Microsoft patches Outlook URL formatting bypass

Email security, Application security, Phishing

Microsoft has resealed the seams of its patch of a 2020 Outlook vulnerability after a bypass was found, according to the researcher who found both the original vulnerability and its bypass.

The original vulnerability, CVE-2020-0696, was discovered by Reegun Richard Jayapaul, then of Resecurity and now of Trustwave SpiderLabs. With it, an attacker who wrote a legitimate URL in an email but pointed the link at a second, malformed, malicious URL could evade Microsoft's Safe Links malicious link detection.

Those malformed links could be formatted by replacing "HTTP://" with a number of patterns, including "file://" or "//". Safe Links would not flag the malformed link as a website needing vetting, but Outlook would nonetheless automatically fix the malformed URL so it linked out to its intended address.

Microsoft patched CVE-2020-0696 in 2020. Due to "curiosity and free time during the pandemic" (per Jayapaul's colleague Karl Sigler, SpiderLabs senior research manager), Jayapaul recently revisited the vulnerability. He found a new pattern that evaded detection: replacing "HTTP://" with "HTTP:/://".

Sigler praised Microsoft's response to Trustwave's disclosure.

"Microsoft was responsive and followed up quickly on both the original issue and the secondary bypass," he said.

The bypass is another reminder of timeless email wisdom, said Sigler.

"Don't click on links in emails unless you know exactly where it leads," he said.
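The root cause the article describes is a mismatch between what the link checker sees and what the mail client actually navigates to: the checker skips a link whose scheme is malformed, while the client repairs that scheme and follows it. A defensive link scanner therefore has to canonicalize the href the same lenient way a client might before judging it, and should compare the visible link text against the real destination. The following is an added example written for this article, not Microsoft's or Trustwave's code. The repair rules in `MALFORMED_PREFIX` and `canonicalize` are an assumption about how a lenient client would normalise the three patterns the article names ("file://", "//", "HTTP:/://"); the sample anchors are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample anchors (visible text, href) modelled on the patterns the article names.
SAMPLE_LINKS = [
    ("https://example.com/login", "https://example.com/login"),       # honest link
    ("https://example.com/login", "file://evil.example/phish"),       # CVE-2020-0696 style
    ("https://example.com/login", "//evil.example/phish"),            # CVE-2020-0696 style
    ("https://example.com/login", "HTTP:/://evil.example/phish"),     # the later bypass pattern
]

# Scheme prefixes a lenient client might silently repair into a plain web URL.
# Matches "http://", "https://", "file://", "HTTP:/://", "//" and similar (assumption).
MALFORMED_PREFIX = re.compile(r"^(?:(?:https?|file):/+:?/*|/{2,})", re.IGNORECASE)


def canonicalize(href):
    """Return (scheme_was_malformed, canonical_url) for one href.

    Well-formed http/https links pass through unchanged; anything matching
    MALFORMED_PREFIX is rewritten to the web URL a client would likely open.
    """
    m = MALFORMED_PREFIX.match(href)
    if not m:
        return False, href
    prefix = m.group(0).lower()
    rest = href[m.end():]
    well_formed = prefix in ("http://", "https://")
    scheme = "https" if prefix.startswith("https") else "http"
    return (not well_formed), f"{scheme}://{rest}"


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def assess_link(display_text, href):
    """Classify one anchor.

    Returns (verdict, canonical_url) where verdict is one of:
      'host-mismatch'    visible text is a URL whose host differs from the real target
      'malformed-scheme' href needed repair before it pointed anywhere sensible
      'ok'               nothing suspicious
    The check runs on the canonical form, so a scheme that evades a naive
    string match is still judged by where it really leads.
    """
    malformed, canonical = canonicalize(href)
    shown = display_text.strip()
    if re.match(r"^(?:https?://|www\.)", shown, re.IGNORECASE):
        shown_url = shown if "://" in shown else "http://" + shown
        if host_of(shown_url) != host_of(canonical):
            return "host-mismatch", canonical
    if malformed:
        return "malformed-scheme", canonical
    return "ok", canonical


def scan(links):
    """Assess a list of (display_text, href) pairs."""
    return [assess_link(text, href) for text, href in links]


if __name__ == "__main__":
    for (text, href), (verdict, canonical) in zip(SAMPLE_LINKS, scan(SAMPLE_LINKS)):
        print(f"{verdict:16} {href!r:40} -> {canonical}")
```

The design point is that the verdict is computed on the canonical URL, not on the raw href string, so a new scheme spelling only requires extending the repair rule rather than adding another blocklist entry; the text-versus-target host comparison catches the case the article describes regardless of which prefix was used.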

The Microsoft logo is illuminated at its booth at the GSMA Mobile World Congress 2019 on Feb. 26, 2019, in Barcelona, Spain. (Photo by David Ramos/Getty Images)