A zero-day vulnerability has been discovered in Office 365 that could allow a threat actor to successfully send a malicious email to a victim without being detected by email security systems. Dubbed baseStriker, the vulnerability can be exploited by disguising a malicious link within code using the `<base>` HTML tag. Due to an email filter handling issue, Office 365 security systems fail to render these URLs correctly before scanning, preventing the system from detecting a malicious link and allowing these emails to be delivered to end users. Threat actors have been exploiting this vulnerability through phishing attacks, but researchers believe the flaw could be used to distribute ransomware, malware, or other malicious content. BaseStriker affects all Office 365 configurations and there are currently no patches to address the vulnerability.
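In HTML, a `<base href>` tag sets the URL that relative links in the document resolve against, so a filter has to resolve each link against it before checking the link, which is the step the paragraph above describes as failing. The following Python is an added example of that check, not code from Avanan or Microsoft; the function names, the blocklist and the `phish.example` placeholder domain are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class EffectiveLinkParser(HTMLParser):
    """Collects link hrefs and the first <base href> found in a message body."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if not href:
            return
        if tag == "base" and self.base is None:
            self.base = href.strip()  # HTML honours only the first <base href>
        elif tag in ("a", "area"):
            self.hrefs.append(href.strip())


def effective_links(html_body):
    """Return (raw_href, resolved_url) pairs, resolving each href against <base>."""
    parser = EffectiveLinkParser()
    parser.feed(html_body)
    parser.close()
    return [(h, urljoin(parser.base or "", h)) for h in parser.hrefs]


def flag_links(html_body, blocked_hosts):
    """Return resolved URLs whose host is in blocked_hosts (hypothetical blocklist)."""
    hits = []
    for _raw, resolved in effective_links(html_body):
        host = (urlsplit(resolved).hostname or "").lower()
        if host in blocked_hosts:
            hits.append(resolved)
    return hits


# Constructed sample message body; phish.example is a placeholder domain.
SAMPLE = """<html><head><base href="https://phish.example/login/"></head>
<body><a href="portal.html">Review your account</a></body></html>"""

if __name__ == "__main__":
    for raw, resolved in effective_links(SAMPLE):
        print(f"raw={raw!r} resolved={resolved!r}")
    print(flag_links(SAMPLE, {"phish.example"}))
```

Checking only the raw `href` value here yields `portal.html`, which carries no host to match; the blocklist lookup succeeds only on the resolved URL.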
The NJCCIC recommends all users and administrators of Office 365 review the Avanan report on baseStriker, enable multi-factor authentication, and apply necessary patches if and when they become available. The NJCCIC recommends educating end users about this and similar threats and reminding them never to click on links delivered in unexpected or unsolicited emails, especially to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action.