2025-04-02 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 12/24 Report
Background
In the digital age, people communicate mainly through e-mail, so the security of the e-mail platform is very important. Since the launch of various AI tools, the difficulty and cost of phishing email attacks have dropped sharply, driving the number of such attacks and the losses of victims to new highs. In 2022, there were more than 20,000 "commercial e-mail intrusions" in the United States, resulting in losses of nearly $2.7 billion. In the first quarter of 2023 alone, there were nearly 40,000 similar attacks in the United States. In the third quarter of 2023, China's domestic enterprise mailbox users received more than 80 million phishing emails, a year-on-year increase of 47 percent and a month-on-month increase of 23 percent. These figures warn enterprise IT managers that neglecting the security of the enterprise mail system has very serious consequences.
Recently, Check Point Research conducted a comprehensive analysis of Outlook, the widely used e-mail client in Microsoft Office, revealing three main attack vectors: common, normal, and advanced. By analyzing the various attack vectors against Outlook in a typical enterprise environment, Check Point examines, from a security research perspective, the security risks that everyday email operations may bring.
Note: the research described in this article is conducted in a typical / default Outlook + Exchange Server environment and on the latest Outlook 2021 (Windows desktop version) with security updates as of November 2023.
Common: hyperlink attack vector
In this attack vector, the attacker sends an email containing a malicious Web hyperlink. Once such a link is clicked, the user may be directed to a phishing site, or the link may launch a browser exploit, possibly even a sophisticated zero-day exploit. Simple as it may seem, most of the security risk here comes from the browser rather than from Outlook itself. Outlook puts usability first and considers it impractical to ask for confirmation on every hyperlink click. Therefore, users should use reliable browsers and guard against phishing attacks.
Normal: attachment attack vector
An attacker can take advantage of the normal behavior of a user opening an email attachment. When the user double-clicks the attachment, Outlook attempts to invoke the default application that Windows associates with that file type. The security risk therefore depends on the robustness of the application registered for the attachment's file type. If the file type is marked as unsafe, Outlook blocks it. For unclassified file types, the user is prompted and must click twice to confirm. Users must therefore be careful not to click the "Open" button casually for attachments from untrusted sources.
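The outcomes described above, modelled as a mail-triage check. This is an added example, not code from Check Point or Microsoft; the extension sets are small illustrative samples rather than Outlook's actual lists, and the "open" tier for known file types is an assumption.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Illustrative samples only (assumption): these are NOT Outlook's real lists.
UNSAFE = {".exe", ".bat", ".js", ".vbs", ".lnk"}      # blocked outright
KNOWN = {".docx", ".xlsx", ".pdf", ".txt", ".png"}    # handed to the registered app


def effective_ext(filename):
    """Extension Windows would act on: the last suffix, case-folded, with
    trailing dots and spaces dropped ("a.bat. " is treated as "a.bat")."""
    name = (filename or "").strip().rstrip(". ").lower()
    return PurePosixPath(name).suffix


def classify(filename):
    ext = effective_ext(filename)
    if ext in UNSAFE:
        return "block"
    if ext in KNOWN:
        return "open"
    return "prompt"  # unclassified: the user must confirm before opening


def triage(raw_bytes):
    """Return (filename, verdict) for every attachment in a raw message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    return [(p.get_filename(), classify(p.get_filename()))
            for p in msg.iter_attachments()]


def build_sample():
    """Constructed test message; sender, names and content are made up."""
    m = EmailMessage()
    m["From"] = "billing@example.com"
    m["Subject"] = "Q3 invoice"
    m.set_content("See attached.")
    for name in ("Invoice.PDF.exe", "notes.docx", "data.xyz"):
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()


if __name__ == "__main__":
    for name, verdict in triage(build_sample()):
        print(f"{verdict:7} {name}")
```

The check keys on the last extension after normalisation, so a double extension such as `Invoice.PDF.exe` is judged as `.exe` rather than by the decoy `.PDF`.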
Advanced: email viewing and special object attack vector
Email viewing attack vector
This vector (also known as a "preview pane" attack) poses a threat when users view email in Outlook. Vulnerabilities may exist in the handling of different email formats such as HTML and TNEF. To enhance security, it is recommended that Outlook be configured to read emails as plain text only, but doing so may affect usability because links and pictures may not be visible in plain-text emails.
Outlook special object attack vector
This advanced attack vector exploits zero-day vulnerabilities, such as CVE-2023-23397. An attacker can compromise Outlook by sending a malicious "reminder" object, which triggers the vulnerability when the user opens Outlook and connects to the email server. It is worth noting that the victim does not even have to read the email for the attack to trigger. This highlights the importance of timely security updates and careful operation.
Conclusions and preventive measures
To sum up, more measures are needed to protect Outlook users. Users should avoid clicking on unknown links, be careful when opening attachments from untrusted sources, and always ensure that the Microsoft Office suite is updated to the latest version. More importantly, IT decision makers should consider integrating the mail system into the overall security policy management system. All the attack vectors revealed above can be effectively monitored and protected against with Check Point solutions, including Check Point email security and collaboration security solutions. Harmony Email & Collaboration provides comprehensive protection for Microsoft 365, Google Workspace, and all collaboration and file sharing applications. This solution is designed for cloud email environments and is the only solution that can prevent (not just detect or respond to) threats from invading your inbox.
Harmony Endpoint provides comprehensive endpoint protection with the highest level of security, and XDR/XPR can quickly identify the most complex attacks by correlating events across the entire security asset and combining behavioral analysis, real-time proprietary threat intelligence from Check Point Research and ThreatCloud AI, and third-party intelligence.
Threat Emulation and Check Point gateways provide superior security over any next-generation firewall (NGFW). These gateways are designed for zero-day security protection, with more than 60 innovative security services, and are the best choice for defending against fifth-generation network attacks. At the same time, Check Point Research has been actively monitoring online attacks related to Outlook and email. As a leading security company, Check Point is committed to continuously developing innovative detection and protection technologies for customers around the world.
To learn more about these attack vectors, see the full report on the Check Point Research blog.