Check Point Research (CPR) conducted a comprehensive analysis on ‘Outlook’, the desktop app in the Microsoft office suite, providing deeper insights into attack vectors, aiding both users and the security industry in understanding and mitigating potential risks.

CPR will examine the attack vectors in three categories: the “obvious” Hyperlink attack vector, the “normal” attachment attack vector, and the “advanced” attack vector regarding Outlook email reading and special objects.

• This research is instrumental as it contributes to a broader industry understanding of the potential risks associated with Outlook and helps to enhance our security products. By comprehending the intricacies of these attacks, we can pioneer cutting-edge prevention technologies tailored for our customers.

Background

In the digital age, where communication is largely facilitated through email, the security of email platforms is of paramount importance. Check Point Research recently conducted a comprehensive analysis of Outlook, the widely used email client in Microsoft Office, shedding light on three major attack vectors: the Obvious, the Normal, and the Advanced. In this paper, we will discuss the various attack vectors on Outlook, for typical enterprise environments. We act like the average user – we click and double-click on things in Outlook – as our daily work requires, and we examine the security risks they may introduce from a security research perspective.

Please note that the discussed research in this paper was performed on the latest Outlook 2021 (desktop version on Windows), with the latest security updates installed as of November 2023, in typical/default Outlook + Exchange Server environments.

The Obvious: Hyperlink Attack Vector

In this attack vector, attackers send emails containing malicious web hyperlinks. A simple click on these links can lead users to phishing sites, initiate browser exploits, or even trigger highly technical zero-day exploits. Despite the apparent simplicity, the security risks lie more in the browsers than in Outlook itself. Outlook prioritizes usability, recognizing that confirming every hyperlink click would be impractical. Users are advised to rely on robust browsers and exercise caution against phishing attacks

The Normal: Attachment Attack Vector

Attackers leverage the normal behavior of users opening email attachments. When a user double-clicks on an attachment, Outlook attempts to call the default application for that file type on Windows. The security risk depends on the robustness of the registered application for the attachment file type. If the file type is marked as “unsafe,” Outlook blocks it. In the case of unclassified file types, users are prompted to perform two clicks for confirmation. It is crucial for users to exercise caution and avoid easily clicking the “Open” button for attachments from untrusted sources

The Advanced: Email Reading and Special Objects Attack Vectors

Email Reading Attack Vector

Also known as the “Preview Pane” attack, this vector poses a threat when users read emails in Outlook. Vulnerabilities may arise during the processing of different email formats, such as HTML and TNEF. The recommendation for enhanced security is to configure Outlook to read only plain text emails, even though it may impact usability since links and pictures may not be seen in such plain text emails.

Outlook Special Objects Attack Vector

This advanced attack vector involves exploiting zero-day vulnerabilities, as seen in the case of CVE-2023-23397. Attackers can compromise Outlook by sending a malicious “reminder” object, triggering the vulnerability when the user opens Outlook and connects to the email server. Notably, the victim may not even need to read the email for the attack to be triggered. This emphasizes the importance of timely security updates and cautious usage practices.

Conclusion and Protection Measures

In conclusion, protecting Outlook users requires a multifaceted approach. Users should avoid clicking on unknown links, exercise caution when opening attachments from untrusted sources, and always keep Microsoft’s office suite up to date to its latest versions and updates.

Check Point Research’s comprehensive analysis provides deeper insights into these attack vectors, aiding both users and the security industry in understanding and mitigating potential risks.

All discussed attack vectors in this paper are monitored and protected by Check Point solutions including Check Point Email Security & Collaboration Security. Harmony Email & Collaboration provides complete protection for Microsoft 365, Google Workspace and all your collaboration and file-sharing apps. Harmony Email & Collaboration is designed specifically for cloud email environments and is the ONLY solution that prevents, not just detects or responds to, threats from entering the inbox.

Harmony Endpoint provides comprehensive endpoint protection at the highest security level while XDR/XPR quickly identifies the most sophisticated attacks by correlating events across your entire security estate and combining with behavioral analytics, real time proprietary threat intelligence from Check Point Research and ThreatCloud AI, and third-party intelligence.

Threat Emulation as well as Check Point gateways provide superior security beyond any Next Generation Firewall (NGFW). Best designed for Zero Day protection, these gateways are the best at preventing the fifth generation of cyber attacks with more than 60 innovative security services.

Check Point Research proactively hunts Outlook and email related attacks in the wild. As a leading security company, Check Point continues to develop innovative detection and protection technologies for customers around the world.