Highlights:

  • The study breaks Outlook attacks down into three categories: embedded malicious hyperlinks, attachments carrying malware, and more specialized attack vectors.
  • The third category is the most intriguing: attacks that fire when a user merely reads the message without clicking anything, often known as a ‘preview pane’ attack, because the user is only passively previewing the message.

Haifei Li, a Principal Vulnerability Researcher at Check Point Software Technologies Ltd., delves into Microsoft Outlook exploits in a recent blog post. This exploration offers insights valuable to both users and security managers.

Li sorts these exploits into three segments: embedded malicious hyperlinks, malware-laced attachments, and more intricate attack vectors. Li personally investigated many of these scenarios using the latest versions of the Windows Outlook client and Exchange servers.

Because of its widespread use, Outlook exploits—including older ones that haven’t been carefully patched, or for which new variations have appeared—continue to make headlines. In a case recently made public on Bleeping Computer, state-sponsored hackers from Russia took advantage of a vulnerability fixed in March.

Malicious hyperlinks make up the first category; they are the basis for all phishing emails and for related vectors such as SMS text messages. Li wrote, “For this attack vector, the attacker basically uses emails as a bridge to perform web-based attacks, whether they are social-engineering-based phishing attacks, browser exploits, or even highly technical browser zero-day exploits.” In other words, all a user needs to do is click the link: a web browser launches, and that is where the exploit begins.

Users are well acquainted with the second category, malicious attachments, where the exploit’s success hinges on whether a user clicks the attached file once or more than once. Outlook flags specific file types as potentially unsafe or risky, and Microsoft provides several recommendations for handling them more securely.

Li outlines multiple scenarios based on the type of file attached, where it came from, and the security measures Microsoft has in place to stop malware infections. Li distinguishes between previewing the file and simply clicking on it to launch the associated application directly, and backs this up with a very comprehensive collection of use cases. These use cases form the main content of Li’s post, and security managers may find it helpful to read through them and understand the different modalities.

The third category introduces an intriguing dimension. These attacks occur when a user merely reads the message without clicking on any element; they are often termed “preview pane” attacks, because the user is only passively previewing the message.

Li formulates a scoring system for each variant of Outlook attacks. “When we assess the risk for an exploit delivered via the Outlook attack vectors, we need to assess the whole picture. We need not just consider the Outlook attack scenario discussed in this paper, but also the exploit itself, including the difficulty of developing the exploit,” he wrote.

This highlights the complexity of securing Outlook. Understanding the connections between the underlying operating system—whether Windows or another platform—the default web browser, and the way a user interacts with each of these elements is challenging, and that complexity is part of why attackers succeed in delivering malware to a user’s device.