Sublime | medium | Rule

Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag

The exploit involves tricking Outlook for Windows into displaying a fake domain while opening another one. This is achieved by adding a <base> HTML tag with a fake domain and a left-to-right mark (Unicode U+200E). Links within <a> tags will display the fake domain but open the actual domain when clicked on.

MITRE ATT&CK

defense-evasion, execution

Detection Query

type.inbound
and regex.contains(body.html.raw, 'base.{0,100}\x{200E}/>')
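The MQL predicate above, translated to Python and run over constructed HTML bodies, as an added example that is not part of the Sublime rule. The sample bodies and the function names are assumptions made for the demonstration; the only thing carried over from the rule is the regular expression itself.

```python
import re
from typing import Optional

# Python equivalent of the rule's predicate:
#   regex.contains(body.html.raw, 'base.{0,100}\x{200E}/>')
# Sublime's regex engine (RE2 syntax) writes the code point as \x{200E};
# Python's re module spells the same left-to-right mark as \u200E.
# As in RE2, '.' does not cross a newline, so the LRM must sit within
# 100 characters of "base" on the same line to match.
LRM_BASE_TAG = re.compile(r"base.{0,100}\u200E/>")


def find_lrm_base_tag(html: str) -> Optional[str]:
    """Return the matched fragment (starting at 'base' and ending at the
    LRM-terminated '/>'), or None when the body does not match the rule."""
    m = LRM_BASE_TAG.search(html)
    return m.group(0) if m else None


def matches_lrm_base_rule(html: str) -> bool:
    """True when the raw HTML body would fire the detection rule."""
    return find_lrm_base_tag(html) is not None


# Constructed sample bodies (not taken from any real message).
# 1) A <base> tag closed by U+200E immediately before '/>' -> matches.
SUSPICIOUS = (
    '<html><head>'
    '<base href="https://example.com/" \u200e/>'
    '</head><body><a href="/signin">Sign in</a></body></html>'
)

# 2) An ordinary, correctly closed <base> tag with no LRM -> no match.
BENIGN = (
    '<html><head><base href="https://example.com/" /></head>'
    '<body><a href="/signin">Sign in</a></body></html>'
)

# 3) An LRM present in visible text but not attached to a tag close -> no match.
# Shows that the rule keys on the '\u200E/>' sequence, not on any LRM at all.
LRM_ELSEWHERE = (
    '<html><head><base href="https://example.com/"></head>'
    '<body><p>Balance: \u200e1,000</p><br/></body></html>'
)

if __name__ == "__main__":
    for label, body in [("suspicious", SUSPICIOUS), ("benign", BENIGN),
                        ("lrm elsewhere", LRM_ELSEWHERE)]:
        print(f"{label}: match={matches_lrm_base_rule(body)!r} "
              f"fragment={find_lrm_base_tag(body)!r}")
```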

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content
name: "Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag"
description: |
  The exploit involves tricking Outlook for Windows into displaying a fake domain while opening another one. This is achieved by adding a <base> HTML tag with a fake domain and a left-to-right mark (Unicode U+200E). Links within <a> tags will display the fake domain but open the actual domain when clicked on.
references:
  - "https://twitter.com/ldionmarcil/status/1665732725767122946?s=20"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and regex.contains(body.html.raw, 'base.{0,100}\x{200E}/>')
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Exploit"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
id: "160cc681-dfb3-5820-aa03-37f0289bd0e2"