Hackers Figure Out How to Evade Microsoft’s Advanced Threat Protection

Hackers are always in a cat-and-mouse game with the good guys (and gals) as the hackers try to do us in and the good guys try to swat them away.

Microsoft has an add-on to Office 365 called Advanced Threat Protection or ATP.  One of the things that ATP  does is make links inside emails safer by replacing all of the links with a link to a Microsoft filtering service that reviews the links to make sure that they are not malicious.

EXCEPT …

There is a bit of a flaw in their process.  In HTML you can split up the URL into a BASE and a RELATIVE link.  When the link is clicked on the two pieces are glued together to make the full web address.

Apparently ATP does not understand that and, at least for now, the bad guys can get through.

Interestingly, Proofpoint also falls for this attack, but Mimecast does not.  GMail does not seem to fall for this attack either.

So what should you do?

First, don’t let users let their guard down just you have some software in place.  Keep training and keep phishing.  

Second, it is probably worthwhile to let your users know that this attack is in the wild and they should be extra careful.

Finally, whine at Microsoft and ask them when they are going to fix the BASESTRIKER vulnerability.  The more people who complain, the faster it will get fixed.

This is one of the good things about the web.  Since this is a service hosted at Microsoft, all they have to do is fix the service in one place and THE ENTIRE POPULATION OF OFFICE 365 USERS ARE PROTECTED.  That’s pretty neat.

And, I bet, that there are some folks in Redmond or Dublin or some place like that working on the problem right now.  It doesn’t seem like it will be hard to fix.  It will likely be fixed soon.

Information for this post came from The Hacker News.

by