Hello, welcome to the Friday, June 19th, 2020 edition of the Sand Center at Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Jan today discovered an interesting bug in Microsoft Outlook that could potentially make fishing a little bit easier.

The problem here is if you have an image tag within your email, so it's an HTML email,

there's an image tag that's empty, so it's just simple, less than IMG, greater than.

This image tag is inside an A tag with HRF pointing to an untrusted website.

So by itself, that wouldn't really be all that dangerous because this image doesn't really

exist and it's sort of impossible to click on that link. Now the tricky part here is if

this link is followed by another normal link,

then if you forward the email, Outlook will swap the link and will insert the untrusted link

where the trusted link used to be. So the risk here, which isn't huge, but it's there, is that if you forward an email, you

think the email is harmless, the link looked good, you forward the email, but then by forwarding

the email, it's actually being rewritten.

Now, it's not really clear why Outlook does that.

My guess is that I've seen some more issue. Now it's not really clear why Outlook does that.

My guess is that I've seen similar issues with HTML email where the mail reader, in this case Outlook, wanted to make sure that the email you're sending actually is properly

formed.

So this empty image tag is invalid and then Outlook essentially

fixed it for us. This actually sometimes is done to prevent cross-site scripting vulnerabilities

and such because it's really hard to validate the HTML that's not properly formed. So a lot of the libraries

that check for cross-site scripting will first check for invalid HTML, remove it, fix it,

and then validate the email. So it could be an artifact that's sort of caused by this logic.

...