Prices for Microsoft Outlook zero-day RCE exploits have risen from $250,000 to $400,000. The price surge is temporary, according to a Thursday post from Zerodium, a provider of high-end, high-dollar bug-bounty programs.
This development follows a report from SpiderLabs on an investigation of a malware campaign, which found multiple emails slipping past the email security system. The published details describe a new way to bypass an Outlook security feature in order to deliver malicious links to victims.
Further investigation of Microsoft Outlook revealed an influx of spear-phishing emails, some of which the email security system allowed through.
Later in the investigation, SpiderLabs found a flaw in how the system parses malicious URLs. According to the disclosed details, this isn’t a detection bypass as such: the link parsers in email security systems simply fail to recognise that the emails contain links at all.
During the research, SpiderLabs discovered a variant of CVE-2020-0696, an issue Microsoft fixed in February 2020. As explained, the Microsoft Outlook security-feature bypass occurs when Outlook parses URI formats incorrectly. To run arbitrary code, an attacker must chain the bypass with another vulnerability, such as an RCE vulnerability.
The original Outlook security-feature bypass allowed an attacker using Outlook for Mac to deliver a clickable, malicious link to Outlook for Windows. Further research, however, indicated that the issue works with both Microsoft Outlook for Mac and Microsoft Outlook for Windows if a genuine URL is hyperlinked with “http:/://maliciouslink”. As a result, Microsoft ATP Safelink and other email-security technologies can be bypassed. The Microsoft O365 “Safelink protection” feature was evaluated first, and the behaviour was then confirmed on numerous email-security systems, SpiderLabs said.
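The parsing problem described above is easy to see in a standard URL library: a scheme written as “http:/://host” yields an empty host, so a filter that keys on the parsed hostname never sees the link. The following Python script is an added example, not code from SpiderLabs, Microsoft or this article; the sample HTML body and the hostname “maliciouslink.example” are constructed. It extracts hyperlinks from an email body, shows what a naive hostname check returns for each, and flags links whose scheme separator is malformed so they can be normalised before the usual reputation or Safe Links checks run.

```python
"""Added example: auditing mail hyperlinks for malformed scheme separators."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (assumption: not taken from any real campaign).
SAMPLE_HTML = """
<p>Please review the <a href="http://example.com/report">quarterly report</a>.</p>
<p>Urgent: <a href="http:/://maliciouslink.example/login">confirm your account</a></p>
"""

# scheme, then one or more "/" or ":" characters that should have been exactly "//"
SCHEME_SEP = re.compile(r"^\s*([a-z][a-z0-9+.\-]*):([/:]+)(.*)$", re.IGNORECASE | re.DOTALL)


class HrefCollector(HTMLParser):
    """Collect every href attribute of <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(html):
    parser = HrefCollector()
    parser.feed(html)
    return parser.hrefs


def naive_host(url):
    """What a simple link filter might do: trust urlparse().netloc.
    For "http:/://host" this is empty, so a hostname-based check sees nothing."""
    return urlparse(url).netloc.lower()


def is_malformed_scheme(url):
    """True when the scheme is followed by something other than exactly '//'."""
    match = SCHEME_SEP.match(url)
    return bool(match) and match.group(2) != "//"


def normalize_url(url):
    """Collapse any run of '/' and ':' after the scheme into a single '://'."""
    match = SCHEME_SEP.match(url)
    if not match:
        return url
    scheme, _, rest = match.groups()
    return f"{scheme.lower()}://{rest}"


def effective_host(url):
    """Hostname a mail client is likely to resolve once the link is clicked."""
    return urlparse(normalize_url(url)).netloc.lower()


def audit_links(html):
    """Return one record per hyperlink: what the naive check saw vs. what the link really targets."""
    rows = []
    for href in extract_hrefs(html):
        rows.append(
            {
                "href": href,
                "naive_host": naive_host(href),
                "effective_host": effective_host(href),
                "malformed": is_malformed_scheme(href),
            }
        )
    return rows


if __name__ == "__main__":
    for row in audit_links(SAMPLE_HTML):
        flag = "FLAG" if row["malformed"] else "ok  "
        print(f'{flag} naive="{row["naive_host"]}" effective="{row["effective_host"]}" {row["href"]}')
```

The point a defender should take from running it: the first link gives the same host from both checks, while the second gives an empty host to the naive check and “maliciouslink.example” only after normalisation. A filter that normalises the separator (or simply rejects links whose scheme is not followed by exactly “//”) before doing hostname lookups closes this gap on the inbound side regardless of which client renders the message.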
Zero-click attacks like this one allow remote code execution as soon as Outlook receives or downloads an email, without the user having to read the message or open an attachment. Exploits that require the email to be opened or read may earn a smaller reward, according to Zerodium.
Aside from the Outlook flaws, Zerodium is also seeking zero-click exploits that achieve RCE in Thunderbird when emails are received or downloaded. To that end, the company has raised the reward for zero-click RCE exploits affecting Mozilla Thunderbird to $200,000.