Office365 ATP Outlook
ATP not scanning Subject Line for Hyperlinks
Hi, I recently reported an issue with Office 365 ATP not scanning subject lines (or re-writing the URL). I reported this to MSRC, and they acknowledged the report; however, they responded that this was "By Design".

This to me is a gaping security hole for a product that you assume protects the subject along with the body of the organisation's email. Basically, I potentially could place a link to a malicious file/exploit framework in the subject of an email (even using link shortening, such as bit.ly) and this link/URL will be completely ignored by the paid-for Advanced Threat Protection.

I have been successful in proving this both in Outlook 2013 and 2016 on Windows. It has also been tested on Outlook for Mac, where this appears not to be a problem, as the link is not clickable. I am seeing the same results in OWA. This leads me to believe the issue is twofold: initially, ATP is not scanning the subject line, which wouldn't be a problem if the Outlook client didn't make the potentially malicious URL clickable.

So to highlight and demonstrate, I did the following:

1. Went to http://bitly.com and shortened the URL http://www.practical365.com to give me: https://bit.ly/2KFzhZP
2. Logged into my personal Gmail account and created an email to send to my work e-mail account (Office 365 E3 with EMS E5 and Office 365 ATP). Here is what was delivered:

If I hover the cursor over the URL, it is NOT re-written, and this is the case if I do not use a URL shortening tool also. Upon double-clicking the URL, my web browser helpfully sprung to life and promptly displayed the www.practical365.com site.

Please let me know if you have this issue or have come across similar.

Thanks
Paul
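The gap described in the post is that links in the Subject header are neither scanned nor rewritten, so a compensating check has to look at the subject itself. The following is an added example, not code from the original post or from Microsoft: a small Python script, using only the standard library, that parses a raw RFC 5322 message, decodes the Subject header (including RFC 2047 encoded-word subjects), pulls out any URL-looking tokens, and flags known link-shortener hosts. The shortener list, the verdict labels and the sample messages are constructed for illustration; the bit.ly link and the practical365.com URL are the ones quoted in the post. Such a check could run in a mail-flow hook or over exported message headers in a SIEM.

```python
"""Flag URLs that appear in the Subject header of raw email messages.

Added example (not from the original post). Compensates for the gap where
the subject line is not scanned and links in it are not rewritten.
The shortener list and the sample messages below are constructed.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed list of common link-shortener hosts; extend for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Match http(s) URLs, www.* hosts, and bare shortener paths such as bit.ly/abc.
_HOST_ALT = "|".join(re.escape(h) for h in sorted(SHORTENER_HOSTS))
URL_RE = re.compile(rf"(?i)\b(?:https?://|www\.|(?:{_HOST_ALT})/)[^\s<>\"']+")


def extract_subject_urls(raw_message: str) -> list[str]:
    """Return every URL-looking token in the decoded Subject header."""
    # policy.default unfolds the header and decodes =?charset?q?...?= words,
    # so an encoded-word subject cannot hide a link from this check.
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    # Trailing punctuation is usually sentence structure, not part of the URL.
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(subject)]


def classify_url(url: str) -> str:
    """Label a URL as 'shortener' if its host is a known link shortener."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    if host in SHORTENER_HOSTS or any(host.endswith("." + s) for s in SHORTENER_HOSTS):
        return "shortener"
    return "url"


def scan_message(raw_message: str) -> dict:
    """Scan one raw message; verdicts are constructed labels for this example."""
    findings = [{"url": u, "kind": classify_url(u)} for u in extract_subject_urls(raw_message)]
    if any(f["kind"] == "shortener" for f in findings):
        verdict = "quarantine"   # shortened link in subject: destination unknown
    elif findings:
        verdict = "review"       # plain link in subject: not rewritten, so review
    else:
        verdict = "clean"
    return {"findings": findings, "verdict": verdict}


# Constructed sample messages (sender/recipient addresses are placeholders).
SAMPLE_PLAIN = """\
From: sender@example.com
To: recipient@example.org
Subject: Please review https://bit.ly/2KFzhZP before Friday
Content-Type: text/plain

Body text.
"""

# Same link, but the subject is an RFC 2047 Q-encoded word.
SAMPLE_ENCODED = """\
From: sender@example.com
To: recipient@example.org
Subject: =?utf-8?q?Urgent:_https://bit.ly/2KFzhZP?=
Content-Type: text/plain

Body text.
"""

SAMPLE_DIRECT = """\
From: sender@example.com
To: recipient@example.org
Subject: See http://www.practical365.com.
Content-Type: text/plain

Body text.
"""

SAMPLE_CLEAN = """\
From: sender@example.com
To: recipient@example.org
Subject: Weekly status report
Content-Type: text/plain

Body text.
"""

if __name__ == "__main__":
    for name, sample in [("plain", SAMPLE_PLAIN), ("encoded", SAMPLE_ENCODED),
                         ("direct", SAMPLE_DIRECT), ("clean", SAMPLE_CLEAN)]:
        print(name, scan_message(sample))
```

The encoded-word sample matters in practice: a check that greps the raw header bytes for "http" would miss it, while decoding through the email parser first sees the same link the Outlook client renders.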