Email has long been a major security risk. The Democratic National Committee and Hillary Clinton's campaign were compromised by Russian hackers through email phishing attacks ahead of the 2016 US election. And while the 2020 campaign is in full swing, a bug in Microsoft Outlook that was patched years ago still leaves an opening for attackers.
The bug was first disclosed and fixed in October 2017. It involves Outlook's home page, a tab that acts as a user's home screen and loads external content from, for example, a corporate web server or even a public website. In practice, many Outlook users have no idea the home page exists, because they open Outlook for their inbox. Hackers, however, realized that once they had obtained an account's credentials, they could abuse the home page to load malicious content. From there, they could remotely run exploit code to break out of Outlook's defenses and take control of the device's operating system. The whole attack is inconspicuous, since it looks like legitimate Outlook traffic. Once set up, the backdoor persists even after the vulnerable device is restarted.
Although Microsoft originally rated the vulnerability 201
"We see defenders do not really understand this – for security, this is actually a pretty hard-to-find business," says Nick Carr, director of adversary methods at FireEye. "It's something that we see quite often in nature, with no effective remedies or patches for the exploit."
So, about this patch. Microsoft released a fix in 2017, which understandably gives the impression that companies and campaigns need not worry about the threat as long as their Outlook is up to date. The update essentially reduces the home page's functionality by making changes to the Windows Registry, the database of settings for the underlying operating system and other apps. Researchers have found, however, that even after the patch is installed, there are easy ways to undo or bypass those registry changes. Microsoft did not respond to WIRED's request for comment.
"There is a patch that disables some of the features," says Matthew McWhirt, senior manager at FireEye Mandiant. "Mostly, it hides the ability to configure a homepage URL setting in the Outlook UI, but it can be re-enabled, and even with the patch there are other possibilities, even if you have not removed any of its protections, to access the homepage. We have listed some additional hardening measures we recommend to defenders."
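The article describes the patch as a set of Windows Registry changes that an attacker can quietly revert, and FireEye as recommending extra hardening on top of it. The script below is an added example for defenders, not code from WIRED, FireEye or Microsoft: it audits the current user's Outlook registry hive for folder home page URLs and for the settings that re-enable the feature, so that a reverted patch shows up in an inventory or endpoint sweep. The registry paths and value names (`WebView\<Folder>\URL`, `EnableRoamingFolderHomepages`, `NonDefaultStoreScript`) and the Office version numbers are assumptions drawn from Microsoft's and FireEye's public documentation; confirm them against the documentation for the Outlook build you run.

```powershell
# Added example: audit Outlook home page settings for the current user.
# Assumptions (verify for your Outlook build): home page URLs live under
# HKCU\Software\Microsoft\Office\<ver>\Outlook\WebView\<Folder>\URL, and the
# 2017 fix is governed by EnableRoamingFolderHomepages / NonDefaultStoreScript
# under ...\Outlook\Security (user hive) or the matching Policies hive.
param(
    [string[]]$OfficeVersions = @('14.0', '15.0', '16.0')   # assumed version list
)

$findings = @()

foreach ($ver in $OfficeVersions) {
    # 1. Any folder with a configured URL means Outlook will load external
    #    content for that folder's home page.
    $webView = "HKCU:\Software\Microsoft\Office\$ver\Outlook\WebView"
    if (Test-Path $webView) {
        foreach ($folder in Get-ChildItem -Path $webView -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $folder.PSPath -ErrorAction SilentlyContinue
            if ($props -and $props.URL) {
                $findings += [pscustomobject]@{
                    Version = $ver
                    Key     = $folder.PSPath -replace '^.*::', ''
                    Setting = 'URL'
                    Value   = $props.URL
                    Note    = 'Folder home page points at external content'
                }
            }
        }
    }

    # 2. The hardening values: a non-zero EnableRoamingFolderHomepages or
    #    NonDefaultStoreScript indicates the patch's restriction was switched
    #    back on, which is exactly the reversal the article warns about.
    $securityKeys = @(
        "HKCU:\Software\Microsoft\Office\$ver\Outlook\Security",
        "HKCU:\Software\Policies\Microsoft\Office\$ver\Outlook\Security"
    )
    foreach ($key in $securityKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in @('EnableRoamingFolderHomepages', 'NonDefaultStoreScript')) {
            $val = $props.$name
            if ($null -ne $val -and $val -ne 0) {
                $findings += [pscustomobject]@{
                    Version = $ver
                    Key     = $key -replace '^.*::', ''
                    Setting = $name
                    Value   = $val
                    Note    = 'Home page restriction from the 2017 fix appears re-enabled'
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Outlook home page URLs or re-enabled home page settings found for this user.'
    exit 0
}

# Print a table for a human and return the objects for a collection pipeline.
$findings | Format-Table -AutoSize
Write-Warning ("{0} finding(s): review the listed keys and compare the URLs against an allow-list." -f $findings.Count)
$findings
exit 1
```

Run it under each interactive user's context (the settings are per-user, so a machine-wide sweep has to load or enumerate the HKU hives) and feed the returned objects into whatever endpoint inventory you already keep; a non-zero exit code makes it easy to flag hosts from a scheduled job. Absence of findings does not prove the feature is disabled, since the article notes there are other ways to reach the home page even with the patch's protections intact.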
FireEye's article presents an example of a recent exploitation of the Outlook home page that the company discovered in the wild. It is a particularly good example of a clever way around the Microsoft patch, and it also highlights how many variations are possible, an indication that attackers can rely on this technique for a long time to come. As it turned out, however, this intrusion was not the work of a nation-state. Instead, it came from a red team, a group of hackers hired by a company or other organization to find vulnerabilities in its digital defenses.