Details have been released on a simple Office 365 hack that incorrectly identifies spoofed emails pretending to be from the Microsoft.com domain as valid. The vulnerability being targeted was privately disclosed by Turkish security researcher Utku Sen, and was patched by Microsoft this month.
According to Sen, the vulnerability took advantage a flaw in Microsoft’s DKIM (DomainKeys Identified Mail) validator used in Outlook 365, part of Microsoft’s Office 365 Web Services suite. Exploiting this weakness, a hacker could use email forwarding tools in Outlook 365 to validate phishing emails that spoofed the Microsoft.com domain. The technique could give bogus emails the appearance of legitimacy and avoid the messages from getting caught in a recipient’s spam filter.
Sen, an application security engineer based in Turkey, said the vulnerability is particularly problematic when used in conjunction with the popular Russian email service from Yandex. That’s because Yandex email recipients who were on the receiving end of the spoofed emails in question, also received green “check” certificates, below, that indicated the emails were authenticated and could be trusted. That green certificate, according to Yandex, indicated: “With a DKIM signature, the email recipient can verify that the message really came from the supposed sender.”
Microsoft and Yandex, considered the Google of Russia, addressed the vulnerability earlier this month.
In Sen’s tests, he used the email phishing tool called SEES (Social Engineering Email Sender). SEES allows you to craft emails with bogus email sender-field data that could be anything, such as MickeyMouse[@]Disney.com, SatyaNadella[@]Microsoft.com or AccountServices[@]Microsoft.com. The catch is, most email services such as Yandex, Google and Yahoo normally catch these types of crafted phishing emails sent from tools such as SEES and send them straight to a spam folder.
However, when Sen configured his Outlook 365 web client to automatically forward spoofed emails to Google, Yandex or any email address, the spoofed email were identified as valid.
Sen theorizes that the culprit was the Microsoft signing domain (onmicrosoft.com) that his Outlook 365 client was using. He believes that typically emails that spoof sender data are sent straight to a recipient’s spam filter because emails lack a valid signature and can’t be authenticated. The problem was tied to the way Outlook 365 was handling forwarded email when the spoofed domain was Microsoft[.]com. Outlook 365 automatically validated those spoofed messages and tricked spam filters into thinking emails were legit.
Since Sen posted a technical explanation of the vulnerability, he updated his analysis with a plausible explanation from a Reddit user who agreed Microsoft’s DKIM validation process was to blame.
“Because Outlook was blindly signing these messages it was redirecting, if the message had a fake from field saying firstname.lastname@example.org, then after Outlook blindly redirected it, it’d have a genuine DKIM signature from Microsoft by coincidence, even though the original email wasn’t from Microsoft at all,” Sen said.
When Sen tried the same technique using email forwarding features in Gmail or Yandex the vulnerability wasn’t present. In Sen’s tests, the vulnerability only worked when used through Outlook 365.
Sen said he identified that problem in September, and by late October Microsoft informed him the vulnerability was fixed. Earlier this month, Microsoft Security Response Center credited Sen for finding the vulnerability. Yandex has since stopped supporting the green DKIM verification certificate shown on “validated” emails, according to Sen.