A bug in Microsoft Outlook for Mac allowed malicious actors to use the email service to distribute malware targeting Windows users, cybersecurity researchers have found.
Reegun Richard Jayapaul, Lead Threat Architect at Trustwave SpiderLab, revealed a recent malware (opens in new tab) campaign that bypassed a specific email security system. As it turns out - the specially crafted malicious link parsing on the security system is “weak”, he claimed.
As Jayapaul explains, this is not about detection bypass: “it is more about the link parser of the email security systems that cannot identify the emails containing the link.”
Microsoft patches the flaw
Long story short - improper hyperlink translation results in email security systems allowing malicious links through to the end-user.
When using Microsoft Outlook on Mac, if a malicious actor sends the vulnerable vector (for example, http://trustwave.com (opens in new tab)) with hyperlinked file:///maliciouslinnk, the email gets delivered as file:///trustwave.com.
The link file then translates to the http version, after clicking.
It’s this link that’s not recognized by “any email security system”, and as such, gets delivered to the victim as a clickable link.
The report further claims that “multiple email security systems” were impacted, because some were not patched, while others have “logistics issues”. He did not name any specific systems, though, but added that the attack technique remains the same for all of them.
> Windows 11 is getting a fresh new email app (opens in new tab)
> How to reclaim 30 hours of work per week by checking email for seven minutes (opens in new tab)
> This Outlook email update will give your calendar a splash of color (opens in new tab)
The researcher disclosed the vulnerability to Microsoft, and has since been labeled as CVE-2020-0696. The OS maker has issued a patch, and an automatic update.
Email is, by far, the most popular attack vector for most malicious actors. It is used to distribute malware, to phish victims out of their personally identifiable data, as well as payment data. Cybersecurity researchers are constantly warning how having an antivirus (opens in new tab) and firewall will not suffice, and that consumers and professionals should not +click on links, or download email attachments, unless they are absolutely certain in the sender’s good intentions.
- You might also want to check out our list of the best ransomware protection (opens in new tab) right now