Outlook Web App (OWA) Auth Credentials Targeted by Attackers
A recent attack on a midsize public services company showed how attackers were able to use malware to steal more than 11k sets of authentication credentials via the company's Outlook Web App (OWA), a Microsoft-based Internet-facing webmail server.
Cybereason’s lab analysis report of the client’s breach revealed a suspicious DLL file loaded on the client’s Outlook Web App (OWA) server, as reported by SecurityWeek.com.
A DLL (dynamic link library) is a file containing code and data that provides much of the functionality of a program running on Windows; DLLs also reduce code duplication, optimize memory usage and make it easier to apply updates to programs.
This suspicious DLL was unsigned and was loaded from a directory other than the one OWA’s legitimate components load from. As an intermediary application between the Internet and the internal network, OWA is an ideal target for attackers, since compromising the app gives them remote user access to the Outlook server.
Additionally, whoever gains access to the OWA server becomes the owner of the entire organization’s domain credentials, according to Cybereason.
The malicious DLL hooked into OWA’s authentication mechanism, which is responsible for authenticating users against the organization’s Active Directory server, and the attackers also installed a filter for HTTP requests. This allowed them to read requests in cleartext after the server had decrypted them.
The attackers also stole OWA authentication tokens from the company, that is, the passwords of every user that logged into OWA, which amounted to more than 11k sets of credentials. That allowed them to log into OWA as legitimate users and move laterally without being detected for months, and also to write and execute code on the OWA server.
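The two traits the post describes, an unsigned DLL and a load path outside the expected directories, can be checked for directly on the OWA server. The following PowerShell is an added example (not from the original post, Cybereason or Duo) that lists every module loaded into the IIS worker processes (w3wp.exe) hosting OWA and flags those that fail either check; the trusted-root list is an assumption and should be adjusted to the local Exchange install path.

```powershell
# Added example, not from the original post: enumerate modules loaded into
# w3wp.exe (the IIS worker process that hosts OWA) and report any that lack
# a valid Authenticode signature or sit outside the expected directories.
# Run from an elevated PowerShell session on the OWA server.

# Assumption: illustrative trusted roots; extend for your own install path.
$trustedRoots = @(
    $env:SystemRoot,                                        # IIS, .NET, GAC, system DLLs
    (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server')
)

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($proc in (Get-Process -Name w3wp -ErrorAction SilentlyContinue)) {
    foreach ($mod in $proc.Modules) {
        $path = $mod.FileName
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $untrustedPath = -not (Test-TrustedPath $path)
        $badSignature  = $sig.Status -ne 'Valid'      # NotSigned, HashMismatch, etc.
        if ($untrustedPath -or $badSignature) {
            [PSCustomObject]@{
                PID       = $proc.Id
                Module    = $mod.ModuleName
                Path      = $path
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Reason    = @(
                    if ($badSignature)  { 'unsigned-or-invalid' }
                    if ($untrustedPath) { 'unexpected-directory' }
                ) -join ','
            }
        }
    }
}

# One row per distinct module path; triage anything not explained by a known baseline.
$findings | Sort-Object Path -Unique | Format-Table -AutoSize
```

Expect some noise from compiled ASP.NET assemblies under the Temporary ASP.NET Files directory, which are unsigned by design; compare the output against a baseline taken from a known-good server rather than treating every hit as malicious.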
OWA has long been targeted by attackers as a way to steal sensitive information from organizations. Last year, an email phishing campaign targeted military agencies, embassies, defense contractors and international media outlets that use Office 365’s Outlook Web App.
Attackers sent email attachments with SEDNIT malware that worked as backdoors to log keystrokes, steal system information and send stolen data to remote command and control servers, as Trend Micro reported.
Organizations can protect their users from these types of attacks against OWA authentication by implementing security technology like two-factor authentication. Duo Security provides two-factor authentication protection for Microsoft apps, including newly added support for Office 365 (both Web Apps and Outlook), Active Directory and Azure AD.
Two-factor authentication ensures that even if an attacker steals your primary credentials (username and password) they can’t access your accounts without using your secondary form of authentication (an authentication mobile app on your smartphone or a hardware token).
Learn more about protecting remote access entry points to your networks and servers with The Essential Guide to Securing Remote Access, which explains VPN and cloud security concerns, including how to meet compliance regulations, secure remote access and use two-factor authentication to avoid a data breach.