A new technique has been uncovered that enables cybercriminals to bypass Microsoft Outlook’s spam filters and deliver malicious ISO files to unsuspecting users. The method involves hyperlink obfuscation, where malicious links are disguised under seemingly harmless URLs, allowing attackers to distribute malware-laden disk image files directly to victims. This bypass undermines email security systems, particularly Outlook’s native spam filters, making it easier for attackers to reach users’ inboxes undetected. Security researchers have warned that this development exposes organizations to sophisticated phishing campaigns.
The exploitation of ISO files follows previous trends in which attackers used social engineering tactics to trick users into downloading and running malware.
Unlike executable (.exe) files, ISO files are not flagged as inherently dangerous by security systems, making them attractive targets for attackers. These files can contain scripts, ransomware, or spyware, allowing threat actors to compromise user systems. This newly identified bypass, however, targets email defenses, evading filtering systems that would typically quarantine emails with links to high-risk file types like .iso or .exe.
The method works by embedding malicious URLs within HTML links that appear harmless. For example, attackers can disguise a malicious URL under a seemingly safe link that reads like a legitimate security update, such as “https://trusted[.]com/security-update.” In reality, clicking on this link triggers the download of a malicious ISO file from a different location. This trick allows the attackers to bypass Outlook’s spam filters, which fail to analyze the actual URL in the href attribute. Proof-of-concept testing has confirmed that Outlook’s current spam filtering system is unable to detect these hidden threats.
The vulnerability significantly broadens the scope for phishing attacks, as attackers no longer need to rely on compromised websites or secondary payloads. By delivering ISO files directly via email, attackers can bypass real-time URL reputation checks and exploit user trust. Organizations, particularly smaller businesses without advanced email security, are at heightened risk. Researchers have urged Microsoft to update Outlook’s spam filter to analyze href attributes and cross-reference URLs with threat intelligence to mitigate this vulnerability. In the meantime, companies are advised to prioritize endpoint detection and response tools to identify and block malicious ISO file activity.
