Exploit Makes it Past Office 365 Anti-Phishing Defenses

Blog Post created by user.lD9iBR438k Employee on Jan 3, 2017

Dave Hood is the Director of Technical Marketing focused on Office 365, continuity and the Mimecast API. A Mimecaster since 2015, he’s a frequent speaker and commentator on cloud collaboration.


Recently, a new attack came to light that shows the importance of using a layered security approach to protect against malicious URLs in emails.


We all know email is the preferred vector for many cybercriminals, particularly during the holiday season, when it seems like almost everyone is shopping online and getting bombarded by sales offers, shipping instructions, and purchase confirmation emails. Attackers use this flood of legitimate email as cover, and to catch unsuspecting users when their defenses are down. The particular attack referenced in this blog is, however, new.


Security Week reports the attack was directed at Office 365 business users, and exploited a vulnerability in how anti-phishing and Microsoft Safe Links determine whether a URL is safe to visit. The goal of the attackers was simple: divert Office 365 users to a fake login page to harvest their usernames and passwords. With their login credentials, attackers would have unfettered access to all Office 365 workloads of that user.


The steps of the attack are to:

  • Create a fake Office 365 login page.
  • Alter the proper URL of the page using a tool named Punycode. Punycode makes it possible to represent Internationalized Domain Names (IDNs) with a limited character set. For those who have used a URL shortener, it’s similar in concept.
  • Distribute URLs to Office 365 users using a fake email. In this case, fake FedEx emails were used to maximize opens during this season of giving.
  • Harvest Office 365 credentials as users hit the fake Office 365 page.


The key to this attack was the use of Punycode to get the URLs past Microsoft’s phishing protection (the attacker no doubt tested this method in advance, in his own instance of O365, to make sure it worked).


These types of URLs are usually blocked, but in this case, the malicious links were left accessible because of the failure of the defenses to interpret the links correctly. You can find more details at Security Week.
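A defender-side check for the failure described above, as an added example that is not from the original post or from any vendor named in it: it canonicalizes every link host to both its ACE (`xn--`) and Unicode forms before a blocklist lookup, so either spelling of a host matches. The function names, the blocklist, and the `.example` hosts are constructed for illustration, and the code uses Python's raw `punycode` codec rather than full IDNA mapping and validation.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def to_unicode(label):
    """Decode one ACE ("xn--") label; return other labels unchanged."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed ACE label: keep it, it is still flagged below
    return label

def to_ace(label):
    """Encode a non-ASCII label as ACE so every host is compared in one form."""
    return label if label.isascii() else "xn--" + label.encode("punycode").decode("ascii")

def canonical_host(url):
    """Return (ace_host, unicode_host) for a URL, or None if it has no usable host."""
    try:
        host = urlsplit(url).hostname  # already lowercased by urlsplit
    except ValueError:
        return None
    if not host:
        return None
    uni = [to_unicode(label) for label in host.rstrip(".").split(".")]
    return ".".join(to_ace(label) for label in uni), ".".join(uni)

def scan_body(body, blocked_ace_hosts):
    """List (url, ace_host, unicode_host, reasons) for links that need action."""
    findings = []
    for url in URL_RE.findall(body):
        if (hosts := canonical_host(url)) is None:
            continue
        ace, uni = hosts
        reasons = []
        if ace in blocked_ace_hosts:  # lookup always uses the ACE form
            reasons.append("blocklisted")
        if any(label.startswith("xn--") for label in ace.split(".")):
            reasons.append("idn-host")  # surface IDN hosts for review
        if reasons:
            findings.append((url, ace, uni, reasons))
    return findings

# Constructed sample: reserved .example names, not data from the incident.
BLOCKED = {"xn--bcher-kva.example"}
BODY = ("Track your parcel: http://xn--bcher-kva.example/track "
        "or http://bücher.example/track or https://www.example.com/help")
```

Calling `scan_body(BODY, BLOCKED)` reports both spellings of the blocked host and ignores the plain ASCII link.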


It’s worth considering these takeaways from this attack:

  1. Defense-in-depth remains a best practice in the cloud, just as it was in an on-premises world. A single code base to protect the more than 85M corporate users on Office 365 opens the door to these types of attacks.
  2. It shows what attackers can do when they have easy admin access to Office 365 tenants. In this case, the attackers crafted an email using Punycode that they could test against EOP and ATP, until they were absolutely sure it would work. When they were confident it would get past the defenses, they launched a broader attack.
  3. Armed with malicious URLs hidden from the Office 365 defenses, it’s relatively simple to use MX lookup tools to identify organizations using EOP and Office 365. Attackers could quickly build a list of organizations to phish.
  4. Attackers are increasingly targeting Office 365 because of its popularity. The article states: “With the growth in Office 365 for corporate email, hackers are shifting their focus. The characteristics of this particular attack disclose the hacker’s intention to deceive Office 365 users into providing their login credentials.”
  5. It’s always worth having a defense in place that includes security against email threats such as malicious links (including the type used in this attack), weaponized attachments, and malware-less impersonation attacks.

