We train our users to always hover over links in emails to validate the domain the link points to. This can’t be trusted if you are using Microsoft Edge to view your emails in Office 365.
Recently I stumbled upon an email that Outlook sends when a user wants to share their calendar. The email piqued my interest when I noticed that the button in it had fancy CSS hover effects and matched the color of my Office 365 theme. HTML and CSS support in email is restrictive, and anything remotely fancy normally will not work.
This might not sound like a big deal to you, but for someone who writes phishing emails for a living, this is pretty interesting. I quickly found out that I can control the URL and that Chrome won’t show where it resolves, so you can’t see where the button takes you. This is nothing new, as Hoxhunt has been training users to spot this kind of attack on Gmail for a while now. Then I started looking at the message in Edge. A few HTML email iterations later, I had an email in which a malicious hacker could display a totally different, trusted domain from the one the button would really resolve to.
This is really good for malicious actors trying to get you to visit a URL, and really bad for users viewing emails on Office 365 with Edge. If you can’t validate the domain by hovering over the link, you need to be vigilant about every email. This is best achieved by changing your behavior around emails completely.
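A defender-side check for the mismatch described above, as an added example that is not part of the original post: it parses an HTML email and flags every anchor whose displayed domain (link text or title attribute) differs from the host its href actually points to. The sample email is constructed; since the post does not publish the exact markup, which attributes carry the misleading domain is an assumption here.

```python
# Added example (not the original post's code): flag <a> elements in an HTML
# email whose displayed domain does not match the href host. The sample
# email is constructed; which attributes carry the shown domain is assumed.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Anything that looks like a DNS name inside the visible text or title.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, title, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, title, text) tuples
        self._open = None    # anchor currently being read, if any

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._open = [a.get("href") or "", a.get("title") or "", []]

    def handle_data(self, data):
        if self._open is not None:
            self._open[2].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            href, title, parts = self._open
            self.links.append((href, title, "".join(parts).strip()))
            self._open = None


def find_mismatched_links(html):
    """Return sorted unique (shown_domain, real_host) pairs where the domain a
    reader sees disagrees with the href host. A shown domain is accepted when
    it equals the real host or is one of its parent domains (case-insensitive)."""
    p = LinkCollector()
    p.feed(html)
    findings = set()
    for href, title, text in p.links:
        real = (urlparse(href).hostname or "").lower()
        for shown in DOMAIN_RE.findall(title + " " + text):
            shown = shown.lower()
            if real and shown != real and not real.endswith("." + shown):
                findings.add((shown, real))
    return sorted(findings)


# Constructed sample: the button advertises one domain but links elsewhere.
SAMPLE = ('<p>Share my calendar</p>'
          '<a href="https://calendar-invite.example.net/open" '
          'title="https://outlook.office.com">Open calendar on outlook.office.com</a>'
          '<a href="https://www.example.com/x">www.example.com</a>')
```

Running `find_mismatched_links(SAMPLE)` reports the first anchor and accepts the second, whose shown and real domains agree.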
Hoxhunt has a wide variety of phishing emails, and our users will be the first ones to detect and report phishing attempts using methods like these.
Hoxhunt has reached out through the Microsoft bug bounty program, which confirmed that this is not a bug but actually by design.