Cybersecurity firm TrustedSec has introduced a new tool named Specula, which leverages a longstanding vulnerability in Microsoft Outlook to turn it into a Command and Control (C2) server. This discovery has raised significant concerns within the cybersecurity community, exposing a critical vulnerability in many corporate networks.
All About the Specula Tool
Specula uses a subtle Registry modification to alter Outlook’s behavior, enabling it to function as a beaconing C2 agent. Despite being a known technique, it often goes unaddressed by organizations. TrustedSec’s release of Specula seeks to highlight this vulnerability and encourage stronger preventive measures.
The exploitation of the Outlook home page feature was first reported under CVE-2017-11774.
Despite Microsoft issuing patches to remove the UI elements for setting a custom home page, the underlying Registry values are still operational.
This allows attackers to set a custom home page via Registry keys, enabling the execution of malicious scripts within Outlook. When set, Outlook downloads and displays an HTML page instead of the standard mailbox elements.
This HTML page can run VBScript or JScript in a privileged context, giving attackers significant control over the system. Specula automates this process, facilitating continuous command execution without manual intervention.
Preventing Home Page Attacks
To mitigate this threat, TrustedSec suggests the following measures:
- Upgrade to the New Outlook: The latest version doesn’t support COM extensions, eliminating this exploit vector.
- Disable VBScript: Future Windows 11 versions will allow the removal of the VBScript engine, reducing this risk.
- Use Group Policy Object (GPO): Configure GPO to disable WebView and block custom home pages.
- Utilize the Microsoft Security Compliance Toolkit: This toolkit can secure Outlook’s web engine, preventing script execution.
Identifying Home Page Attacks
Organizations should monitor Registry URL values related to Outlook’s WebView feature, such as:
HKCU\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox
HKCU\Software\Microsoft\Office\16.0\Outlook\WebView\Calendar
HKCU\Software\Microsoft\Office\16.0\Outlook\WebView\Contacts
and similar keys for other Outlook versions. The release of Specula highlights the need for heightened cybersecurity vigilance.
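A read-only audit of the WebView values listed above, as an added example (not TrustedSec's or Microsoft's code). It walks every user hive loaded under HKEY_USERS rather than only the caller's HKCU, and reads the value named `URL` under each WebView folder key; the function name and output property names are made up for this sketch.

```powershell
# Added example: list Outlook WebView (home page) URL values for every user
# hive currently loaded on this host. It only reads the registry.
function Get-OutlookWebViewUrl {
    [CmdletBinding()]
    param(
        # HKEY_USERS holds one subkey per loaded profile (named by SID).
        [string]$HiveRoot = 'Registry::HKEY_USERS'
    )

    foreach ($userHive in Get-ChildItem -Path $HiveRoot -ErrorAction SilentlyContinue) {
        $officeRoot = "$($userHive.PSPath)\Software\Microsoft\Office"
        if (-not (Test-Path -Path $officeRoot)) { continue }

        # One subkey per Office version (16.0 on the page, others use similar keys).
        foreach ($version in Get-ChildItem -Path $officeRoot -ErrorAction SilentlyContinue) {
            $webView = "$($version.PSPath)\Outlook\WebView"
            if (-not (Test-Path -Path $webView)) { continue }

            # One subkey per Outlook folder: Inbox, Calendar, Contacts, ...
            foreach ($folder in Get-ChildItem -Path $webView -ErrorAction SilentlyContinue) {
                $url = $folder.GetValue('URL')   # $null when the value is absent
                if ([string]::IsNullOrWhiteSpace($url)) { continue }

                [pscustomobject]@{
                    UserSid       = $userHive.PSChildName
                    OfficeVersion = $version.PSChildName
                    Folder        = $folder.PSChildName
                    Url           = $url
                    KeyPath       = $folder.Name
                }
            }
        }
    }
}

# Every row is a folder whose home page has been set and should be reviewed.
Get-OutlookWebViewUrl | Format-Table -AutoSize -Wrap
```

Profiles that are not logged on do not have their hive loaded under HKEY_USERS, so run this per session or pair it with Registry change auditing on the same key paths.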