Hello, welcome to the Friday, November 1st, 2019 edition of the Sansonet Storms on us Stormcast.

My name is Johannes Ulrich.

And then I'm recording from Jacksonville, Florida.

Today we got a diary by Jan showing an interesting and somewhat dangerous behavior of Outlook 365 and EML file attachments.

EML files are essentially emails and you probably have seen them if you save an email message.

It often is saved as an email file.

And if they're used as attachment, your mail client may kind of interpret them as an email.

Now, many mail filters are looking at these email files just because they can easily be mistaken

for an actual email message, but apparently Outlook 365 doesn't do so.

Well, Jan looked into what he can do with this behavior as part of a pen test and what he found

a lot of tricks that don't work anymore in a normal email, like for example having one

URL visible to the user and another URL that's actually then

being clicked on, well, that works still as an email attachment and actually you can fake

the from address and Outlook 365 in his case.

He used PayPal, did actually put the PayPal logo right next to the

from address, kind of confirming to the user that this appears to be a valid PayPal email,

which it wasn't.

Jan did notify Microsoft about this behavior, but Microsoft replied that they're not really considering

this security issue since it does rely on social engineering.

And as part of October's patch Tuesday, Microsoft fixed TLS spoofing vulnerability, CVEE 2019, 1318, but apparently

introduced an issue with this patch that causes TLS connections to timeout.

To address this problem, Microsoft published now a knowledge-based article with

...