October 7, 2015 By Shane Schick 2 min read

Security researchers have discovered a new cybercriminal approach that takes advantage of Microsoft’s webmail server to gain access to corporate systems and potentially steal information.

Webmail Servers Are Vulnerable

Israel-based firm Cybereason outlined the details of its findings, which showed how Outlook Web Access (OWA), the webmail server associated with Microsoft’s popular email client, was the target of at least one incident involving an unnamed public service organization in the U.S. The attackers were able to exploit the fact that OWA works as a sort of middleman between the Internet and internal systems by uploading a DLL file that opened a backdoor when users authenticated into the system. Cybercriminals were then able to spread malware every time the server restarted. This could provide cybercriminals with access to passwords and other critical data, SecurityWeek reported.

As more employees work outside the office via mobile devices, many companies are increasingly looking at OWA, Gmail and similar programs as a way to enable remote access to email. However, the Microsoft webmail server is unique in the way it sits between the public-facing Internet and a business’s IT systems, SC Magazine explained.

Depending on the configuration and the number of endpoints across which scripts have been put into place, cybercriminals can gain domain credentials that give them disturbingly deep access over user identities. In this case, Cybereason suggested the organization it profiled had been compromised for months.

Cybercriminal Workarounds

Of course, the OWA webmail server isn’t the only such system prone to attack. Just a few months ago, The Register reported on how researchers discovered a man-in-the-middle vulnerability in a Samsung smart fridge, which could potentially steal Gmail logins. Given that few organizations will want to go back to the days when you could only access messages at your desk, however, IT departments will need to come up with ways to better protect corporate users.

Infosecurity Magazine offered a few helpful suggestions. First, organizations need to make sure all endpoints, including not only webmail servers but databases and Active Directory servers, are monitored regularly for anomalies. Second, CISOs and their teams could have a process in place to respond to any suspicious activity and verify whether, for example, a DLL file is legitimate or not. Finally, they should recognize that advanced persistent threats like this one will likely be outside the norm of what they’ve experienced in the past. As the Cybereason research proves, cybercriminals seem to be finding new ways into the network every day.

More from

Apple Intelligence raises stakes in privacy and security

3 min read - Apple’s latest innovation, Apple Intelligence, is redefining what’s possible in consumer technology. Integrated into iOS 18.1, iPadOS 18.1 and macOS Sequoia 15.1, this milestone puts advanced artificial intelligence (AI) tools directly in the hands of millions. Beyond being a breakthrough for personal convenience, it represents an enormous economic opportunity. But the bold step into accessible AI comes with critical questions about security, privacy and the risks of real-time decision-making in users’ most private digital spaces. AI in every pocket Having…

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today