How I used HOXINSERT in an attack vector against Outlook Web App (OWA) and Windows

Post hero image

Table of contents

See Hoxhunt in action
Drastically improve your security awareness & phishing training metrics while automating the training lifecycle.
Get a Demo

Recently, I created my version of NSA’s AotS QUANTUMINSERT attack. The technique uses a combination of phishing, HTML smuggling, and status bar bugs in email clients to trick targeted users into interacting with malicious content. When a user hovers over a link in an email, the status bar displays a trusted URL.

However, upon clicking, a different URL hosted on a malicious server—HOXACID—is requested. HTML smuggling is used to deliver malicious payloads, while the bugs in email clients allow for status bar manipulation, which misleads users into trusting and clicking the malicious link. I called it HOXINSERT.

I tested it across various platforms, including the popular Outlook Web App. My goal was to build practical attack vectors, show how they work in a real-world context, and share my findings with the community, hoping to create a better understanding and stronger defenses against such threats.

To prepare for the attack, I needed a target and context about the target. I needed to create the phishing email, create the payload, and set up HOXINSERT.

I won’t go into detail about all the required steps as the main purpose of this article is to show you what HOXINSERT looks like and what can be achieved with it.

Please note that while the examples given are based on real-world scenarios, all activities were conducted in a controlled environment, and no actual harm was done. The target used was a demo account, and all actions were purely for illustrative purposes.

‍[.c-cta-box][.c-cta-content][.c-title-wrapper][.c-title]Wait![.c-title][.c-title-wrapper][.c-paragraph-wrapper][.c-paragraph]Did you miss how I created my version of NSA’s AotS QUANTUMINSERT attack?[.c-paragraph][.c-paragraph-wrapper][.c-button-wrapper][.c-button]Read the article before moving forward[.c-button][.c-button-wrapper][.c-cta-content][.c-cta-box]

Step 1: How I picked a target

First, I needed to select a target and find some information I could use against them in my attack. I prefer any piece of information that the target company’s employees would think isn’t available to people outside the targeted company. Not necessarily trade secrets but services the employees use daily, which might not be apparent to outsiders. Example services could be Teams, Slack, or rocket.chat and password managers like LastPass, 1Password, or Dashlane. Images from the company’s intranet or links pointing there. It’s also possible to find network-attached multifunction printers and their names and locations.

In this specific scenario, I chose a demo target just to illustrate how HOXINSERT works.

Step 2: How I found relevant context to use for HOXINSERT

In this video, I ultimately ended up choosing a different link to use in HOXINSERT that fit my context better, but below is an example of what kind of specific context would be perfect to use with HOXINSERT.

One of my favorite tactics is to try and find links pointing to the company’s SharePoint. These SharePoint URLs often contain some interesting information, such as people’s email addresses, SharePoint folder structure, and file names and types. There can also be hits for other companies with folders or files mentioning the company you're searching for. Sometimes, the content of the files is available to anyone with the link.

I’ll give you an example. It’s not that uncommon to find these URLs for many companies. There are multiple ways to find them. Advanced search engine queries are one, projects like Common Crawl index are another, and various URL scanning services are third. Let’s use a Google search query for this example.

Here, I used Microsoft as an example company with a simpler search query.

Example of a SharePoint URL with an email address, folder, and file name and type
Example of a SharePoint URL with an email address, folder, and file name and type

Here’s an example of a search query I would typically use: https://www.google.com/search?q=microsoft+site:*-my.sharepoint.*+%7C+site:sharepoint.*&filter=0.

The query tries to find Google-indexed URLs that mention “microsoft“ in any SharePoint instance on any top-level domain and subdomain.

Using the above, I can get a suitable person to target along with a file name and file type that's most likely already familiar to our target.

If it matches the rest of my pretext, I could use this exact URL in HOXINSERT. I could also use any other information from the URL as context in our phishing email. For example, mentioning a specific person—from the email address—and a project name—from the folder name in the URL—to add truth to the phishing email.

Step 3: How I created the phishing email

I wanted to gain remote access to the target’s computer, so I needed the target to open a file. I wanted to use something that the target is most likely familiar with, such as SharePoint. The SharePoint file share notification could be a perfect option. That’s why I used the below file share notification phishing template.

SharePoint file share notification
SharePoint file share notification

I needed to add the code enabling the status bar bug and add both the link shown on hover-over and the link to my HOXINSERT Shooter server.

Step 4: How I created the payload

There are multiple common initial access vectors that attackers use, such as exploiting vulnerabilities in PDF clients or Windows shortcut files—LNK files.

For this example, I’m going to use LNK files. They're extremely simple to work with and can do almost anything. For this demo, I created my own, which, instead of downloading and executing additional malware, will run calc.exe to show code execution and will also open a PowerPoint presentation as a ruse for my target.

LNK files can’t be downloaded directly via a web browser, so I'll have to zip it, and I’ll also need to base64 encode the zip file and embed it into HOXACID—HTML smuggling.

Step 5: How I set up HOXINSERT

As this is heavily a Microsoft-themed vector, I want to use Azure to host HOXACID. The simplest Azure blob storage is enough.

I also need to make sure to set the same URL both on my phishing email and in HOXACID to redirect the user to the same URL. In this demo, I’ll use https://www.microsoft365.com/launch/powerpoint?download=Customer-sales-slides-2023.pptx&auth=2 as the URL in the email and where the target will end up. I'd say it’s safe to assume they're logged into SharePoint so that they’ll end up on their own PowerPoint Online page.

How it looks like from the target’s point of view

The video shows what the final attack looks like for the target. For this demo, my target is Jason from Hoxdemo.

In the video, the Hoxdemo company CMO shares a PowerPoint document via SharePoint with Jason Lock. The email looks like a basic SharePoint file share notification.

As Jason, the target, knows not to trust all emails, Jason carefully hovers over the ‘Open’ button to check where the button takes them. The browser’s status bar appears at the bottom left corner, showing the full URL. It's exactly what would be expected and seems to lead to the microsoft365.com domain. Jason clicks the button, a new tab opens as usual, and the page loads.

The URL in the browser’s address bar looks exactly like what was displayed when Jason hovered over the ‘Open’ button in the email.

The site also instantly downloads the shared file in compressed format. Jason opens the file, double-clicks the file inside the zip archive, and clicks ‘Open’ in the prompt.

Jason’s expected PowerPoint presentation opens, but so does their calculator app? Opening the calculator is a common way to show that something bad could've happened. Instead of opening the calculator, your computer could have been instructed to download and execute additional malware.

If you pause the video right after clicking the ‘Open’ button in the email, you can briefly notice that instead of loading what was shown in the email client’s status bar, a different domain loads instead. That domain hosts an HTML smuggling file, which downloads a zipped LNK payload—that simulates malware—and then instantly redirects Jason to the domain displayed in the status bar. This happens so fast that it appears like the zipped file is loaded from the target’s SharePoint.

This is a demonstration of an attack vector that uses HOXINSERT.

Next, I'll show you a slightly different attack vector for iOS Gmail.

About the author

Pontus joined Hoxhunt in 2017 and currently works as an Offensive Security Engineer. He enjoys researching and developing attack techniques, exploits, and tools.

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this