Microsoft has patched a zero-day flaw in its Hotmail email service which hackers were using to steal emails and details of the victims' contacts, according to researchers at security firm Trend Micro.
In a Monday blog post, threat response engineer Karl Dominguez explained that the victim needs only to open the specially crafted message for it to execute an embedded script.
The URL to which the script connects varies according to the Hotmail user's ID and a pre-defined number, indicating that the attacks are highly targeted, Dominguez said.
The URL then leads to another script which triggers a request which is sent to the Hotmail server, forwarding all the victim's emails to the hacker's email address.
"The attack takes advantage of a script or a CSS filtering mechanism bug in Hotmail. Microsoft has already taken action and has updated Hotmail to fix the bug," said Dominguez.
"The malicious scripts and the URL related to this attack are already being detected and blocked by the Trend Micro Smart Protection Network file and web reputation technologies."
Dominguez added that Trend Micro researchers found that Hotmail's filtering engine actually helps the cyber criminals in this attack.
It does so by working on the embedded script contained in the targeted malicious emails to convert the script into two separate lines for further rendering in the web browser's CSS engine.
"This allows the cyber criminals to turn the script into something that allows them to run arbitrary commands in the current Hotmail log-in session," he explained.
Rik Ferguson, Trend Micro director of security research, arged that the incident proves cyber criminals are looking to get a better return on their investment.
"The active exploits of these vulnerabilities demonstrate that criminals no longer solely rely on attacking individual users and computers," he added.
"The best advice for Hotmail users would be to not open unexpected emails from senders they aren't familiar with, not just in this case but as a matter of best practice."
Spaces are filling up fast
HP ZBook x2 offers 32GB RAM, M.2 SSD with up to 2TB storage and Nvidia Quadro GPU
Laptops should be able to offer true all-day working, and some
CGN has created an "online capability gap" between cyber criminals and law enforcement, says Europol
ISPs use Carrier Grade NAT to share IP addresses amongst multiple users