Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag
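The exploit involves tricking Outlook for Windows into displaying a fake domain while opening another one. This is achieved by adding a <base> HTML tag with a fake domain and a left-to-right mark (Unicode U+200E). Links within <a> tags will display the fake domain but open the actual domain when clicked on.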
Sublime rule
name: "Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag"
description: |
  The exploit involves tricking Outlook for Windows into displaying a fake domain while opening another one. This is achieved by adding a <base> HTML tag with a fake domain and a left-to-right mark (Unicode U+200E). Links within <a> tags will display the fake domain but open the actual domain when clicked on.
references:
  - "https://twitter.com/ldionmarcil/status/1665732725767122946?s=20"
type: "rule"
severity: "medium"
# Matches inbound mail whose raw HTML has "base", up to 100 characters,
# then U+200E (LRM) immediately before the closing "/>".
source: |
  type.inbound
  and regex.contains(body.html.raw, 'base.{0,100}\x{200E}/>')
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Exploit"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
id: "160cc681-dfb3-5820-aa03-37f0289bd0e2"
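
The rule's match condition, reproduced as an added Python example (not part of the Sublime rule or the original page) and run over constructed sample bodies. The helper names `rule_matches` and `audit_base_tags` and the `example.com` hosts are assumptions for illustration; the parser-based audit goes beyond the rule by returning the offending <base> value with the mark made visible for triage.

```python
import re
from html.parser import HTMLParser

LRM = "\u200e"  # left-to-right mark, the character the rule looks for

# Python spelling of the rule's pattern 'base.{0,100}\x{200E}/>'
RULE_RE = re.compile("base.{0,100}\u200e/>")


class BaseTagAudit(HTMLParser):
    """Collect every attribute value of every <base> tag in an HTML body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.base_values = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags via handle_startendtag.
        if tag == "base":
            self.base_values.extend(v for _, v in attrs if v)


def rule_matches(html_body):
    """True when the raw body matches the rule's regex."""
    return RULE_RE.search(html_body) is not None


def audit_base_tags(html_body):
    """Return <base> attribute values containing LRM, escaped for display."""
    parser = BaseTagAudit()
    parser.feed(html_body)
    parser.close()
    return [v.replace(LRM, "<U+200E>") for v in parser.base_values if LRM in v]


# Constructed sample bodies (not taken from a real message).
SAMPLES = {
    "lrm_in_base": f"<html><head><base href=https://login.example.com{LRM}/></head>"
                   '<body><a href="/reset">Reset password</a></body></html>',
    "plain_base": '<html><head><base href="https://login.example.com/"/></head>'
                  '<body><a href="/reset">Reset password</a></body></html>',
    "lrm_in_text": f"<html><body><p>Invoice 42{LRM} attached</p>"
                   '<a href="https://example.com/">Open</a></body></html>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, rule_matches(body), audit_base_tags(body))
```

An LRM in ordinary body text, as in the `lrm_in_text` sample, triggers neither check, because both require the mark to sit inside a base tag.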