ATP not scanning Subject Line for Hyperlinks
Hi,

I recently reported an issue with the Office 365 ATP not scanning subject lines (or re-writing the URL). I reported this to MSRC, and they acknowledged the report; however, they responded that this was "By Design". This to me is a gaping security hole for a product that you assume protects the subject along with the body of the organisation's email.

Basically, I potentially could place a link to a malicious file/exploit framework in the subject of an email (even using link shortening, such as bit.ly) and this link / URL will be completely ignored by the paid-for Advanced Threat Protection.

I have been successful in proving this both in Outlook 2013 and 2016 on Windows. It has also been tested on Outlook for Mac, where this appears to not be a problem as the link is not clickable. I am seeing the same results in OWA. This leads me to believe the issue is two-fold: initially ATP is not scanning the Subject line, which wouldn't be a problem if the Outlook Client didn't make the potentially malicious URL clickable.

So to highlight and demonstrate, I did the following:

Went to http://bitly.com and shortened the URL http://www.practical365.com to give me: https://bit.ly/2KFzhZP

I logged into my personal Gmail account and created an email to send to my Work e-mail account (Office 365 E3 with EMS E5 and Office 365 ATP), here is what was delivered:

If I hover the cursor over the URL, it is NOT re-written, and this is the case if I do not use a URL shortening tool also. Upon double clicking the URL, my web browser helpfully sprung to life and promptly displayed the http://www.practical365.com site.

Please let me know if you have this issue or have come across similar.

Thanks
Paul
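The gap described in the post (Safe Links leaving Subject-line URLs untouched while the Outlook client still renders them clickable) can be covered by a compensating check at the mail-flow stage that inspects the decoded Subject header for URLs and treats shortened links as the highest-risk case. The script below is an added example written for this page; it is not code from the original post, from Microsoft, or from the ATP product. The sample messages, the shortener list, and the function names are all constructed for the example, and the RFC 2047 handling shows why a naive string match on the raw header is not enough.

```python
"""Flag e-mail Subject headers that carry URLs (added example, constructed data)."""
import re
from email import message_from_string
from email.header import decode_header, make_header
from typing import Dict, List

# Generic URL matcher: scheme://host or a bare www. host (constructed, not vendor logic).
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")

# Link shorteners the check treats as higher risk (hypothetical list; extend as needed).
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "goo.gl"}


def decode_subject(raw_subject) -> str:
    """Decode RFC 2047 encoded words so an encoded Subject is inspected in clear text."""
    if raw_subject is None:
        return ""
    return str(make_header(decode_header(raw_subject)))


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL, tolerating a missing scheme."""
    stripped = re.sub(r"(?i)^https?://", "", url)
    return stripped.split("/", 1)[0].split(":", 1)[0].lower()


def scan_subject(raw_message: str) -> Dict[str, object]:
    """Parse a raw RFC 5322 message and report any URLs found in its Subject."""
    msg = message_from_string(raw_message)
    subject = decode_subject(msg.get("Subject"))
    # Strip trailing punctuation that is part of the sentence, not the link.
    urls: List[str] = [u.rstrip(".,;:!?)") for u in URL_RE.findall(subject)]
    shortened = [u for u in urls if host_of(u) in SHORTENER_HOSTS]
    if shortened:
        verdict = "quarantine"   # shortened link in the Subject: destination is hidden
    elif urls:
        verdict = "flag"         # any link in a Subject is unusual and worth review
    else:
        verdict = "pass"
    return {"subject": subject, "urls": urls, "shortened": shortened, "verdict": verdict}


# Constructed sample messages mirroring the scenario in the post (placeholder link).
SAMPLE_SHORTENED = (
    "From: sender@example.com\r\n"
    "To: user@example.org\r\n"
    "Subject: Invoice https://bit.ly/EXAMPLE\r\n"
    "\r\n"
    "Body text without links.\r\n"
)

# Same idea with the Subject RFC 2047 Q-encoded; a raw string match would miss the URL.
SAMPLE_ENCODED = (
    "From: sender@example.com\r\n"
    "To: user@example.org\r\n"
    "Subject: =?utf-8?q?See_www.example.com_now?=\r\n"
    "\r\n"
    "Body text without links.\r\n"
)

SAMPLE_CLEAN = (
    "From: sender@example.com\r\n"
    "To: user@example.org\r\n"
    "Subject: Quarterly report\r\n"
    "\r\n"
    "Body text without links.\r\n"
)

if __name__ == "__main__":
    for name, raw in (("shortened", SAMPLE_SHORTENED),
                      ("encoded", SAMPLE_ENCODED),
                      ("clean", SAMPLE_CLEAN)):
        result = scan_subject(raw)
        print(f"{name:10s} verdict={result['verdict']:10s} urls={result['urls']}")
```

The check deliberately runs on the decoded header, because a Subject can arrive as an RFC 2047 encoded word that looks nothing like a URL until it is decoded; hooking this logic into a transport rule or a mailbox-scanning job gives you a signal for Subject-line links regardless of whether the vendor product rewrites them.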