How to create real phishing emails with the help of Office 365
Everything started a few days ago, when I was looking to attend an upcoming online webinar. So that I would not forget it, the webinar system offered several ways to save the scheduled session as an invitation: via Google Calendar or via Outlook (an .ICS file). As I was sitting at my personal computer at home, I used Google Calendar to save it, but I also saved the .ICS file in order to send it to my Office 365 email account. I did that by simply attaching the .ICS file to a message sent from my Gmail account, so that I could add it to that calendar later.

The next day I opened my Office 365 inbox and noticed something odd: the email from my personal Gmail account wasn't there. In its place was a meeting invitation that appeared to originate from the creator of the .ICS file. I was confused; I had sent a plain email message from my Gmail account with only the .ICS file attached. It turned out that Office 365 had automatically taken the attached .ICS file and converted the email message into a meeting invitation.

Suspicious, but as always willing to investigate, I wondered what more I could do. I was familiar with the structure of an .ICS file, so I decided to play with it a bit more. I altered the .ICS file so that the invitation appeared to come from the Facebook email domain @fb.com, directly from Mark Zuckerberg:

I sent it again from my Gmail account. Bear in mind that the subject of the email is presented as the invitation title.

I believe that the picture below speaks for itself.

As that phishing email came from an external source domain, I wondered whether I could make it appear to come from an email account in the same domain as the recipient. Again I altered the organizer field, and unfortunately the email passed through: not only was it listed as an internal email, but Outlook went the extra mile and automatically resolved the email address to an identity.

Still the question remains: does Microsoft automatically convert .ICS files from all free email providers?
The answer is no. I wasn't able to reproduce this by sending the .ICS file from my Yahoo account or from any other free email provider; it worked only from a Gmail account. I assume the issue lies in the way Microsoft relays email messages from Gmail accounts.
At this point my concerns were higher than before: what if someone had already used this? In corporate environments we can't simply block all .ICS files; that would lead to chaos. We will need to figure out a way around this. Share your thoughts in the comments.
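One way around it that does not involve blocking .ICS files altogether is to inspect the attachment at the mail gateway and compare the ORGANIZER address in the iCalendar data with the address the message was actually sent from; an external sender whose attachment names an internal organizer is exactly the case described above. The following is an added example written for this post, not code from the original article or from Microsoft. It uses only Python's standard library, and the messages it checks are constructed samples with placeholder domains (example.org as the outside sender, corp.example as the protected organization); the finding codes and function names are my own.

```python
"""Flag .ICS attachments whose ORGANIZER does not match the message sender.

Added example: parses the iCalendar ORGANIZER property (RFC 5545) and
compares its domain with the From address. Sample messages are constructed
below with placeholder domains; nothing here is a captured real message.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Set

# Address inside an unfolded ORGANIZER property, e.g.
#   ORGANIZER;CN=Some Name:mailto:someone@example.org
_MAILTO = re.compile(r"mailto:([^\s;,]+)", re.IGNORECASE)


def parse_ics_organizer(ics_text: str) -> Optional[str]:
    """Return the lower-cased ORGANIZER address from iCalendar text, or None.

    RFC 5545 folds long lines by inserting CRLF followed by a space or tab,
    so the folding is undone before the properties are scanned.
    """
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    for line in unfolded.splitlines():
        if line.upper().startswith("ORGANIZER"):
            match = _MAILTO.search(line)
            if match:
                return match.group(1).lower()
    return None


def domain_of(address: str) -> str:
    """Domain part of an e-mail address, lower-cased ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(raw: bytes, internal_domains: Set[str]) -> List[str]:
    """Inspect every text/calendar or *.ics part of a raw RFC 5322 message.

    Finding codes (hypothetical names chosen for this example):
      ORGANIZER_DOMAIN_MISMATCH           organizer domain differs from From domain
      INTERNAL_ORGANIZER_EXTERNAL_SENDER  external sender claims an internal organizer
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = email.utils.parseaddr(str(msg["From"] or ""))[1].lower()
    from_domain = domain_of(from_addr)
    findings: List[str] = []
    for part in msg.walk():
        filename = (part.get_filename() or "").lower()
        if part.get_content_type() != "text/calendar" and not filename.endswith(".ics"):
            continue
        content = part.get_content()
        if isinstance(content, bytes):  # e.g. sent as application/octet-stream
            content = content.decode("utf-8", errors="replace")
        organizer = parse_ics_organizer(content)
        if organizer is None:
            continue
        org_domain = domain_of(organizer)
        if org_domain != from_domain:
            findings.append("ORGANIZER_DOMAIN_MISMATCH")
        if org_domain in internal_domains and from_domain not in internal_domains:
            findings.append("INTERNAL_ORGANIZER_EXTERNAL_SENDER")
    return findings


def build_sample_message(sender: str, organizer: str) -> bytes:
    """Constructed test message (not a real capture): an e-mail with an .ICS attached."""
    ics = "\r\n".join([
        "BEGIN:VCALENDAR",
        "VERSION:2.0",
        "PRODID:-//constructed sample//EN",
        "METHOD:REQUEST",
        "BEGIN:VEVENT",
        "UID:sample-1@example.invalid",
        "DTSTAMP:20190428T120000Z",
        "DTSTART:20190501T090000Z",
        "DTEND:20190501T100000Z",
        "SUMMARY:Quarterly review",
        f"ORGANIZER;CN=Organizer:mailto:{organizer}",
        "END:VEVENT",
        "END:VCALENDAR",
    ]) + "\r\n"
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "employee@corp.example"
    msg["Subject"] = "Quarterly review"
    msg.set_content("Invitation attached.")
    msg.add_attachment(ics, subtype="calendar", filename="invite.ics")
    return msg.as_bytes()


if __name__ == "__main__":
    internal = {"corp.example"}
    spoofed = build_sample_message("someone@example.org", "ceo@corp.example")
    print(check_message(spoofed, internal))  # both finding codes
    genuine = build_sample_message("pm@corp.example", "pm@corp.example")
    print(check_message(genuine, internal))  # []
```

In a real gateway the sender should come from the authenticated envelope (or the verified From after SPF/DKIM/DMARC evaluation) rather than from a header the sender fully controls, and the same comparison can be applied to ATTENDEE lines. The check is deliberately narrow: a mismatch is a signal to quarantine or tag the message for review, not proof of phishing, since legitimate forwarded invitations also carry a foreign organizer.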
Summary
It appears that Microsoft converts the .ICS file only when it is sourced from a Gmail account. It doesn't even matter whether you open it in the web UI (outlook.office365.com) or in your local Outlook application; they both look the same. With the help of social engineering, attackers can easily craft phishing or even spear-phishing attacks that appear 100% real. Sadly, Microsoft did not consider this a weakness in their product.
Timeline
- Issue found and reported to Microsoft on April 28th, 2019
- Microsoft replied back on May 1st, 2019 and it was determined that the submission does not meet the bar for security servicing. No weakness was identified.
Update Dec. 2020:
Such emails now show, for example, “someone@gmail.com on behalf of billgates@microsoft.com”. (Thanks to Stolle)