Email security, Application security, Phishing

Microsoft patches Outlook URL formatting bypass

The Microsoft logo is illuminated at its booth at the GSMA Mobile World Congress 2019 on Feb. 26, 2019, in Barcelona, Spain. (Photo by David Ramos/Getty Images)

Microsoft has re-patched a 2020 Outlook vulnerability after a bypass of the original fix was found, according to the researcher who discovered both the original vulnerability and its bypass.

The original vulnerability, CVE-2020-0696, was discovered by Reegun Richard Jayapaul, then of Resecurity and now of Trustwave SpiderLabs. In it, an attacker could show a legitimate URL as the visible text of an email link while pointing the link itself at a second, malformed malicious URL, and the link would evade Microsoft's Safelink malicious link detection.

Those malformed links could be created by replacing "HTTP://" with any of several patterns, including "file://" or "//". Safelink would not flag the malformed link as a website needing vetting, yet the malformed URL would nonetheless be corrected automatically so that it linked out to its intended address.

Microsoft patched CVE-2020-0696 in 2020.

Out of "curiosity and free time during the pandemic" (per Jayapaul's colleague Karl Sigler, SpiderLabs senior research manager), Jayapaul recently revisited the vulnerability. He found a new pattern that evaded detection: replacing "HTTP://" with "HTTP:/://".
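To make the detection side concrete, here is an added example (not Microsoft's or Trustwave's code) that normalizes the malformed scheme prefixes named above and flags mail links whose visible text names a different host than the link's real target. The HTML snippet and hostnames are constructed, and the rule that each malformed prefix is effectively repaired to "http://" is an assumption drawn from the article's description.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Prefixes the article names as evading a naive "starts with http(s)://" check.
# Assumption: the mail client effectively repairs each of these to a plain http:// link.
MALFORMED_PREFIXES = ("http:/://", "file://", "//")
URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)

def normalize_scheme(href):
    """Rewrite a malformed scheme prefix to http:// so the real host can be read."""
    href = href.strip()
    for prefix in MALFORMED_PREFIXES:
        if href.lower().startswith(prefix):
            return "http://" + href[len(prefix):]
    return href

def host_of(url):
    return (urlsplit(url).hostname or "").lower()  # '' when nothing parses

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_deceptive_links(html):
    """Return (shown text, raw href, real host) for links whose visible URL names another host."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not URL_LIKE.fullmatch(text):  # plain words like "click here" are not judged here
            continue
        shown = host_of(text if "://" in text else "http://" + text)
        real = host_of(normalize_scheme(href))
        if shown and real != shown:
            findings.append((text, href, real))
    return findings

# Constructed sample (placeholder hosts), not from the article; only the first link is deceptive.
SAMPLE_HTML = '<a href="http:/://example-login.test/reset">https://bank.example</a> <a href="//docs.example/start">docs.example</a>'
```

Running `find_deceptive_links(SAMPLE_HTML)` reports the first anchor, because its visible text names bank.example while the normalized target resolves to example-login.test.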

Sigler praised Microsoft's response to Trustwave's disclosure.

"Microsoft was responsive and followed up quickly on both the original issue and the secondary bypass," he said.

The bypass is another reminder of timeless email wisdom, said Sigler.

"Don't click on links in emails unless you know exactly where it leads," he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
