Microsoft Outlook has recently emerged as a potential vector for remote code execution, thanks to a new post-exploitation framework named Specula, unveiled by cybersecurity firm TrustedSec. This innovative command-and-control (C2) framework exploits a vulnerability in Outlook, specifically CVE-2017-11774, which is a security feature bypass that was patched back in October 2017.
Exploiting the Vulnerability
According to Microsoft, the vulnerability can be exploited in a file-sharing attack scenario: an attacker crafts a malicious document file designed to take advantage of the flaw and persuades the user to open and interact with it. Microsoft mitigated the original issue by removing the user interface for configuring Outlook home pages, but the underlying feature was not removed, so an attacker can still set a harmful home page directly through Windows Registry values. This still works on the latest Office 365 builds.
TrustedSec explains that Specula operates entirely within Outlook's own process context. By pointing a custom Outlook home page at an attacker-controlled, interactive Python web server through registry keys, it turns the mail client into a C2 channel. Because the relevant keys live in the user's own hive, a non-privileged attacker can manipulate Outlook's WebView registry entries located at
The attacker-controlled Outlook home page is engineered to serve custom VBScript files, enabling the execution of arbitrary commands on compromised Windows systems. TrustedSec noted, “We have been able to leverage this specific channel for initial access in hundreds of clients despite the existing knowledge and preventions available for this technique.”
When a custom home page is established via the outlined registry keys, Outlook will download and display the HTML page instead of the usual mailbox elements such as inbox or calendar. This allows the execution of VBScript or JScript within a privileged context, granting nearly full access to the local system as if using
Although a device must first be compromised to set the Outlook Registry entry, once established, this technique can be utilized for persistence and lateral movement across other systems. Given that
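A defender's counterpart to the technique above, added here as an example and not taken from TrustedSec or the article: a PowerShell check that enumerates Outlook's WebView registry keys in the current user's hive and reports any folder whose home page has been redirected to a URL. The two key locations below are an assumption about where Outlook and Group Policy store home-page overrides; adjust them to whatever Microsoft documents for the Office version you run. The script only reads the registry; the remediation line at the end is commented out and should be run only after the value is confirmed to be unauthorised.

```powershell
# Added example (not from TrustedSec or the article): hunt for Outlook home-page
# (WebView) URL overrides of the kind Specula sets.
# Assumption: Outlook reads home-page overrides from
#   HKCU:\Software\Microsoft\Office\<ver>\Outlook\WebView\<Folder>
# and Group Policy may place an equivalent copy under
#   HKCU:\Software\Policies\Microsoft\Office\<ver>\Outlook\WebView\<Folder>
# where each <Folder> key (Inbox, Calendar, ...) carries a string value named "URL".

$roots = @(
    'HKCU:\Software\Microsoft\Office\*\Outlook\WebView',
    'HKCU:\Software\Policies\Microsoft\Office\*\Outlook\WebView'
)

$findings = foreach ($root in $roots) {
    # The wildcard covers every installed Office version; SilentlyContinue skips
    # versions that have no WebView key at all.
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props.PSObject.Properties.Name -contains 'URL' -and $props.URL) {
            [pscustomobject]@{
                PSPath = $_.PSPath
                Folder = $_.PSChildName
                URL    = $props.URL
                # A remote http(s) page is the indicator to chase. A legitimately
                # admin-deployed page should already be on an allow-list.
                Remote = [bool]($props.URL -match '^https?://')
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'No Outlook WebView URL overrides found in HKCU.'
} else {
    $findings | Format-Table -Property Folder, Remote, URL, PSPath -AutoSize
}

# Remediation, once a value is confirmed unauthorised: delete the override so
# Outlook renders the folder normally again, then investigate how it was written,
# because the registry change is the post-exploitation step, not the initial access.
# foreach ($f in $findings | Where-Object Remote) {
#     Remove-ItemProperty -Path $f.PSPath -Name 'URL'
# }
```

Run it in the context of the user whose Outlook profile is in question (the values are per-user, so an admin session on the same machine will not see another user's HKCU hive). In a fleet, the same query is worth scheduling through your EDR or a logon script and alerting on any non-empty result.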
This vulnerability is not new; U.S. Cyber Command (US CyberCom) had previously warned about the risks associated with CVE-2017-11774, which was exploited to target U.S. government agencies. Security researchers from Chronicle, FireEye, and Palo Alto Networks later associated these attacks with the Iranian-sponsored APT33 cyber espionage group.
FireEye cybersecurity researchers noted, “FireEye first observed APT34 use CVE-2017-11774 in June 2018, followed by adoption by APT33 for a significantly broader campaign beginning in July 2018 and continuing for at least a year.”