A new zero-day vulnerability known as baseStriker allows miscreants to send malicious emails that bypass security systems on Office 365 accounts.

Discovered last week, on May 1, 2018, by security researchers from Avanan, baseStriker is a flaw in how Office 365 servers scan incoming emails.

The HTML tag at the center of baseStriker

At the center of this vulnerability is the <base> HTML tag. This is a seldom used tag, but developers declare it in the <head> section of an HTML document (web page), and its purpose is to establish a base URL for relative links.

For example, a website might declare a base URL like this:

<base href="" />

Once declared, developers can include links to content hosted on the base URL without typing the whole thing, like so:

<img src="/images/slider/photo-1.png" />

Under the hood, the HTML rendering engine (usually a browser) will merge the base URL with the relative path and come up with:

Office 365 doesn't support the "base" HTML tag

The problem, according to Avanan, is that Office 365's security systems don't appear to support base URLs.

An attacker can simply send out a rich-text-formatted email with the following structure and Office 365 won't be able to scan and detect any malware hosted on the URLs.

baseStriker attack code

Outlook will render the link correctly, meaning the user will be able to click on it and land on the intended page.

But Office 365 security systems like Advanced Threat Protection (ATP) and Safelinks do not merge the base URL and the relative path together before they scan the link; instead, they scan each part separately.
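The mismatch Avanan describes is between a scanner that looks at each attribute value as written and a browser that resolves every relative link against the <base href> first. The following is an added example (not code from Avanan, Microsoft, or this article) showing what a base-aware link extractor has to do before it can check a URL against reputation or rewriting rules; the email body and the example.test domain are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LinkResolver(HTMLParser):
    """Collect href/src values and resolve them against <base href> the way a browser does."""

    def __init__(self):
        super().__init__()
        self.base = None           # browsers honour the first <base href> they see
        self.raw_links = []        # attribute values exactly as written in the message
        self.resolved_links = []   # the URLs the recipient's browser would actually fetch

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]
            return
        for name in ("href", "src"):
            value = attrs.get(name)
            if value:
                self.raw_links.append(value)
                # urljoin leaves absolute URLs alone and joins relative ones to the base
                self.resolved_links.append(urljoin(self.base or "", value))


def resolve_links(html):
    """Return (base_href, raw_links, resolved_links) for an HTML email body."""
    parser = LinkResolver()
    parser.feed(html)
    parser.close()
    return parser.base, parser.raw_links, parser.resolved_links


def hosts_seen(links):
    """Hostnames a scanner can actually evaluate; relative paths contribute none."""
    return sorted({urlparse(u).hostname for u in links if urlparse(u).hostname})


# Constructed sample message (not from the report); example.test is a placeholder domain.
SAMPLE_EMAIL = """
<html><head><base href="https://example.test/"></head>
<body><a href="/login/verify.html">Verify your account</a>
<img src="images/logo.png"></body></html>
"""

if __name__ == "__main__":
    base, raw, resolved = resolve_links(SAMPLE_EMAIL)
    print("base:", base)
    print("raw links (what a naive scanner sees):", raw, hosts_seen(raw))
    print("resolved links (what the browser fetches):", resolved, hosts_seen(resolved))
```

Run against the sample, the raw list yields no hostname at all, while the resolved list yields example.test for both links; a scanner that only sees the raw values has nothing to look up.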

Avanan says it tested various email services but found only Office 365 to be vulnerable to baseStriker attacks.

I am using:                          Am I Vulnerable to baseStriker?
Office 365                           Yes - you are vulnerable
Office 365 with ATP and Safelinks    Yes - you are vulnerable
Office 365 with Proofpoint MTA       Yes - you are vulnerable
Office 365 with Mimecast MTA         No - you are safe
Gmail                                No - you are safe
Gmail with Proofpoint MTA            We are still in testing and will be updated soon
Gmail with Mimecast MTA              No - you are safe
Other configurations not here?       Contact us if you want us to help you test it

baseStriker used in the wild

But baseStriker isn't just a random vulnerability that researchers found after weeks of pen-testing. Avanan says it discovered baseStriker as part of real-world attacks.

"So far we have only seen hackers using this vulnerability to send phishing attacks, but it is also capable of distributing ransomware, malware and other malicious content," Avanan's Yoav Nathaniel wrote in a report published today.

Nathaniel says Avanan contacted and warned Microsoft of its findings, but the company did not provide feedback on when it would fix the issue. Microsoft is scheduled today to release the Patch Tuesday security updates for the month of May 2018, although it is unclear if the company had enough time to address baseStriker.

UPDATE [May 10, 2018]: Ryan Kalember, SVP of cybersecurity strategy at Proofpoint, has provided the following statement regarding the attack, revealing that Proofpoint can detect this type of email, but that detection depends on how customers configure their servers:

"We absolutely have the ability to block base URLs on our gateways for concerned customers – that said, there is legitimate mail that uses the technique (including from banks) so this may not be the right choice for every organization. While Proofpoint Threat Operations has not identified significant usage of the technique by threat actors in the wild, we employ many layers of defense against malicious email content. URL reputation checks and URL rewriting are only one of a large set of analysis techniques used by Proofpoint’s advanced threat analytics suite, which work together to determine the potential maliciousness of an email. We will continue to monitor for the active use of this technique and can block base tag usage for concerned customers."
