Zerodium Spikes Payout for Zero-Click Outlook Zero-Days

Zerodium has jacked up its offering price for Microsoft Outlook zero-day exploits.

Act fast if you have the goods and the moral equanimity to make up to $400,000 for a zero-click, remote-code execution (RCE) exploit.

The price spike is only temporary, with the end date still to be determined, according to a Thursday post from Zerodium: runner of high-end, high-dollar, third-party bug-bounty programs.

“We are temporarily increasing our payout for Microsoft Outlook RCEs from $250,000 to $400,000. We are looking for zero-click exploits leading to remote code execution when receiving/downloading emails in Outlook, without requiring any user interaction such as reading the malicious email message or opening an attachment. Exploits relying on opening/reading an email may be acquired for a lower reward.” –Zerodium

As well, Zerodium has increased payout to $200,000 for zero-click, RCE exploits affecting the Mozilla Thunderbird browser.

Similar to the Outlook exploits it’s hunting for, Zerodium is looking for zero-click exploits that can achieve RCE in Thunderbird when targets are receiving or downloading emails, all without users having to lift a finger.

We're currently paying up to $200,000 per exploit for Mozilla Thunderbird RCEs.

We're also (temporarily) increasing our bounty for MS Outlook RCEs to $400,000 (from $250,000).

More details at: https://t.co/VL04uBvgUj

— Zerodium (@Zerodium) January 27, 2022

“Zero-click” means that targets neither have to read a malicious email message nor open a rigged attachment. Zerodium said that it might still want to purchase those “they need to click” exploits, too – that is, for a lower price.

The Trigger

Zerodium’s newly keen zeal for Outlook exploits came on the same day that Trustwave SpiderLabs published details about a new way to bypass an Outlook security feature to deliver malicious links to victims.

As SpiderLabs lead threat architect Reegun Richard Jayapaul explained yesterday, he discovered the issue after coming across several emails bypassing the email security system while he was investigating a malware campaign. He didn’t see any bypass techniques being used, though. “Instead, the flood of spear-phishing emails made the email security system allow some of the emails, at which point I began my research on Microsoft Outlook,” he wrote.

SpiderLabs found that the specially crafted malicious link parsing on the security system was weak. “This is not about detection bypass; it is more about the link parser of the email security systems that cannot identify the emails containing the link,” Jayapaul said.

It turns out that SpiderLabs found a variation of a vulnerability, tracked as CVE-2020-0696, that Microsoft initially dealt with in February 2020.

The security feature bypass vulnerability occurs in Microsoft Outlook when it improperly handles the parsing of URI formats. Successful exploitation requires an attacker to use the bypass in conjunction with another vulnerability, such as a RCE vulnerability, before they could run arbitrary code.

Because of improper hyperlink translation, the initial Outlook security feature bypass allowed an attacker using Outlook for Mac to completely bypass Outlook’s email security systems and send a clickable, malicious link – SpiderLabs used the example below – to a victim on Outlook for Windows.

http://trustwave[.]com with hyperlinked file:///malciouslink

The maliciously crafted link initially only seemed to work if the attacker uses Microsoft Outlook for Mac and their intended victim is on Microsoft Outlook for Windows.

Exploitable on Windows and Mac Outlook Clients

However, as SpiderLabs researchers later came to find out, the vulnerability can be exploited on both Windows and macOS Outlook client if a legitimate link is hyperlinked with “http:/://maliciouslink.”Jayapaul explained that the email system strips out the “:/” characters and deliver the link as “http://maliciouslink,” bypassing Microsoft ATP Safelink and other email security products.

“As per the CVE-2020-0696 patch, links with URI schemes will alert as a warning popup; also ‘:/’ characters are stripped when delivered to users,” the researcher explained – an SpiderLabs had originally found that when sending the http://trustwave[.]com with hyperlinked file:///malciouslink vector with hyperlink file:///trustwave.com, the email is delivered on the victim’s’ Microsoft Outlook for Windows’ as file:///trustwave.com,” SpiderLabs explained. “The link file:///trustwave.com then translates to http://trustwave.com after clicking.

“During this transmission from sender to receiver, the link file:///trustwave.com is not recognized by any email security systems and is delivered to the victim as a clickable link.”

The initial test was done on Microsoft M365 security feature “Safelink protection” and later tested and confirmed on multiple email security systems, SpiderLabs confirmed.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.