The baseStriker attack is a mechanism by which URL and phishing detection may be bypassed when an email message is scanned by splitting the malicious URL into two parts using the HTML <base> tag in conjunction with the standard <href> tag.
Messaging Gateway (SMG) scans the base href during spam and phishing detection to drive a conviction in addition to passing the message through different protection layers for spam, phish, and malware detection.
SMG does not specifically combine the contents of the base tag with URLs in the message but does use the methodology behind baseStriker as a phishing or spam indicator for use with other intelligence and heuristics. SMG can also disable clickable URLs or rewrite them for Threat Isolation.
At the time of this writing Symantec has not seen email attacks leveraging the baseStriker technique. We continue to monitor the threat landscape for this attack and will supplement with quick rules and filtering as required.
Disabling Clickable URLS / Configuring the SMG Threat Isolation Integration
SMG can disable or rewrite clickable URLs through Content Filtering policies as follows:
Please see Disabling clickable URL's in Messaging Gateway for more information on disabling clickable URLs.