UPDATED 16:05 EDT / DECEMBER 06 2023

SECURITY

New research highlights difficulty of preventing Outlook security exploits

Haifei Li, a principal vulnerability researcher at Check Point Software Technologies Ltd., examines the universe of Microsoft Outlook exploits in a new blog post this week that has lessons for users and security managers alike.

Li divides this collection into three parts: embedded malicious hyperlinks, malware-laced attachments and more specialized attack vectors. He has investigated many of these cases personally, using the most recent versions of the Windows Outlook client and Exchange servers for his testing.

Outlook exploits, given the client's widespread use, continue to grab headlines, even older ones that haven't been diligently patched or that resurface in new variations. One such case was reported this past week by Bleeping Computer, in which Russian state-sponsored attackers leveraged a flaw that Microsoft had patched in March.

The first category, malicious hyperlinks, forms the foundation of all phishing emails, not to mention other vectors such as SMS text messages. "For this attack vector, the attacker basically uses emails as a bridge to perform web-based attacks, whether they are social-engineering-based phishing attacks, browser exploits, or even highly technical browser zero-day exploits," Li wrote. That means a user simply has to click on the link to launch a web browser, which is where the exploit actually begins.

The second category, attachments, is also very familiar to users, and the success of the exploit depends on whether a user clicks once or several times on the attached file. Outlook does mark some files as unsafe or risky file types, and Microsoft offers several suggestions on how to process them more securely.

Li describes several scenarios, depending on what file type is attached, where it originated and which security features Microsoft provides to prevent malware infections. He has assembled a very thorough collection of use cases, differentiating between previewing the file and clicking on it to run the associated application directly. This is the meat of Li's post and can be useful for security managers to review in order to understand the various modalities.

The third category is where things get interesting. These attacks can succeed when a user simply reads the message, without clicking on anything, and are sometimes referred to as "preview pane" attacks because the user is previewing the message passively. SiliconANGLE covered one such zero-click attack that was discovered last month, when users received a seemingly innocuous email message asking recipients to update their Microsoft Outlook settings.

Li develops a scoring scheme for each of the variations of Outlook attacks. “When we assess the risk for an exploit delivered via the Outlook attack vectors, we need to assess the whole picture,” he wrote. “We need not just consider the Outlook attack scenario discussed in this paper, but also the exploit itself, including the difficulty of developing the exploit.”

That illustrates that securing Outlook isn't such a simple task. Figuring out the relationships among the underlying operating system, whether it be Windows or something else, the default web browser, and how a user interacts with all of these components is difficult, which is why attackers can succeed at delivering malware to a user's device.
