Office 365 baseStriker vulnerability


There’s an amazingly simple but effective way to bypass some security scans used by Office 365 hosting and possibly infect a computer.

Called BaseStriker, this trick is so simple that it is amazing any professional security software doesn’t already check for it.  It hides a dangerous link from Microsoft’s own and other security scans, which allows hackers to send bad links to Office 365 customers.

BaseStriker was discovered by Avanan.com.  They report that all Office 365 hosting is vulnerable unless Mimecast security is in use, which does check for this hack.  Gmail is also OK.

How BaseStriker works

Anyone with novice HTML knowledge can understand this hack.  We’ll explain how it works just to show how embarrassingly elementary this attack is.

A normal web link has the entire URL in the ‘a href’ attribute, for example:

[Image: a normal link with the full URL in the ‘a href’ attribute. Source: Avanan]

Security software can look at the link and, if it’s on a list of bad or dangerous links, block access to it.

It’s always been possible to shorten an ‘a href’ link by putting a ‘base’ web link or domain at the start of a web page or HTML email. Then all you have to do is add the rest of the web link in the body of the page/email.  It’s not commonly done these days but is still a valid HTML tag.

The hackers take advantage of this by splitting the web link between a ‘base’ link in the page/email header and the rest of the link in the body of the page.

[Image: the same link split between a ‘base’ tag in the header and a relative ‘a href’ in the body. Source: Avanan]

It seems most Office 365 security only looks at the ‘a href’ value itself to decide if the link is dangerous.  Instead it should be looking at the real link (the ‘base’ URL plus the ‘a href’), which is the address the mail client actually opens.
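To show the difference between the two checks, here is an added example (not Avanan’s or Microsoft’s code) that resolves each ‘a href’ against the ‘base’ tag the way a mail client does before comparing it to a blocklist; the HTML sample and the blocklisted domain phish.example are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collect the first <base href> and every <a href>, in document order."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]
        elif tag == "a" and attrs.get("href") is not None:
            self.hrefs.append(attrs["href"])


def extract_links(html):
    """Return (raw_hrefs, resolved_urls). resolved_urls applies the <base href>,
    which is what the mail client does on click; raw_hrefs is all an
    href-only scanner sees."""
    p = LinkCollector()
    p.feed(html)
    p.close()
    return p.hrefs, [urljoin(p.base or "", h) for h in p.hrefs]


def blocked(url, blocklist):
    """True if the URL's host is on the blocklist; relative hrefs have no host."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in blocklist


# Constructed sample: the blocklisted host sits only in <base>; the <a href>
# is a harmless-looking relative path. The domain is a placeholder.
SAMPLE_EMAIL = """<html><head><base href="https://phish.example/"></head>
<body><a href="login/verify.html">Confirm your account</a></body></html>"""
BLOCKLIST = {"phish.example"}


def scan(html=SAMPLE_EMAIL, blocklist=BLOCKLIST):
    """Return (naive_hits, resolved_hits) for href-only vs base-aware checks."""
    raw, resolved = extract_links(html)
    return ([u for u in raw if blocked(u, blocklist)],
            [u for u in resolved if blocked(u, blocklist)])
```

Running `scan()` on the sample returns an empty list for the href-only check and the resolved `https://phish.example/login/verify.html` for the base-aware check, which is exactly the gap the trick exploits.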

You can imagine the hacker’s delight when they realized that a stupidly simple trick would fool Microsoft’s much hyped security!