A security flaw has been identified in Microsoft 365’s anti-phishing tool, potentially putting users at risk of malicious email attacks. The ‘First Contact Safety Tip’ feature in Microsoft Outlook, designed to alert users when receiving emails from new contacts, is impacted.
Mechanism of the Flaw
In Outlook, the ‘First Contact Safety Tip’ feature adds a warning within the email’s HTML body to alert users about new senders. Researchers at Certitude found a way to make this warning disappear using specific CSS rules embedded within the HTML.
By altering the CSS, such as font color and size, background color, and hiding anchor tags, attackers can render the warning message hidden from view, increasing the possibility that users might open harmful emails. Despite the safety tip appearing in the email preview, it vanishes in the email body due to these manipulations.
Spoofing Encrypted Email Indicators
Certitude’s findings also indicate that attackers can fake the icons for encrypted or signed emails in Microsoft Outlook. By adding particular HTML code, emails can falsely appear secure, though differences in formatting may exist, potentially duping less attentive users.
Certitude reported this vulnerability through the Microsoft Researcher Portal. Although Microsoft acknowledged the issue, they mentioned that it does not warrant immediate action and has marked it for future review, noting its relevance to phishing.
Research and Reporting
Researchers William Moody and Wolfgang Ettlinger from Certitude conducted the study. They have not encountered real-world exploitation of this flaw or found a method to exploit HTML to show arbitrary text in emails. Detailed information is available in their report on Certitude’s website.
This vulnerability underscores challenges in securing email communications. The exploit’s success hinges on deceiving at least a few recipients, highlighting the necessity of diligence and continual security updates.
The ‘First Contact Safety Tip’ is a part of the anti-phishing suite within Exchange Online Protection (EOP) and Microsoft Defender for Office 365. Despite this exploit, some CSS rules like display: none and opacity: 0 do not work on the table, but manipulating background and font colors to white effectively hides the alert.
Last Updated on November 7, 2024 3:22 pm CET