Microsoft Defender for Office 365 Exposes Bad Links in Email Preview
Recent Change Opens Door to Malicious Links Viewed in Email Preview
I receive many messages from readers about different aspects of Microsoft 365. To be honest, I usually don’t have much time to devote to these queries unless it’s an interesting topic. Hearing about a Microsoft 365 component that allows administrators to click links that are known to lead to bad destinations certainly fell into that category, especially when the communication comes from an experienced Security Operations (SecOps) practitioner.
Threat Explorer and Message Views
The Threat Explorer is part of Microsoft Defender for Office 365. It’s a tool to help the SecOps team understand the level of threat flowing into a tenant through email. The Explorer has multiple views that allow administrators to select different sets of messages, such as malicious messages blocked for different reasons. An All Email view is also available to show both bad and good messages delivered to a tenant. Even though it shows “all email,” this view could do with some filtering because it includes messages like public folder hierarchy synchronization traffic.
Figure 1 shows the Threat Explorer listing messages blocked for phishing. The details of the selected message are shown in the right-hand panel. The message purports to come from Charles Schwab. Two of the URLs in the message are for the real Charles Schwab site. The other is planted to bring unsuspecting users to the attacker’s site.

Using Email Entity and Email Preview for Investigations
The Threat Explorer also includes several tools to help SecOps investigate threats. To learn more about a bad message, an investigator can open the email entity, which shows further detail about the message and any attachments. One of the options that then becomes available in the Take Action menu is to view an email preview. Seeing how a malicious message presents itself to a recipient is invaluable information because it reveals how the attacker sets their trap for the unwary.
In this instance, the malicious message looks as if it could have come from the purported sender (Figure 2). The real links to pages on the Charles Schwab site are mixed in with the links to the attacker’s site (accessed from the Review Now button and Log In link).

Here’s where the strange aspect arises. The links to the attacker’s site are live and can be clicked to bring the investigator to that site. On the one hand, this seems reasonable because an investigator is doing their job to follow the trail as far as possible. Skilled investigators will protect their workstations against malicious attack and will take great care when accessing bad links.
The problem is not with security investigators. It arises when people who are possibly less skilled with security tools and forensics, or less aware of how malware can infect a workstation, click a live and potentially dangerous link. Clicking a link opens a connection between the workstation and the target site. Because the email preview page uses an https://security.microsoft.com/emailpreview URL, VPN backhauling is often bypassed, and the traffic goes directly to the attacker’s site.
Recent Change Enabled Bad Links in Email Preview
The odd thing is that Microsoft appears to have enabled the ability to use these links only recently. In the past, Defender used two versions of the email preview page: one was static without links; the other showed link details when you hovered over a link, but the link was not clickable. Microsoft’s documentation makes no mention of the danger of clicking active links to attacker sites, and there’s no trace that I can find of an announcement explaining why Defender now enables malicious links. Given Microsoft’s current focus on tightening security in every product, it just doesn’t make sense to make it easier for people to connect to sites that Defender has (usually correctly) identified as problematic and a potential source of infection.
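The safer of the two earlier designs described above (the link target is visible on hover, but nothing is clickable) amounts to a defanging pass over the message HTML before the preview is rendered. The Python below is an added example written for this post; it is not Microsoft's code and says nothing about how Defender implements its preview. The sample message, the domains in it and the `defanged-link` class name are constructed for illustration. Links lose their `href` and gain a `title` holding the defanged target, anything that fetches or executes (`src`, `action`, inline `on*` handlers, `<script>`, `<iframe>`) is stripped, and the original targets are collected separately so an analyst still sees where each link pointed.

```python
"""Defanged email preview renderer (added example, not Defender's own code).

Turns an HTML message body into a static preview in which link targets are
readable on hover but cannot be clicked, and no element can trigger a
network request or run script. The sample message at the bottom is
constructed for this example.
"""
from html import escape
from html.parser import HTMLParser

# Elements removed together with their content: they only carry active code
# or remote content and contribute nothing to "how the message looks".
DROP_TAGS = {"script", "style", "iframe", "object", "embed", "noscript"}
# Attributes that can start a network request or execute script.
ACTIVE_ATTRS = {"href", "src", "action", "formaction", "poster", "background", "srcset"}


def defang_url(url: str) -> str:
    """Make a URL readable but not auto-linkable (hxxp:// and [.] convention)."""
    url = url.strip()
    lowered = url.lower()
    if lowered.startswith("https://"):
        return "hxxps://" + url[8:].replace(".", "[.]")
    if lowered.startswith("http://"):
        return "hxxp://" + url[7:].replace(".", "[.]")
    return url.replace(".", "[.]")


class PreviewSanitizer(HTMLParser):
    """Rewrites HTML into a preview with no live links and no active content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []            # sanitized HTML fragments
        self.links = []          # (anchor text, original target) for the analyst
        self._skip_depth = 0     # > 0 while inside a dropped element
        self._anchor = None      # state for the <a> currently being rewritten

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        attrs = dict(attrs)
        if tag == "a":
            target = attrs.get("href") or ""
            self._anchor = {"target": target, "text": []}
            # The target is shown on hover only; there is no href to click.
            self.out.append(f'<span class="defanged-link" title="{escape(defang_url(target))}">')
            return
        kept = []
        for name, value in attrs.items():
            if name.startswith("on") or name in ACTIVE_ATTRS:
                continue  # drop event handlers and anything that fetches
            if name == "style" and value and "url(" in value.lower():
                continue  # CSS background images also fetch remote content
            kept.append(f' {escape(name)}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth:
            return
        if tag == "a" and self._anchor is not None:
            self.links.append(("".join(self._anchor["text"]).strip(), self._anchor["target"]))
            self._anchor = None
            self.out.append("</span>")
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth:
            return
        if self._anchor is not None:
            self._anchor["text"].append(data)
        self.out.append(escape(data))


def render_preview(html_body: str):
    """Return (sanitized_html, [(anchor_text, original_target), ...])."""
    parser = PreviewSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.links


# Constructed sample: one genuine-looking link, one lure, a tracking pixel and a script.
SAMPLE_MESSAGE = """<html><body>
<p>Dear client, your account needs attention.</p>
<a href="https://bank.example/about">About us</a>
<a href="https://login-verify.example/verify" onclick="track()">Review Now</a>
<img src="https://login-verify.example/pixel.gif" width="1" height="1">
<script>document.location='https://login-verify.example/';</script>
</body></html>"""

if __name__ == "__main__":
    preview, links = render_preview(SAMPLE_MESSAGE)
    print(preview)
    for text, target in links:
        print(f"{text!r} -> {defang_url(target)}")
```

The rendered preview still shows the Review Now text where the recipient would see it, but the only place the attacker's address appears is a defanged `title` attribute, so neither an accidental click nor a browser's auto-linking can open a connection from the analyst's workstation.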
My correspondent told me that he reported the issue to Microsoft. The support response was that the links are protected by the Safe Links feature and no problems arise if you use a private browsing session or replace Edge with Firefox. It’s a curiously passive position that basically says that it’s OK to keep dangerous stuff around if you take steps to protect yourself. Safe Links allowed me to click the bad link today. Enough said.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.