Email has long been a major weak link for security; the Democratic National Committee and Hillary Clinton’s campaign were both infamously compromised by Russian hackers through email-related phishing attacks ahead of the 2016 US elections. With the 2020 campaign in full swing, a patched flaw in Microsoft Outlook is still giving attackers an opening.
First disclosed and fixed in October 2017, the bug is in a little-known Outlook feature called the Home Page, a tab that can function as a user’s home screen and load external content from, say, a company web server or even a public website. In practice, many Outlook users have no idea that the Home Page exists, because they open Outlook straight to their inboxes. But hackers realized that if they could get hold of someone’s account credentials, they could point a folder’s Home Page at a URL they controlled and have Outlook load malicious content from it. From there, they could run code that breaks out of Outlook’s restrictions and takes control of the device’s operating system. The whole attack is inconspicuous, because it looks like legitimate Outlook traffic. Once it is set up, the back door persists even after the compromised device is rebooted, because Outlook reloads the configured page each time the folder is opened.
Though Microsoft originally labelled the vulnerability as low severity in 2017 and said it had not seen the bug exploited in the wild, security firms quickly warned that they had seen evidence of nation-state abuse, particularly by the Iran-linked hacking group, APT33, and later another Iranian group, APT34. In July of this year, US Cyber Command issued a warning about ongoing exploitation of the vulnerability. In October, Microsoft said that Iranian hackers had targeted the Office 365 email accounts of a 2020 presidential campaign, reportedly the Trump campaign. This particular incident likely didn’t involve the Home Page bug specifically, but it underscores the focus on email hacking. And FireEye says that it has continued to see active exploitation of the Home Page vulnerability from a number of different actors, including nation-states.
“We’re seeing defenders not really understand it—this is actually pretty hard to find for security companies as well,” says Nick Carr, director of adversary methods at FireEye. “It’s something we’re seeing pretty often in the wild with no effective mitigations or patch for the exploit.”
So, about that patch. Microsoft issued a fix for the bug in 2017, which has understandably led to the impression that companies and campaigns needn’t worry about the threat if their Outlook is up to date. The fix restricts Home Page’s functionality through changes to the Windows Registry, the database of configuration settings for the operating system and other applications, rather than by removing the feature. But researchers have found that there are easy ways to undo those registry changes, or to route around them, even after the patch is installed. Microsoft did not return a request from WIRED for comment.
“There is a patch and it does disable some of the functionality,” says Matthew McWhirt, a senior manager at FireEye Mandiant. “Mostly it hides the ability to configure a Home Page URL setting in the Outlook user interface, but it can be re-enabled. And even with the patch, even if you haven’t reversed any of its protections, there are still other ways to invoke this Home Page behaviour. So, there are some additional hardening measures we’ve outlined that we are recommending to defenders.”
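The patch discussion above comes down to a handful of per-user registry values: the Home Page URL Outlook will load for a default folder, and the switch the 2017 update flipped to stop honouring roaming folder home pages. The PowerShell audit below is an added example, not code from the WIRED article, FireEye or TrustedSec. The key paths follow Microsoft’s public notes on the 2017 update and FireEye’s write-up; the set of Office version subkeys it walks (14.0, 15.0, 16.0) and the `-replace` used to tidy the output path are assumptions made for this example. It reports rather than remediates.

```powershell
# Added example (not from the article, FireEye or TrustedSec): audit the current
# user's Outlook registry for the two conditions the patch discussion turns on:
#   1. a Home Page URL configured for a default folder (the persistence an
#      attacker plants under ...\Outlook\WebView\<Folder>\URL), and
#   2. EnableRoamingFolderHomepages set back to a non-zero value, which undoes
#      the restriction the 2017 update introduced.
# Office version subkeys checked are an assumption for this example.

function Get-OutlookHomePageFindings {
    [CmdletBinding()]
    param(
        # Office 2010 = 14.0, Office 2013 = 15.0, Office 2016/2019/365 = 16.0 (assumed set).
        [string[]]$OfficeVersions = @('14.0', '15.0', '16.0'),
        [string]$Hive = 'HKCU:'
    )

    $findings = @()

    foreach ($ver in $OfficeVersions) {
        $outlook = Join-Path $Hive "Software\Microsoft\Office\$ver\Outlook"
        if (-not (Test-Path $outlook)) { continue }

        # 1. Any non-empty URL here means Outlook will render that page when the
        #    folder is selected. In a managed estate this should normally be empty.
        $webView = Join-Path $outlook 'WebView'
        if (Test-Path $webView) {
            foreach ($folder in Get-ChildItem -Path $webView) {
                $url = (Get-ItemProperty -Path $folder.PSPath -Name 'URL' -ErrorAction SilentlyContinue).URL
                if ([string]::IsNullOrWhiteSpace($url)) { continue }

                # Remote content is the textbook case; local/other schemes still warrant a look.
                $note = if ($url -match '^https?://') { 'remote content' } else { 'non-HTTP source' }

                $findings += [pscustomobject]@{
                    OfficeVersion = $ver
                    Check         = 'HomePageUrlSet'
                    Path          = "$($folder.Name)\URL"
                    Value         = $url
                    Note          = $note
                }
            }
        }

        # 2. After the 2017 update Outlook ignores roaming folder home pages unless
        #    this value is 1. Re-enabling it is the "undo the patch" step.
        $security = Join-Path $outlook 'Security'
        $roaming = (Get-ItemProperty -Path $security -Name 'EnableRoamingFolderHomepages' -ErrorAction SilentlyContinue).EnableRoamingFolderHomepages
        if ($null -ne $roaming -and [int]$roaming -ne 0) {
            $findings += [pscustomobject]@{
                OfficeVersion = $ver
                Check         = 'RoamingHomePagesReEnabled'
                Path          = "$security\EnableRoamingFolderHomepages"
                Value         = $roaming
                Note          = 'patch restriction switched off'
            }
        }
    }

    return $findings
}

# Usage: print findings for the current user and return a non-zero exit code if
# anything was found, so the audit can run as a login script or scheduled task.
$results = @(Get-OutlookHomePageFindings)
if ($results.Count -eq 0) {
    Write-Output 'No Outlook Home Page URLs or re-enabled roaming home pages found.'
} else {
    $results | Format-Table -AutoSize
    exit 1
}
```

Two caveats for anyone running this. It only sees the current user’s hive, so on a shared or domain-joined machine it needs to run in each user’s context (or be pointed at loaded profile hives). And it only covers the registry: a Home Page can also be set as a property on the mail folder itself in the mailbox, which is one of the “other ways to invoke this Home Page behaviour” mentioned above and is invisible to a registry check, so this audit is a starting point rather than a complete detection.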
FireEye’s post walks through an example of a recent Outlook Home Page exploitation the firm spotted in the wild. It’s a particularly good example of a clever way around Microsoft’s patch that also hints at the potential for many variations—an indication that attackers could continue to rely on this exploit for a long time. But it turned out that this sample intrusion wasn’t perpetrated by a nation-state. Instead it came from a red team, or a group of hackers who have been hired by a company or other organization to find weaknesses in its digital defenses.
The “attack” came from the penetration testing firm TrustedSec, which was working a job.
“We’ve been using Outlook Home Page attacks for several years in our red team engagements,” says Dave Kennedy, TrustedSec’s founder and CEO. “Our goal is to use real-world attacks and adversary capabilities against our customers, and Home Page attacks largely go unnoticed in almost every organization. When you have a Microsoft Office product making modifications to the Office Registry, it’s very difficult for defenders to pick up on because it looks legitimate.”
FireEye’s Carr also points out that, in addition to relying on the patch, defenders may be focused on monitoring and defending a cloud email service like Office 365 rather than the clients that connect to it. But a desktop application like Outlook runs on the endpoint, so a mailbox hosted in the cloud can still be turned into a foothold on the local machine and its network.
TrustedSec’s Kennedy says he’s glad FireEye is continuing to raise awareness about the Outlook Home Page bug and is proposing concrete additional mitigations. But he jokes that maybe they could have done it without blowing up TrustedSec’s spot in the process.
“I’m still ticked that they found our technique and we lost our code,” Kennedy says, laughing. “That’s the game, though, and these types of attacks are just examples of what’s possible from an attacker that has access to a vast amount of resources.”