Zerodium Spikes Payout for Zero-Click Outlook Zero-Days
2022-01-28 16:54

Zerodium has jacked up its offering price for Microsoft Outlook zero-day exploits.

"We are temporarily increasing our payout for Microsoft Outlook RCEs from $250,000 to $400,000. We are looking for zero-click exploits leading to remote code execution when receiving/downloading emails in Outlook, without requiring any user interaction such as reading the malicious email message or opening an attachment. Exploits relying on opening/reading an email may be acquired for a lower reward." -Zerodium.

Similar to the Outlook exploits it's hunting for, Zerodium is looking for zero-click exploits that can achieve RCE in Thunderbird when targets are receiving or downloading emails, all without users having to lift a finger.

Zerodium's newly keen zeal for Outlook exploits came on the same day that Trustwave SpiderLabs published details about a new way to bypass an Outlook security feature to deliver malicious links to victims.

Because of improper hyperlink translation, the Outlook security feature bypass as first reported allowed an attacker using Outlook for Mac to completely evade Outlook's email security checks and send a clickable, malicious link (SpiderLabs used the example below) to a victim on Outlook for Windows.

The maliciously crafted link initially only seemed to work if the attacker uses Microsoft Outlook for Mac and their intended victim is on Microsoft Outlook for Windows.


News URL

https://threatpost.com/zerodium-payout-outlook-zero-days/178089/