Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag
The exploit involves tricking Outlook for Windows into displaying a fake domain while opening another one. This is achieved by adding a
Sublime rule (View on GitHub)
1name: "Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag"
2description: |
3 The exploit involves tricking Outlook for Windows into displaying a fake domain while opening another one. This is achieved by adding a <base> HTML tag with a fake domain and a left-to-right mark (Unicode U+200E). Links within <a> tags will display the fake domain but open the actual domain when clicked on.
4references:
5 - "https://twitter.com/ldionmarcil/status/1665732725767122946?s=20"
6type: "rule"
7severity: "medium"
8source: |
9 type.inbound
10 // this regex contains a Unicode U+200E character (may not be visible in many clients)
11 and regex.contains(body.html.raw, 'base.{0,100}/>')
12attack_types:
13 - "Credential Phishing"
14tactics_and_techniques:
15 - "Evasion"
16 - "Exploit"
17detection_methods:
18 - "Content analysis"
19 - "HTML analysis"
20 - "URL analysis"
21id: "160cc681-dfb3-5820-aa03-37f0289bd0e2"