Bypassing Safe Links in Exchange Online Advanced Threat Protection

In this article I will go through my findings and analysis on the Safe Links feature of Microsoft’s Office 365 Exchange Online Advanced Threat Protection.

Essentially, what Safe Links does is rewrite all URLs in inbound e-mails that pass through the Exchange Online Protection platform. So if you send an e-mail to an organization with Safe Links enabled, the e-mail will look like this (original):

The URL gets rewritten to look like this (passed through Safe Links):

Bypass Method 1

It is not uncommon for organizations to add their own domains to the Safe Links whitelist policy. This is done for one of many reasons: either you trust your own domains or you don’t want to inconvenience staff when sending documents internally. Imagine sending a .pdf hosted on your corporate site to 1,000s of staff – a significant portion would click the link and be presented with this page:

This bypass exploits the whitelisted domains in the Safe Links policy by using URL obfuscation techniques.

Imagine you have Example Ltd which owns the domain The administrators of have added the domain to the whitelist in their Safe Links policy such that e-mails containing the URL don’t get re-written by EOP.

Using a URL obfuscation technique like the below can trick EOP into thinking that the domain is whitelisted when in fact it isn’t:

As you can see, simply obfuscating the URL by placing bogus credentials in front of the host tricks Safe Links into thinking that the domain is instead of

Another obfuscation technique is:

Here the advanced threat protection isn’t checking the entire domain – instead it is tricked by a basic obfuscation technique: inserting the whitelisted domain as a subdomain of the malicious domain.
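To show why both tricks work and how a whitelist check should be written instead, here is an added example (not code from the original post or from Microsoft): a naive substring match of the kind the behaviour above implies, beside a check that parses the URL and compares the host the browser would actually connect to. The domains `example.com` and `attacker.test` are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample: the organisation's own domain, as added to the whitelist.
ALLOWLIST = {"example.com"}


def naive_is_allowlisted(url: str) -> bool:
    """Weak check: 'is the whitelisted domain anywhere in the URL string?'

    This is fooled by credentials before the host (user@host) and by the
    whitelisted domain appearing as a subdomain or anywhere in the path/query.
    """
    return any(domain in url.lower() for domain in ALLOWLIST)


def effective_host(url: str) -> str:
    """Return the host a browser would connect to, or '' if the URL has none.

    urlsplit().hostname drops the 'user:pass@' userinfo part and the port,
    and lower-cases the result, so 'https://example.com@attacker.test/'
    yields 'attacker.test'.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def strict_is_allowlisted(url: str) -> bool:
    """Correct check: exact match on the host, or a genuine subdomain of it."""
    host = effective_host(url)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)


# Constructed test URLs covering both obfuscation techniques described above.
SAMPLE_URLS = {
    "https://docs.example.com/report.pdf": "legitimate subdomain",
    "https://example.com@attacker.test/report.pdf": "bogus credentials",
    "https://example.com.attacker.test/report.pdf": "whitelisted name as subdomain",
    "https://attacker.test/?ref=example.com": "whitelisted name in query",
}


def compare_checks() -> dict:
    """Map each sample URL to (naive verdict, strict verdict)."""
    return {u: (naive_is_allowlisted(u), strict_is_allowlisted(u)) for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (naive, strict) in compare_checks().items():
        print(f"{SAMPLE_URLS[url]:32} naive={naive!s:5} strict={strict!s:5} {url}")
```

Only the first URL survives the strict check; the naive check passes all four, which is the gap the two bypasses exploit.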

Bypass Method 2

With this technique, an attacker could simply block or redirect requests from the Exchange Online Protection infrastructure – yup, it’s as simple as that. It’s less of a vulnerability and more of a non-ideal configuration.

Helpfully, Microsoft makes the EOP IP ranges available online so all you need to do is block those ranges on your webserver with some .htaccess rules.

Even if the IP ranges weren’t available online, the EOP requests contain no headers at all, which makes it very easy to distinguish EOP traffic from genuine traffic.

This is what genuine traffic looks like (notice the browser headers are present):

This is what EOP requests look like (notice how no headers are sent, so they are easy to distinguish from legitimate traffic):

  • 15/01/2017 – First reported
  • 20/01/2017 – I requested an update
  • 01/02/2017 – I requested an update
  • 07/01/2017 – MSRC claimed a ‘bug’ caused my replies to be missed. MSRC asked for some further clarifications which I addressed
  • 15/02/2017 – I requested an update
  • 23/02/2017 – I notified MSRC that I will be publishing this article on the 27th
  • 24/02/2017 – I was asked to delay the publishing of this post and notified that a new MSRC case was created
  • 15/03/2017 – MSRC advised that the issue doesn’t “meet the security servicing bug bar” and that they are closing the case
  • 16/03/2017 – Published

Ninite Appsheet – Patching Just Got Easier

Ninite has long been my number one tool for deploying, updating and removing popular 3rd party applications… I especially enjoy the feeling of removing Flash and Java from anywhere I can get my hands on 🙂

Up until now, Ninite has been completely agentless. You get a simple, light-weight .exe which you can either run by double-clicking or by using switches on the CLI (NinitePro.exe).
To automate the process of deploying or updating applications you previously had to script something together and run the .exe on a schedule. I don’t mean to make it sound like scripting it to work in your environment is difficult – it really isn’t – but sometimes it can be tricky to implement for machines that are either not on the domain or simply not on the premises to receive those updates.

Please note that these new features are designed for business/enterprise environments, so they are only available to Ninite Pro users.


CUCM SNMP Active Call Stats

So the title is a bit misleading but I figured it’s what most people will search if they want to get active call stats from their Cisco Unified Communications infrastructure – it’s certainly what I searched when I wanted to achieve the same thing. Turns out you can only get active call stats via SNMP from the Cisco Unified Border Element (CUBE).

I will show you how you can get the active incoming/outgoing and total external calls and how you can use these in PRTG to get a nice graph going of Active Calls vs Bandwidth.

What you won’t see is the number of internal calls as we are only monitoring the CUBE. Internal calls don’t touch the CUBE and as far as my research went, the CUCM server doesn’t keep track of active calls… at least not without some manipulation of OIDs.


The State of Telnet on the Internet – My Findings

This is my first in, I hope, a series of posts about the ‘state of things on the internet’ along with my findings and anything interesting I may have come across along the way.

This post will be about the state of Telnet (Port 23) on the internet from the perspective of a single internet-scanning host (read more in the methodologies section below). I’ll be going through some statistics including: top countries, top brands and/or firmware and lastly, an analysis on banner responses.


Office 2016 Network Shortcuts Save Issue

This is a quick post to help sysadmins facing save issues with Microsoft Office 2016 – specifically the action of saving to the Documents folder and being redirected to Network Shortcuts instead. This issue may be present in Office 2013 too, but it’s not what I have deployed in my environment, so I cannot say for sure whether the same symptoms occur on 2013.
