Wily Attack on Microsoft Outlook Is Especially Worrying Because Everyone Uses Outlook

Using Outlook before this vulnerability was even disclosed. (Possibly a dramatization.)

Microsoft’s Outlook email service isn’t exactly, how do I put this, a favorite. Most people end up using it for work email at some point, but no one seems to really like it. As Gizmodo editor-in-chief Annalee Newitz put it in May, “Microsoft Outlook has the distinction of being one of the world’s most widely-used email and calendaring systems—and the one that arouses the most profound indifference in its users.” So when a security issue crops up in Outlook, you might be tempted to just ignore it. But the whole ubiquity thing makes that really hard to do.

Take, for example, a new attack on the Outlook Web Application (Outlook’s browser access) spotted by Ars Technica. A report released Monday from security firm Cybereason outlines a malware attack that sits on the Web app server and collects login credentials from a particular company or organization. Cybereason discovered the exploit after one of its clients noticed unusual activity on its network and had Cybereason scan its 19,000 endpoints (devices like laptops, smartphones, or any Internet-connected equipment).

The firm concluded that malware affecting the client had been strategically placed on a particular component of Microsoft’s Exchange Server, which deals with Outlook email and calendar data. The malware offered a backdoor to decrypted HTTPS requests, exposing passwords and other data. Cybereason notes that its client was using the Outlook Web Application to allow for remote access (a common capability that allows employees to keep up with work email).

Cybereason explains:

Contrary to other web servers that typically have only a web interface, OWA is unique: it is a critical internal infrastructure that also faces the Internet. … This configuration of OWA created an ideal attack platform because the server was exposed both internally and externally. Moreover, because OWA authentication is based on domain credentials, whoever gains access to the OWA server becomes the owner of the entire organization’s domain credentials. [Emphasis theirs.]

Outlook may be boring and corporate, but that’s exactly what makes it a perfect target for a persistent attack over a long period of time: Tons of high-profile companies use it. Cybereason is just presenting one case study, but it’s not unreasonable to think that such an effective attack is already in use against other organizations as well, or will be. Companies that use a third-party credential manager (for example, Slate uses Okta) are probably not vulnerable to this attack. I reached out to Microsoft for comment and will update with any response.

Update, October 6, 2015, 11 a.m.: A Microsoft spokesperson says, “The report conveniently skips over the important details of how an attacker might ‘gain a foothold into a highly strategic asset’ if a system is properly managed, secured, and up to date. For all types of critical servers and applications, we recommend IT administrators use the latest products and services, in combination with industry best practices for IT management.” Of course it probably wouldn’t be in Microsoft’s interest for Cybereason to publicly disclose that, but the company seems to be hoping that the attack exploits a vulnerability that was previously patched.