Microsoft Outlook offers a lot of attack vectors under everyday conditions. An analysis by Check Point Research (CPR) shows the routes that cyber attackers use. This is of particular interest to small and medium-sized companies (SMEs).
Check Point Research (CPR), Check Point's threat intelligence division, has published a detailed analysis of the Microsoft Outlook desktop client connected to Microsoft Exchange Server, which gives deep insight into its attack vectors. The analysis specifically examined Outlook 2021 on Windows with updates as of November 2023. Current security vulnerabilities should of course also be kept in mind.
Three main ways to attack MS Outlook
The analysis, conducted with default settings in a typical corporate environment and taking into account typical user behavior such as clicking and double-clicking, shows three main attack vectors: hyperlinks, attachments and advanced attacks (which include reading emails and special objects). Being aware of these common methods used by hackers is crucial to understanding and mitigating vulnerabilities in email communication.
Hyperlinks
This simple but effective attack involves sending emails containing fraudulent hyperlinks. They lead to phishing sites, can exploit browser vulnerabilities, or even trigger sophisticated zero-day attacks. The risk lies primarily in the browser used, not in Outlook. Users are advised to use robust browsers and be wary of phishing sites.
Email attachments
This method takes advantage of the common practice of opening email attachments. The threat level depends on the application that Windows associates with the attachment's file type. After a double-click, Outlook automatically opens the file with the program registered for that type. Although Outlook blocks known (!) file types classified as unsafe and, for unclassified types, shows a confirmation dialog that takes a second click to open, users should think carefully before pressing the “Open” button on an attachment from an unknown source.
Advanced methods
CPR has identified two attack vectors that go beyond common methods:
Reading emails: This vector, known as “Preview Window,” comes into play whenever users read their emails in Outlook. The threat stems from the processing of various email formats such as HTML and TNEF. It is therefore recommended to configure Outlook to display emails as plain text only; images and links are then not rendered, which degrades the user experience but improves security.
Special objects: This vector exploits specific zero-day vulnerabilities in Outlook, such as CVE-2023-23397. Attackers can abuse Outlook by sending a crafted “reminder” object; the attack is triggered as soon as Outlook is opened and connects to the email server. It is important to note that the user does not even have to read this email for the attack to trigger. This underscores the critical importance of installing updates promptly and using the application with care.
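To make the three vector classes concrete from a defender's side, the following Python script is an added example (not part of CPR's analysis or of this article) that triages a raw RFC 822 message the way a mail gateway or SOC script might: it collects hyperlinks and flags anchors whose visible text is a URL on a different host than the real target (the hyperlink vector), maps each attachment to how Outlook would treat it on double-click using a partial, constructed subset of the documented Level 1 blocked-type list (the attachment vector), and notes HTML bodies and TNEF containers that the preview pane would process (the reading-emails vector). The sample message, the function names and the `BLOCKED_EXTENSIONS` subset are all assumptions made for this example.

```python
"""Added example: triage a raw RFC 822 message against the Outlook attack
vectors discussed above (hyperlinks, attachments, rich-format bodies).
Constructed for illustration; not part of the CPR analysis."""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Partial subset of the "Level 1" file types Outlook blocks outright, taken
# from the publicly documented list (assumption: extend to mirror your policy).
BLOCKED_EXTENSIONS = {
    ".exe", ".bat", ".cmd", ".com", ".js", ".jse", ".vbs", ".vbe", ".wsf",
    ".wsh", ".scr", ".pif", ".hta", ".lnk", ".msi", ".reg", ".cpl", ".chm",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
ANCHOR_RE = re.compile(r"<a\b[^>]*\bhref=[\"']([^\"']+)[\"'][^>]*>(.*?)</a>", re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def extract_links(msg: EmailMessage) -> list:
    """Collect hyperlinks from text/plain and text/html body parts. An HTML
    anchor whose visible text is itself a URL on a different host than the
    real href is flagged as deceptive (the classic phishing pattern)."""
    findings = []
    for part in msg.walk():
        if part.is_attachment():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            for href, inner in ANCHOR_RE.findall(part.get_content()):
                shown = TAG_RE.sub("", inner).strip()
                deceptive = bool(URL_RE.fullmatch(shown)) and _host(shown) != _host(href)
                findings.append({"url": href, "shown_as": shown, "deceptive": deceptive})
        elif ctype == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                findings.append({"url": url, "shown_as": url, "deceptive": False})
    return findings


def classify_attachments(msg: EmailMessage) -> list:
    """Map each attachment to Outlook's double-click behaviour: 'blocked'
    (Level 1 type), 'confirm' (unclassified, Open/Cancel dialog) or 'tnef'
    (winmail.dat container that Outlook parses itself when rendering)."""
    results = []
    for part in msg.walk():
        if not part.is_attachment():
            continue
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        ext = os.path.splitext(name)[1].lower()
        if ctype == "application/ms-tnef" or name.lower() == "winmail.dat":
            category = "tnef"
        elif ext in BLOCKED_EXTENSIONS:
            category = "blocked"
        else:
            category = "confirm"
        results.append({"filename": name, "content_type": ctype, "category": category})
    return results


def triage(raw: bytes) -> dict:
    """Parse a raw message and summarise which vectors it touches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    links = extract_links(msg)
    attachments = classify_attachments(msg)
    html_body = any(p.get_content_type() == "text/html" and not p.is_attachment()
                    for p in msg.walk())
    flags = []
    if any(l["deceptive"] for l in links):
        flags.append("deceptive_hyperlink")
    if any(a["category"] == "blocked" for a in attachments):
        flags.append("blocked_attachment_type")
    if any(a["category"] == "confirm" for a in attachments):
        flags.append("attachment_needs_confirmation")
    if any(a["category"] == "tnef" for a in attachments):
        flags.append("tnef_payload")
    if html_body:  # rendered by the preview pane unless read-as-plain-text is on
        flags.append("html_body")
    return {"links": links, "attachments": attachments, "flags": flags}


def build_sample_message() -> bytes:
    """Constructed sample (not a real capture) that touches every vector."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("Please see https://mail.example.com for details.")
    msg.add_alternative(
        '<p>Sign in at <a href="https://login.example.net/">https://mail.example.com</a></p>',
        subtype="html")
    msg.add_attachment(b"// constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.js")
    msg.add_attachment(b"\x78\x9f\x3e\x22", maintype="application",  # TNEF magic
                       subtype="ms-tnef", filename="winmail.dat")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in triage(build_sample_message())["flags"]:
        print(flag)
```

Run against the constructed sample, the script reports a deceptive hyperlink, a blocked attachment type, a TNEF payload and an HTML body. Note that this works at the MIME level only: the “reminder” object behind CVE-2023-23397 lives in the message's MAPI properties, not in a MIME part, so detecting that class requires inspecting mailbox item properties on the server rather than the transported message.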
A comprehensive technical analysis of the attack vectors can also be found online in the English-language article.
More at Checkpoint.com
About Check Point
Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. Its solutions protect customers from cyberattacks with an industry-leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive “one point of control” security management system. Check Point protects over 100,000 businesses of all sizes.