How Browser Features Easily Become Security Flaws
We train our users to always hover over links in emails and to validate the domain the link points to. That check can't be trusted if you read your email in Office 365 with Microsoft Edge.
Recently I stumbled upon an email that Outlook sends when a user wants to share their calendar. It piqued my interest because the button in that email had fancy CSS hover effects and matched its colour to my Office 365 theme. HTML and CSS support in email clients is restrictive, and anything remotely fancy normally does not render.
This might not sound like a big deal to you, but for someone who writes phishing emails for a living it is pretty interesting. I quickly found out that I can control the URL and that Chrome does not reveal it, so you can't see where the button takes you. This is nothing new; HoxHunt has been training its users to spot this kind of attack in Gmail for a while now. I then looked at the same email in Edge. A few HTML email iterations later I had an email in which a malicious actor could display a completely different, trusted domain from the one the button really resolves to. Check it out in the video below.
This is really good for malicious actors trying to get you to visit a URL and really bad for users viewing email in Office 365 with Edge. If you can't validate the domain by hovering over a link, you need to be vigilant with every email, and that is best achieved by changing your behaviour around email completely.
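One gateway-side check a defender can run for the mismatch described above, as an added example that is not code from the original post or from HoxHunt: it parses every anchor in an HTML email, pulls any domain that appears in the visible link text or in the `title` attribute (the tooltip many clients show on hover), and flags the link when that displayed domain differs from the host the `href` actually points to. The post does not disclose the exact markup it used, so the sample email below is constructed, and the `.test` domain and the helper names are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anything that looks like a hostname inside free text or a URL, e.g.
# "outlook.office365.com" or "https://login.microsoftonline.com/x".
DOMAIN_RE = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/\s:]|$)", re.IGNORECASE
)


def normalise_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so that
    'WWW.Example.COM.' and 'example.com' compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


class _AnchorCollector(HTMLParser):
    """Collects href, title and the visible text of every <a> element,
    including text nested in child tags such as <span> or <b>."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[dict] = []
        self._current: dict | None = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {
                "href": a.get("href") or "",
                "title": a.get("title") or "",
                "text": "",
            }

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def extract_anchors(html: str) -> list[dict]:
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def find_mismatched_links(html: str) -> list[dict]:
    """Return every anchor whose displayed domain (link text or title
    tooltip) is not the host its href really resolves to."""
    findings = []
    for link in extract_anchors(html):
        href_host = normalise_host(urlparse(link["href"]).hostname or "")
        if not href_host:          # mailto:, relative or empty href: nothing to compare
            continue
        shown = f'{link["text"]} {link["title"]}'
        for match in DOMAIN_RE.finditer(shown):
            shown_host = normalise_host(match.group(1))
            if shown_host != href_host:
                findings.append(
                    {"href": link["href"], "shown_domain": shown_host, "href_domain": href_host}
                )
                break
    return findings


# Constructed sample email (assumption, not the markup from the post):
# a genuine calendar-share link, a button whose text and tooltip show a
# Microsoft domain while the href points elsewhere, a www/non-www pair
# that must not be flagged, and a button with no domain in its text.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Alice has shared her calendar with you.</p>
<a href="https://outlook.office365.com/owa/calendar/share">https://outlook.office365.com/owa/calendar/share</a>
<a href="https://calendar-share.example-phish.test/accept" title="https://outlook.office365.com">
  <span>Open https://outlook.office365.com</span>
</a>
<a href="https://www.contoso.com/help">contoso.com</a>
<a href="https://example-phish.test/x">Open calendar</a>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f'shows {hit["shown_domain"]} but goes to {hit["href_domain"]} ({hit["href"]})')
```

Only the second anchor is reported. The check deliberately stays silent for a button whose visible text carries no domain at all (the last anchor), which is exactly the case where nothing on the page tells the user where the link goes; that one still needs the behaviour change the post asks for.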
HoxHunt has a wide variety of phishing emails, and our users will be the first to detect and report phishing attempts that use methods like these.
HoxHunt reported this through the Microsoft bug bounty program, which confirmed that this behaviour is not considered a bug but works as designed.