Microsoft leaves security hole in Office 365

Scammers can add Calendar invitations to your Outlook calendar without permission – what's the risk and how to fix it

Scammers can inject Calendar invitations without permission – getting rid of them is a two-step process

Scammers can spam e-mail invitations to an appointment, and these are automatically placed in your Outlook Calendar as tentative, i.e. not yet accepted, before you have done anything with them.

Microsoft has left a hole in Outlook on Office 365 big enough to drive a truck through, and that truck can carry a virus or a Trojan horse.

Invitations could carry harmful viruses. Microsoft not only fails to protect you from them; it doesn't seem to care. I found references to the problem in the Microsoft knowledge base going back to Office 2007.

Since May 1st I have received 16 of these scam invitations, more than I got from January to April 2013. I would assume the exploit is ramping up for a major attack on Office users.

Why Microsoft has left users unprotected from the exploit on its premium Office 365 product is a mystery.

The Calendar exploit starts with an e-mail invitation; the case described here was received on Office 365 with the Office 2010 Professional client.

Spam email invitation – deletion leaves the calendar object in place

Spam Calendar invitation waiting to infect your computer before deletion

If you delete the spam invitation from your e-mail, the appointment stays in the Calendar. Deleting the message is only the first step.

It will then pop up in Outlook Calendar asking you to accept the invitation. Don't accept it, obviously.

The second step is to delete the appointments manually. Search through your Calendar for tentative invitations you did not ask for and delete them.

If you use multiple calendars, it can be an annoying amount of manual work.
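Doing that second step by hand across several calendars is where most people give up, so here is a script that does the sweep. It is an added example and not part of the original post: it drives the installed Outlook client through its COM interface, lists every received meeting request that is still tentative or unanswered in every calendar folder of the profile, and only deletes when you ask it to. The function names, the -TrustedDomains parameter and the domain in the usage line are this example's own.

```powershell
# Added example, not code from the original post. Walks every calendar folder in
# the Outlook profile (default, secondary and shared calendars) and lists, or with
# -Delete removes, received meeting requests that are still tentative or
# unanswered: the placeholders that stay behind after the invitation e-mail is
# deleted. Requires Outlook on the machine; function and parameter names and the
# domain in the usage line are this example's own assumptions.

$olAppointmentItem      = 1   # OlItemType.olAppointmentItem
$olMeetingReceived      = 3   # OlMeetingStatus.olMeetingReceived
$olResponseTentative    = 2   # OlResponseStatus.olResponseTentative
$olResponseNotResponded = 5   # OlResponseStatus.olResponseNotResponded

function Get-CalendarFolders {
    # Recurse a folder tree and return every folder whose default item type is
    # an appointment, so secondary calendars are covered as well as the default.
    param([Parameter(Mandatory)] $Folder)
    if ($Folder.DefaultItemType -eq $olAppointmentItem) { $Folder }
    foreach ($sub in $Folder.Folders) { Get-CalendarFolders -Folder $sub }
}

function Get-OrganizerAddress {
    # Internal organizers come back as Exchange users (use the SMTP address);
    # external ones carry a plain SMTP address; fall back to the display name.
    param([Parameter(Mandatory)] $Item)
    try {
        $entry  = $Item.GetOrganizer()
        $exUser = $entry.GetExchangeUser()
        if ($exUser) { $exUser.PrimarySmtpAddress } else { $entry.Address }
    } catch { $Item.Organizer }
}

function Get-UnansweredMeetingRequests {
    param(
        [string[]] $TrustedDomains = @(),   # organizers in these domains are skipped
        [switch]   $Delete
    )
    $outlook = New-Object -ComObject Outlook.Application
    $session = $outlook.GetNamespace('MAPI')
    $trusted = if ($TrustedDomains) {
        '@(' + (($TrustedDomains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
    }

    foreach ($store in $session.Stores) {
        foreach ($cal in (Get-CalendarFolders -Folder $store.GetRootFolder())) {
            # Snapshot the matches first: deleting while enumerating Items skips entries.
            $suspects = @($cal.Items | Where-Object {
                $_.MeetingStatus -eq $olMeetingReceived -and
                ($_.ResponseStatus -eq $olResponseTentative -or
                 $_.ResponseStatus -eq $olResponseNotResponded)
            })
            foreach ($item in $suspects) {
                $organizer = Get-OrganizerAddress -Item $item
                if ($trusted -and $organizer -match $trusted) { continue }
                [pscustomobject]@{
                    Calendar  = "$($store.DisplayName)\$($cal.Name)"
                    Start     = $item.Start
                    Subject   = $item.Subject
                    Organizer = $organizer
                    Deleted   = $Delete.IsPresent
                }
                if ($Delete) { $item.Delete() }   # moves to Deleted Items, not purged
            }
        }
    }
}

# Review the list first; run again with -Delete once it contains only junk.
Get-UnansweredMeetingRequests -TrustedDomains 'contoso.example' | Format-Table -AutoSize
# Get-UnansweredMeetingRequests -TrustedDomains 'contoso.example' -Delete
```

Run it without -Delete first: legitimate invitations you simply have not answered yet look exactly like the spam to this script, which is why the allow-list of organizer domains exists and why deletion goes to Deleted Items rather than being permanent.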

Even if people know about the potential risk, how many people are going to check the Calendar regularly for spam?

A further risk is that the invitation sometimes seems to create a tentative contact as well, leaving the Outlook file open to later attacks.

Microsoft knows about the exploit but has not announced a fix. Over on the Microsoft Support site, the suggestions ranged from the ludicrous (scrubbing Outlook Exchange Server mail through a Gmail account) to turning off automatic acceptance. The exploit works even with the automatic-processing option switched off.

Outlook 365 Options – turn off automatic acceptance of meeting invitations

An obvious fix would be to make the Options setting actually work, or to add an exclusion that refuses all appointments from senders not in your Contacts folder.
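The Outlook option shown above only governs what the Outlook client does with a request. Exchange Online also runs a server-side Calendar Attendant, and its AutomateProcessing setting, which defaults to AutoUpdate for user mailboxes, is what writes the tentative copy onto the calendar when the request arrives, which is consistent with the behaviour above surviving the client option. The check and the change below are an added example, not from the original post; they assume the ExchangeOnlineManagement PowerShell module and an account with Exchange admin rights, and the addresses are placeholders.

```powershell
# Added example, not from the original post. Inspect and change the server-side
# Calendar Attendant setting for a mailbox. Assumes the ExchangeOnlineManagement
# module is installed and the caller has Exchange admin rights; both addresses
# below are placeholders.

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$mailbox = 'user@contoso.example'

# Weak (default) state: AutoUpdate means the attendant places every incoming
# request on the calendar as tentative before the user has looked at it.
Get-CalendarProcessing -Identity $mailbox |
    Select-Object Identity, AutomateProcessing

# Corrected state: None stops the attendant from touching the calendar at all;
# requests stay in the Inbox and nothing is booked until the user accepts.
Set-CalendarProcessing -Identity $mailbox -AutomateProcessing None

# Verify the change took effect.
(Get-CalendarProcessing -Identity $mailbox).AutomateProcessing

# To apply it to every user mailbox in the tenant rather than one:
# Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
#     Set-CalendarProcessing -AutomateProcessing None
```

The trade-off is that with AutomateProcessing set to None, tentative meetings no longer show in the user's free/busy time and every invitation has to be accepted from the message itself, so it suits users who are being flooded rather than the whole organisation by default.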

While I have not received any invitations with attachments, it's an easy jump for scammers to add an attachment with an embedded virus, which apparently goes undetected by Microsoft.

One user expressed his frustration with the lax controls in Office 365.

“Dang. The answer was helpful, but not what I wanted to hear! All a virus writer has to do is zip the virus EXE and it will fly right by FOPE (Microsoft Forefront Online Protection for Exchange). And here I thought Office 365 email was supposed to be secure!”

“The zip was not even password-protected. Not scanning a password-protected zip file’s contents makes sense, but it does not make sense not to scan at least one level deep in unprotected zip files looking for infected EXE files.”

If any one has found a reasonable fix, please post a comment.
