Microsoft Outlook bug let hackers bypass email security protections

One Outlook 2021 running on Windows 10 PC
(Image credit: Shutterstock)

A bug in Microsoft Outlook for Mac allowed malicious actors to use the email service to distribute malware targeting Windows users, cybersecurity researchers have found.

Reegun Richard Jayapaul, Lead Threat Architect at Trustwave SpiderLab, revealed a recent malware (opens in new tab) campaign that bypassed a specific email security system. As it turns out - the specially crafted malicious link parsing on the security system is “weak”, he claimed. 

As Jayapaul explains, this is not about detection bypass: “it is more about the link parser of the email security systems that cannot identify the emails containing the link.” 

Microsoft patches the flaw

Long story short - improper hyperlink translation results in email security systems allowing malicious links through to the end-user. 

When using Microsoft Outlook on Mac, if a malicious actor sends the vulnerable vector (for example, (opens in new tab)) with hyperlinked file:///maliciouslinnk, the email gets delivered as file:///

The link file then translates to the http version, after clicking. 

It’s this link that’s not recognized by “any email security system”, and as such, gets delivered to the victim as a clickable link. 

The report further claims that “multiple email security systems” were impacted, because some were not patched, while others have “logistics issues”. He did not name any specific systems, though, but added that the attack technique remains the same for all of them. 

The researcher disclosed the vulnerability to Microsoft, and has since been labeled as CVE-2020-0696. The OS maker has issued a patch, and an automatic update. 

Email is, by far, the most popular attack vector for most malicious actors. It is used to distribute malware, to phish victims out of their personally identifiable data, as well as payment data. Cybersecurity researchers are constantly warning how having an antivirus (opens in new tab) and firewall will not suffice, and that consumers and professionals should not +click on links, or download email attachments, unless they are absolutely certain in the sender’s good intentions. 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.