
Summary
This detection rule targets a specific phishing technique that abuses how Microsoft Outlook for Windows renders HTML in order to mislead users. The tactic embeds a <base> HTML tag configured with a deceptive domain alongside a left-to-right mark (LRM, Unicode U+200E). When users click links formatted this way, the link preview or description shows a visually benign domain, but the click resolves to a malicious or unintended web domain. The technique aims to convince users that they are interacting with a legitimate site, so that they fall victim to credential-phishing attacks. The detection logic uses a regex to match patterns in email content that indicate such exploitation attempts, specifically the presence of the LRM character within the <base> tag together with nearby contextual elements in the HTML body.
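The following Python is an added example of the detection idea described above; it is not the rule's own regex and not code from the rule's author. It scans an HTML body for <base> tags whose markup contains U+200E, reports the href with and without the LRM, and resolves the body's anchor links against the cleaned base so an analyst can see where a click would actually land. The function names, the regexes, and the two sample messages (including the `attacker.invalid` placeholder domain) are constructed for this illustration.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urljoin

# Left-to-right mark, the Unicode format character the technique relies on.
LRM = "\u200e"

# Whole <base ...> tag, case-insensitive, attributes may span lines.
BASE_TAG_RE = re.compile(r"<base\b[^>]*>", re.IGNORECASE | re.DOTALL)
# href attribute value (quoted or bare). Note: \s does not match U+200E,
# because LRM is a format character, not whitespace, so it stays in the capture.
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Anchors with their href and visible text, for the resolution report.
ANCHOR_RE = re.compile(
    r"""<a\b[^>]*href\s*=\s*["']?([^"'\s>]+)[^>]*>(.*?)</a>""",
    re.IGNORECASE | re.DOTALL,
)


def find_suspicious_base_tags(html: str) -> List[Dict[str, str]]:
    """Return every <base> tag whose markup contains the LRM character."""
    hits = []
    for match in BASE_TAG_RE.finditer(html):
        tag = match.group(0)
        if LRM not in tag:
            continue
        href_match = HREF_RE.search(tag)
        href = href_match.group(1) if href_match else ""
        hits.append(
            {
                "tag": tag,
                "href": href,
                # What the base really is once the invisible mark is removed.
                "href_without_lrm": href.replace(LRM, ""),
            }
        )
    return hits


def is_suspicious(html: str) -> bool:
    """True when the body carries at least one LRM-bearing <base> tag."""
    return bool(find_suspicious_base_tags(html))


def resolve_links(html: str) -> List[Tuple[str, str]]:
    """Pair each anchor's visible text with the URL a click would resolve to.

    Relative hrefs are joined against the (LRM-stripped) <base> href, which is
    exactly why a deceptive <base> changes where a benign-looking link goes.
    """
    base = ""
    hits = find_suspicious_base_tags(html)
    if hits:
        base = hits[0]["href_without_lrm"]
    else:
        plain = BASE_TAG_RE.search(html)
        if plain:
            href_match = HREF_RE.search(plain.group(0))
            base = href_match.group(1) if href_match else ""
    resolved = []
    for href, text in ANCHOR_RE.findall(html):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        resolved.append((visible, urljoin(base, href.replace(LRM, ""))))
    return resolved


# Constructed sample bodies (not real captured mail).
BENIGN_SAMPLE = (
    '<html><head><base href="https://example.com/"></head>'
    '<body><a href="/login">example.com/login</a></body></html>'
)
SUSPICIOUS_SAMPLE = (
    '<html><head><base href="https://attacker.invalid/\u200e"></head>'
    '<body><a href="/login">bank.example/login</a></body></html>'
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, "flagged:", is_suspicious(body))
        for visible, target in resolve_links(body):
            print("  link text:", visible, "-> resolves to:", target)
```

A production rule would pair this with the contextual checks the summary mentions (for example, requiring that the body also contain anchors or that the mail originate outside the organisation) to keep the false-positive rate down; this block only demonstrates the core LRM-in-<base> match and the link-resolution consequence.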
Categories
- Endpoint
- Web
- Application
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2023-06-06