October 7, 2015 By Shane Schick 2 min read

Security researchers have discovered a new cybercriminal approach that takes advantage of Microsoft’s webmail server to gain access to corporate systems and potentially steal information.

Webmail Servers Are Vulnerable

Israel-based firm Cybereason outlined the details of its findings, which showed how Outlook Web Access (OWA), the webmail server associated with Microsoft’s popular email client, was the target of at least one incident involving an unnamed public service organization in the U.S. The attackers were able to exploit the fact that OWA works as a sort of middleman between the Internet and internal systems by uploading a DLL file that opened a backdoor when users authenticated into the system. Cybercriminals were then able to spread malware every time the server restarted. This could provide cybercriminals with access to passwords and other critical data, SecurityWeek reported.

As more employees work outside the office via mobile devices, many companies are increasingly looking at OWA, Gmail and similar programs as a way to enable remote access to email. However, the Microsoft webmail server is unique in the way it sits between the public-facing Internet and a business’s IT systems, SC Magazine explained.

Depending on the configuration and the number of endpoints across which scripts have been put into place, cybercriminals can gain domain credentials that give them disturbingly deep access over user identities. In this case, Cybereason suggested the organization it profiled had been compromised for months.

Cybercriminal Workarounds

Of course, the OWA webmail server isn’t the only such system prone to attack. Just a few months ago, The Register reported on how researchers discovered a man-in-the-middle vulnerability in a Samsung smart fridge, which could potentially steal Gmail logins. Given that few organizations will want to go back to the days when you could only access messages at your desk, however, IT departments will need to come up with ways to better protect corporate users.

Infosecurity Magazine offered a few helpful suggestions. First, organizations need to make sure all endpoints, including not only webmail servers but databases and Active Directory servers, are monitored regularly for anomalies. Second, CISOs and their teams could have a process in place to respond to any suspicious activity and verify whether, for example, a DLL file is legitimate or not. Finally, they should recognize that advanced persistent threats like this one will likely be outside the norm of what they’ve experienced in the past. As the Cybereason research proves, cybercriminals seem to be finding new ways into the network every day.

More from

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today