Zerodium Raises Outlook Zero-Day Payout to $400K

It was announced on the same day that Trustwave SpiderLabs revealed a new approach to get around Outlook security and send malicious links to victims. was reported by threatpost. Zerodium, an exploit acquisition platform, has temporarily boosted its prize for zero-click remote code executions in Microsoft Outlook from $250,000 to $400,000. These vulnerabilities can attack a target without the user having to do anything, such as read an email or open an attachment. Government entities especially in North America and Europe are Zerodium’s customers. “We are temporarily increasing our payout for Microsoft Outlook RCEs from $250,000 to $400,000. We are looking for zero-click exploits leading to remote code execution when receiving/downloading emails in Outlook, without requiring any user interaction such as reading the malicious email message or opening an attachment. Exploits relying on opening/reading an email may be acquired for a lower reward.” –Zerodium https://twitter.com/Zerodium/status/1486762616101945357 The reward for Microsoft Outlook zero-click remote code executions (RCEs) has been doubled from $250,000 to $400,000. Zerodium, an exploit acquisition platform, has boosted its payout for Microsoft Outlook zero-click remote code executions (RCEs) from $250,000 to $400,000. The increase is a temporary tactic to achieve zero-click attacks, which can attack computers and networks without the need for human input. On its page for limited-time bug bounties, Zerodium explains the change.

Some assaults, such as phishing scams, necessitate user interaction, such as opening an email or email attachment. Because zero-click attacks don’t require user engagement, they’re more harmful. Zerodium is a security firm that focuses on zero-day exploits and research. Its clients are mostly government agencies in North America and Europe. The higher compensation for Microsoft Outlook zero-click RCEs started on January 27, 2022, although there is no set end date yet. Trustwave talks of CVE-2020-0696 bypasses. Links using URI schemes will trigger a warning box, and ”:/” characters will be removed when transmitted to users, according to the CVE-2020-0696 fix. However, that change did not completely resolve the initial problem, and I later discovered a workaround. The patch will strip ”:/ ” from the link and transmit it to the user as http://maliciouslink, circumventing Microsoft ATP Safelink and other Email security programs, with the new exploit vector http:/://maliciouslink. When the victim hits the link, it is automatically changed to http://maliciouslink and opened. This flaw can be used to compromise Outlook clients on both Windows and Mac OS X.