposes among an arsenal of exploits.

The earliest attacks using the since-defeated exploit date back to January 2014, and it was still in use as recently as July, when it was stopped by Kafeine and others.

The most recent of the malvertising campaigns, AdGholas, sent up to a million users a day to banking trojans chosen for the victim's location.

The bug was first reported last year and only received a CVE from Microsoft in July when Proofpoint and Trend Micro collaborated on research into the AdGholas and GooNky groups.

Attackers deployed the dangerous Neutrino exploit kit before dropping Terdot.A when they detected UK victims, Gozi ISFB for Canadians, DELoader for Australians, and Gootkit for users browsing from Spain.

The commended Proofpoint malware prober says the low-level bugs fixed this week allowed the now dead Angler exploit kit gang, along with current actors AdGholas and GooNky, to reduce the likelihood their "massive, long running" malvertising campaigns would be detected.

Kafeine says it is an example of why patching small bugs is important.

"The bottom line? As much as possible, software vendors need to maintain comprehensive patching regimens, organisations and users must rethink patching prioritisations, and researchers need to look for new avenues to detect malicious activity," Kafeine says.

The flaw allowed attackers to obtain browser fingerprinting information which could help reveal if virtualised systems were used by potential targets.

Malvertising scams are known for profiling victim machines before deploying payloads in a bid to avoid white hats and extend the amount of time attack campaigns can operate undetected.

Kafeine says researchers found attacks using the flaw back in 2014 after "additional archeological work".

"Threat actors are increasingly exploiting non-critical bugs and low-level vulnerabilities that may remain unpatched for months or years at a time," Kafeine says.

"In this case, the AdGholas group used such a bug specifically to avoid detection by researcher and vendor automated systems and thus stay below the radar even while they conducted a massive, long-running malvertising operation."

The bank trojans were being dropped until Kafeine and fellow researchers reported the attacks to advertising networks whose infrastructure was being abused. ®


The Register - Security