A bug in Microsoft Outlook for Mac allowed malicious actors to use the messaging service to distribute malware targeting Windows users, cybersecurity researchers have found.
Reegun Richard Jayapaul, Lead Threat Architect at Trustwave SpiderLabs, revealed a recent malware campaign that bypassed a specific email security system. The security system's purpose-built malicious link scanner turned out to be “weak”, he claimed.
As Jayapaul explains, it’s not about circumventing detection: “rather it’s about the email security systems’ link scanner which cannot identify the emails containing the link”.
Microsoft fixes the flaw
Long story short, incorrect hyperlink translation results in email security systems allowing malicious links all the way to the end user.
When using Microsoft Outlook on Mac, if a malicious actor sends the vulnerable vector (for example, http://trustwave.com) with a file:///maliciouslink hyperlink, the email is delivered as file:///trustwave.com.
The file:/// link then translates to the http version after it is clicked.
It is this link that is not recognized by “any email security system”, and as such, is delivered to the victim as a clickable link.
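A link scanner can cover this case by treating a file:/// link whose path looks like a hostname as a web link and scanning the http form as well. The Python below is an added example, not code from Trustwave or Microsoft; the function names, reason labels and the sample message body are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# First path segment shaped like a hostname, e.g. "trustwave.com"
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
# Constructed sample body: the delivered form described in the article
SAMPLE_BODY = (
    '<p>Invoice: <a href="file:///trustwave.com">http://trustwave.com</a></p>'
    '<p>Help: <a href="https://example.org/help">help page</a></p>'
)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scan_candidates(html_body):
    """Return one finding per link, with the http(s) URLs a scanner should check."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parts, reasons, to_scan = urlsplit(href), [], []
        if parts.scheme in ("http", "https"):
            to_scan.append(href)
        elif parts.scheme == "file":
            reasons.append("file-scheme-link")
            # file:///trustwave.com parses as empty netloc, path "/trustwave.com"
            target = (parts.netloc + parts.path).lstrip("/")
            if HOSTLIKE.match(target.split("/")[0]):
                reasons.append("hostname-in-file-url")
                to_scan.append("http://" + target)  # what a click would open
        findings.append({"href": href, "text": text, "reasons": reasons, "scan": to_scan})
    return findings
```

Each URL in a finding's `scan` list would be passed to the normal URL reputation check, and a non-empty `reasons` list can be used to quarantine or rewrite the link.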
The report further claims that “several email security systems” have been impacted, as some have not been patched, while others have “logistical issues”. He didn’t name any specific systems, but added that the attack technique remains the same for everyone.
The researcher disclosed the vulnerability to Microsoft, and it has since been labeled CVE-2020-0696. The operating system manufacturer has released a patch and an automatic update.
Email is, by far, the most popular attack vector for most malicious actors. It is used to distribute malware, to phish victims for their personally identifiable data, as well as payment data. Cybersecurity researchers constantly warn that having an antivirus and a firewall will not be enough, and that consumers and professionals should not click on links or download attachments from emails unless they are absolutely certain of the good intentions of the sender.