The Phish Files

Zero-Click Attack: The Terminal Blow to Post-Delivery Email Security

Written by Jeremy Fuchs | Mar 24, 2023 7:36:59 PM

The Check Point and Avanan ethos has always been Prevention First. We explained to customers the importance of blocking attacks before an end-user has a chance to get compromised, and we demonstrated technologies that can only be implemented within a pre-delivery architecture, but last week a new attack on Microsoft 365 really brought this message home.

Microsoft confirmed a zero-click attack in Outlook would compromise the end-user without them doing anything. They don’t need to click a link or respond or even open the email. All they need to do is receive it for the malicious code to compromise the endpoint. (CVE-2023-23397)

Why is this so bad for post-delivery API solutions? Because they cannot do anything about it!

The promise of API-based, post-delivery remediation vendors is this: we can remediate a malicious email before your end-user interacts with it. It doesn’t matter, they’ll say, that the message is delivered. We’re so fast at remediation that the user won’t even know the email was there. Milliseconds, they say.

This has its potential and its uses, but there’s one fatal flaw: Emails that don’t require any interaction by the end user.

This new Microsoft bug, which Avanan customers are protected from, works like this: 

1. Hackers send malicious messages to end-users, typically in the form of a task or calendar invite.

2. These files can have multiple attributes like meeting location, duration, description, reminders and more. It also have the option to use a custom audio file, which looks like this:

 BEGIN:VALARM
ACTION:AUDIO
ATTACH;FMTTYPE=audio/basic:ftp://host.com/pub/sounds/bell-01.aud
END:VALARM

3. This file can be tweaked to become malicious, and that is what the hackers do. The downloading of this file can expose the user's NTLM hashes.

4. As soon as the message is processed by Outlook, the vulnerability is triggered and the NTLM hashes are returned to the sender.

And this is all done without any interaction by the end-user. This process happens as soon as Outlook processes the email. 

In other words, as soon as the email gets into Outlook, it's game over.

For post-delivery remediation services, it’s too late. Even if it takes milliseconds, that’s a millisecond too late, since this happens the very instant the email is received by Outlook.

It doesn’t matter if the message is remediated after it hits the inbox, since the damage has been done as soon as Outlook processes it.

Avanan stops malicious messages before Outlook processes it. So it doesn’t matter whether the user doesn’t have to interact with it or not. We block before that even comes into play. Everyone else relies on Outlook first processing. And again, by that point, it’s too late.

Post-delivery remediation has its place, and in fact, Avanan has this service. There are some key use cases, including links that are weaponized post-delivery, as well as offering an additional layer of protection. But relying on it is not the layered security approach that is required in today’s threat landscape. 

We’ve seen some examples of zero-click attacks come into the wild, and we expect them to rise in frequency. While more technically complicated to execute, once done correctly, they are very hard to stop. A phishing email that doesn’t rely on end-users interacting with it is the ideal next-generation attack.

And relying on post-delivery remediation is simply not enough.