A recently discovered exploit, named baseStriker, is a type of attack mechanism which works to bypass URL and phishing detection technologies when an email message is scanned. The exploit accomplishes this by splitting the malicious URL into two parts using the HTML <base> tag in conjunction with the standard <href> tag.
While this mechanism can circumvent some other vendor’s detection technologies, Symantec Email Security.Cloud and Symantec Messaging Gateway within the antispam detection layers scan the <base href=""> URL today to drive a conviction, aside all the other indicators in the message. These run through our different protection layers to determine if the message is spam, phish or malicious.
Symantec Email.cloud can extract full URL from email HTML body and HTML attachments and scan the URLs. For Symantec Click-Time Protection, it does not re-write these URLs today and our engineering team is investigating this.
For Messaging gateway, while it does not specifically combine <base href> and <href> tags to analyze the full URL, it has the ability to identify the methodology as an indicator with other intelligence via detections. Also, Messaging gateway customers can disable clickable URLs today, ideally in combination with conditions to identify emails that contain the base tag to take the necessary preventive actions.
At this point, we have not seen any email attacks leveraging baseStriker against our solutions. We are actively monitoring the threat landscape for this attack to supplement with any quick rules and signatures as required. This post will be updated with any new information when it becomes available.