Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag

The exploit involves tricking Outlook for Windows into displaying a fake domain while opening another one. This is achieved by adding a <base> HTML tag with a fake domain and a left-to-right mark (Unicode U+200E). Links within <a> tags will display the fake domain but open the actual domain when clicked on.

Sublime rule

name: "Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag"
description: |
    The exploit involves tricking Outlook for Windows into displaying a fake domain while opening another one. This is achieved by adding a <base> HTML tag with a fake domain and a left-to-right mark (Unicode U+200E). Links within <a> tags will display the fake domain but open the actual domain when clicked on.
references:
  - "https://twitter.com/ldionmarcil/status/1665732725767122946?s=20"
type: "rule"
severity: "medium"
source: |
  type.inbound
  // this regex contains a Unicode U+200E character (may not be visible in many clients)
  and regex.contains(body.html.raw, 'base.{0,100}‎/>')
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Exploit"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
id: "160cc681-dfb3-5820-aa03-37f0289bd0e2"
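The detection logic of the rule above, re-implemented in Python as an added example (not Sublime's own code) so the invisible U+200E character can be written as a visible escape and exercised against constructed sample bodies. It assumes that Python's default regex semantics (`.` not matching newlines) match the Sublime regex dialect; the function names and the sample HTML are constructed for this example.

```python
import re

# The left-to-right mark the rule looks for, written as an escape so it is visible.
LRM = "\u200e"

# Same pattern as the rule's regex.contains(body.html.raw, 'base.{0,100}<LRM>/>'):
# the literal "base", up to 100 arbitrary characters, the LRM, then "/>".
BASE_LRM_RE = re.compile(r"base.{0,100}" + LRM + r"/>")


def contains_lrm_base_tag(html: str) -> bool:
    """Return True when the raw HTML carries a <base ...LRM/> tag, as the rule checks."""
    return BASE_LRM_RE.search(html) is not None


def find_lrm_base_tags(html: str) -> list[str]:
    """Return every matched fragment with the LRM rendered as '<U+200E>' for logging/triage."""
    return [m.group(0).replace(LRM, "<U+200E>") for m in BASE_LRM_RE.finditer(html)]


# Constructed sample bodies (hypothetical, not taken from any real message).
# A normal self-closing <base> tag with no LRM must not fire the rule.
BENIGN_HTML = (
    '<html><head><base href="https://example.com/"/></head>'
    '<body><a href="/login">Sign in</a></body></html>'
)
# A <base> tag with the LRM immediately before "/>" is what the rule matches.
SUSPICIOUS_HTML = (
    '<html><head><base href="https://example.com/"' + LRM + "/></head>"
    '<body><a href="login">Sign in</a></body></html>'
)


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, contains_lrm_base_tag(body), find_lrm_base_tags(body))
```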