In a digital age where communication is largely facilitated by email, the security of email platforms is of paramount importance. Check Point Research (CPR) recently performed a comprehensive analysis of Outlook, the widely used e-mail client in Microsoft Office, and highlighted three main attack types: obvious, normal, and advanced, concerning typical business environments. The research in question was done on the latest version of Outlook 2021 (Windows desktop version) with the latest security updates installed as of November 2023 in typical/default Outlook + Exchange Server environments.
With this attack vector, attackers send emails containing malicious links.
Simply clicking on these hyperlinks can lead users to phishing sites, launch browser exploits, or even launch highly technical zero-day exploits. Despite its apparent simplicity, the security risks lie in browsers rather than Outlook itself. Outlook prioritizes usability and recognizes that confirming every click on a hyperlink would be impractical. In this context, CPR recommends relying on robust browsers and paying attention to phishing attacks.
Normal: An attachment attack vector
Attackers exploit the common behavior of users who open email attachments. When a user double-clicks an attachment, Outlook tries to invoke the default application for that file type in Windows. The security risk depends on the robustness of the application registered for the attached file type. If a file type is marked as “unsafe”, Outlook will block it. In case the files are not classified, users are asked to confirm by double-clicking. In this case, you must pay extra attention and avoid automatically clicking the “Open” button on attachments from untrusted sources.
Advanced: Attack vectors to read emails and special objects
This category was further divided into: Email Reading Attack Vector and Outlook Special Object Attack Vector. The first, also known as a “Preview Pane” attack, poses a threat when users are reading emails in Outlook. Vulnerabilities can occur when handling different email formats such as html and tnef. For added security, CPR recommends configuring Outlook to read only plain text emails, although this may affect usability as links and images may not be visible. However, the Outlook special object attack vector involves exploiting a zero-day vulnerability, as in CVE-2023-23397. Cybercriminals can compromise Outlook by sending a malicious “reminder” object that triggers the vulnerability when a user opens Outlook and connects to the email server. In particular, the victim does not need to read the email for the attack to be triggered. This highlights the importance of timely security updates and prudent usage practices.
Protecting Outlook users in light of the above requires a multifaceted approach, reiterates Cpr. People should avoid clicking on unknown links, be wary of opening attachments from untrusted sources, and always update the Microsoft suite to the latest versions and updates. In this regard, Check Point solutions, including Check Point Email Security & Collaboration Security can protect against these vectors. Designed specifically for cloud-based email environments, Harmony Email & Collaboration offers complete protection for Microsoft 365, Google Workspace, and all collaboration and file-sharing applications, and is the only solution that can prevent threats from reaching your inbox and not just responding to or detecting them.
