
SANS ISC: Outlook Client Vulnerability and Spring Cleaning SANS ISC InfoSec Forums

Outlook Client Vulnerability and Spring Cleaning

Outlook 'From' Header Spoofing



The researchers at iDEFENSE have discovered an interesting little bug in the
Microsoft Outlook and Outlook WebAccess email client applications. If an
email is constructed so that the "From:" header contains multiple senders,
the Outlook clients will only display the first sender. Unfortunately, this
provides yet another way that phishers can spoof the apparent sender of fraudulent
scam emails and make them seem more legitimate. [Of course, legitimate
organizations don't send emails that encourage you to click links to enter
personal data or to apply software updates to your system in the first place!]



To read more about the details, visit the




I've cobbled up a Snort signature that might work for this too:


alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (sid:2005040901; rev:1; \
msg:"[ISC] Possible MS Outlook email From forgery attempt"; \
content: "From|3a| "; nocase; \
pcre: "/[_\.\w\d]+@[_\.\w\d]+.*,.*[_\.\w\d]+@[_\.\w\d]+/imGR"; \
flow: to_server, established; )
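
The same check can also be made on the mail gateway with a real header parser. The following is an added example, not part of the original diary or of the iDEFENSE advisory; the sample messages are constructed and the function name check_from is an assumption.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (illustrative, not real traffic).
SAMPLES = {
    "single": "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n",
    "quoted_comma": 'From: "Doe, John" <john@example.com>\nSubject: hi\n\nbody\n',
    "multi": ("From: support@bank.example, someone@elsewhere.example\n"
              "Subject: Account update\n\nbody\n"),
    "multi_folded": ("From: Support <support@bank.example>,\n"
                     " someone@elsewhere.example\n"
                     "Subject: Account update\n\nbody\n"),
    "multi_with_sender": ("From: a@example.com, b@example.com\n"
                          "Sender: a@example.com\n"
                          "Subject: minutes\n\nbody\n"),
}


def check_from(raw_message):
    """Return the first mailbox, any further mailboxes, and findings."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    # getaddresses() understands quoted display names and folded lines,
    # so a comma inside "Doe, John" is not counted as a separator.
    mailboxes = [addr for _name, addr in getaddresses(from_headers) if addr]
    findings = []
    if len(mailboxes) > 1:
        findings.append("multiple mailboxes in From")
        # RFC 2822 section 3.6.2 requires a Sender header in this case.
        if msg.get("Sender") is None:
            findings.append("no Sender header")
    return {
        "first": mailboxes[0] if mailboxes else None,  # what the client shows
        "others": mailboxes[1:],                       # what it does not show
        "findings": findings,
    }


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_from(raw))
```

A multi-address From: with a Sender: header is legal mail, so the "no Sender header" finding is the stronger signal for quarantine or tagging.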


Spring Cleaning



It was a pretty slow day here at the ISC, which means that most of our readers
were out enjoying the spring weather; at least those in the northern hemisphere
where it's actually springtime. In the traditional spirit of spring cleaning,
now is a great time to do some of those little tasks that many people tend to
put off until too late. Check your backups! Go on, try to restore some files.
Testing things before you need them is a great idea. If you don't have
backups, now is a great time to make some. Modern hard drives have large
capacities and are relatively inexpensive. A nice spring treat might be to get
yourself a new one, copy all your data to it, and put your old one in a nice
safe spot in the closet. You might also want to crawl under your desk and tap
the test button on your UPS, just to see if it still works. Also, blowing all
the dustbunnies out of your equipment is a wise move.
Erik

Apr 9th 2005
