New Specula Tool Turns Outlook into a C2 Server via Registry Exploit

Cybersecurity firm TrustedSec has introduced a new tool named Specula, which leverages a longstanding vulnerability in Microsoft Outlook to turn it into a Command and Control (C2) server. This discovery has raised significant concerns within the cybersecurity community, exposing a critical vulnerability in many corporate networks.

All about Spectra Tool

Specula uses a subtle Registry modification to alter Outlook’s behavior, enabling it to function as a beaconing C2 agent. Despite being a known technique, it often goes unaddressed by organizations. TrustedSec’s release of Specula seeks to highlight this vulnerability and encourage stronger preventive measures.

The exploitation of the Outlook home page feature was first reported under CVE-2017-11774.

Despite Microsoft issuing patches to remove the UI elements for setting a custom home page, the underlying Registry values are still operational.

This allows attackers to set a custom home page via Registry keys, enabling the execution of malicious scripts within Outlook. When set, Outlook downloads and displays an HTML page instead of the standard mailbox elements.

This HTML page can run VBScript or JScript in a privileged context, giving attackers significant control over the system. Specula automates this process, facilitating continuous command execution without manual intervention.

Preventing Home Page Attacks

To mitigate this threat, TrustedSec suggests the following measures:

Upgrade to the New Outlook: The latest version doesn’t support COM extensions, eliminating this exploit vector.
Disable VBScript: Future Windows 11 versions will allow the removal of the VBScript engine, reducing this risk.
Use Group Policy Object (GPO): Configure GPO to disable WebView and block custom home pages.
Utilize the Microsoft Security Compliance Toolkit: This toolkit can secure Outlook’s web engine, preventing script execution.