How did hacker cause link to delete and archive containing email?

PeterH

New Member
Outlook version
Outlook 2016 32 bit
Email Account
Office 365 Exchange
I am an experienced software developer cognizant of phishing schemes. I didn't think I could fall for one, but I lost my focus for a minute and clicked on a hyperlink in email from a (very clever) hacker. That took me to a website with MS login credentials at which point I immediately closed the browser realizing it was a hack.

Somehow this must have run something because the e-mail then appeared as deleted and archived (i.e., under deleted items where you click "recover items recently removed from this folder").

I want to understand: from clicking on this hyperlink and website referral how did the hacker delete and archive the e-mail in my desktop Outlook?

I program in JavaScript and understand what web scripts can and cannot do, but I do not know what hyperlinks in e-mails can do. Any ideas on how this was done so I can prevent it and gauge if anything else was done.

When I tried to forward the e-mail as an attachment to report it as abuse, my outgoing advanced e-mail security (Proofpoint) would not allow it to be delivered, so clearly it sees the e-mail itself contains an exploit, but where?

(Obviously I changed my password, verified no external logins and had already implemented MFA and scanned for viruses')

Thx
 

Diane Poremsky

Senior Member
Outlook version
Outlook 2016 32 bit
Email Account
Office 365 Exchange
It's not unusually for hackers to delete mail in the inbox after they gain access - the link would have went to a fake site, where they trick you into entering your credentials then they run the script on the mailbox.

If you didn't log in, the script should not have deleted the mail.

BTW, if you haven't changed your password, do it now - and enable 2 factor authentication.
 

PeterH

New Member
Outlook version
Outlook 2016 32 bit
Email Account
Office 365 Exchange
Thanks but that is why I wrote the post. Upon clicking on the link and getting a fake login box, I immediately closed the browser. I then closed the e-mail and after that found it deleted. So, how could that have happened? How could clicking on the link have run a script that affected desktop Outlook.

As mentioned at the end of my original post, I changed my password and already had MFA... I need to understand how a hyperlink in Outlook or a script run in a browser can cause an e-mail to be deleted (and archived) in desktop Outlook. That is the question.
 

Diane Poremsky

Senior Member
Outlook version
Outlook 2016 32 bit
Email Account
Office 365 Exchange
It was only the spam message that was deleted, not all of your mail? Are you sure you didn't hit delete? You would have needed to Shift+Delete to get it into the recovery folder though, unless the message was in the junk email folder.

You'd really need to open it (preferably on a VM) and watch / monitor it to see what it does - any scripts would be in the inet cache.
 

PeterH

New Member
Outlook version
Outlook 2016 32 bit
Email Account
Office 365 Exchange
Thx, that's what I would have thought too, which is why I was reaching out to an expert.

Yes, only that one e-mail deleted. Message was not in junk-mail -- came from trusted contact who had been compromised. Yes, I'm 100% sure I didn't delete it and I didn't even know about Shift-Delete, so positive. I have my browser (Firefox) set to delete cache on close, so no help there. My particular model of Dell-SSD dies on use of VM and I don't really have an extra machine where I'm willing to risk trying this again in some sort of sandbox, but I suppose that's the only way. I looked at "view source" in the e-mail and see nothing but ordinary HTML. I checked to make sure I don't have any add-ins that I didn't expect -- all vanilla (Acrobat, Norton, Microsoft VBA, Microsoft Teams, OneNote). I also verified my rules to make sure it didn't add any. I do not know of any kind of JavaScript invoked only from navigating to website that could affect desktop Outlook and can't seem to find any info on Google. I do not have an browser extensions except Norton, Cisco (required by Firefox) and a cookie manager. But clearly something ran only on click of hyperlink or navigation to website, which was hosted on github.io. (I informed their abuse contact.)

Interestingly, my overnight Office 365 spam digest contained the very e-mail in quarantine that had been delivered normally this afternoon. I have never seen that occur either. It's either in quarantine or delivered-- and time sent matches exactly.

I now vaguely recall reading some warning about the OneNote add-in being hijacked, it was a long time ago (hopefully patched by now). I googled this and don't see any reported OneNote vulnerabilities after 2014. I'm current on all security releases. Running Outlook 2102. Big mystery. Really bugs me not knowing how this was done, even in theory, and what else it could have done. Please let me know if anything comes to mind. Thx
 

Diane Poremsky

Senior Member
Outlook version
Outlook 2016 32 bit
Email Account
Office 365 Exchange
>>
I do not know of any kind of JavaScript invoked only from navigating to website that could affect desktop Outlook and can't seem to find any info on Google.
>>

There are some exploits - actually many exploits - that only work if the user opens a specially crafted file - but none I'm aware of do anything like this with just visiting a webpage (although the page could run javascript) - they usually infect the machine, not outlook.

For example -

>>
Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.
>>

All published vulnerabilities are here:
 

PeterH

New Member
Outlook version
Outlook 2016 32 bit
Email Account
Office 365 Exchange
Interesting, thx. Since my version and updates are all current, the vulnerability in the first link would be patched. On the second link there are so many; hard to know where to look. I searched for Outlook, but none came up that way. This morning I had a new idea. I could use my .Net web scrape software (HTML Agility Pack) to download the "inner html" (including JS) from the linked URL without fear of executing it, so I could examine any scripts. Unfortunately (or fortunately) I had filed an abuse claim yesterday against the hacker who was using "github.io" to base his/her attack. By this morning, the site has been taken down.

But of this I can be sure: after I clicked on the link and saw a fake Microsoft login box come up in my Firefox browser, I closed the browser at the outer close button (not anywhere in the tab), so it's not as if I clicked on a fake close button. I don't see how I could have given it permission to download anything. Firefox would have sent any downloads to the download folder, but nothing there. I know in my ASP web software, I can invoke a download with a command: "response.write", but as you point out exactly, it requires the user to give permission to launch it. I don't see how I could have launched any form of file, which has me spooked. Without being able to examine that site, I think at this point my trail has run dry, but thank you for your insights.

I have observed that "advanced email security" (Proofpoint in my case) did and would have caught this e-mail from getting through (and would have prevented the sender from sending it). I have implemented this or similar service for my clients, but didn't put it in for myself arrogantly thinking I would never been fooled into clicking on a rogue link given my 41 years in IT. I'm implementing it now as clearly it is possible for anyone to lose focus and it is also possible for scripts to contain vulnerabilities I don't fully understand.
 
Similar threads
Thread starter Title Forum Replies Date
M Recent Update Did not Fix Search Problems Using Outlook 7
Horsepower Where did Evenote come from? Using Outlook 6
N linking an already sent/rec'd email to contact record like it did in 2000 Using Outlook 0
L Outlook clients did not reconnect to Exchange when one CAS server in CAS array became unresponsive Exchange Server Administration 1
T Where did my categorized emails go? Using Outlook 1
T Outlook 2013: How did "Inbox" emails jump straight to the "Recover Deleted Items" Folder? Using Outlook 2
P Your message did not reach some or all of the intended recipients. Using Outlook 2
C Your message did not reach some or all of the intended recipients. Using Outlook 2
H Hotmail set not to delete from other accounts, but did. Settings in Outlook? Using Outlook.com accounts in Outlook 0
D business contact manager did not install with outlook 7 BCM (Business Contact Manager) 2
A COM add-in causes Outlook 2007 to periodically crash where it did not in Outlook 2003 Outlook VBA and Custom Forms 3
M BCM did not install BCM (Business Contact Manager) 1
ManaarZakaria I'm afraid of this issue, cause of strange error Exchange Server Administration 2
R Would creating a new profile cause Outlook to download all the old mails from the server? Using Outlook 1
Britonius Locate Cause of Deleted Meeting Using Outlook 0

Similar threads

Top