Microsoft Outlook Desktop has an unpatched vulnerability that would allow a successful attacker to configure a persistent mail forwarder.
Trustwave reported the vulnerability to Microsoft, and said the vendor response is that there’s no fix and no timeline for a fix.
“There is an exploitation method that can automatically forward emails CC’d to external addresses via an Outlook Desktop rule, even when this action is prevented on the corporate Exchange server," Trustwave said.
An attacker would need backdoor access to their victim, so they can access Outlook Desktop and create a rule adding the exfiltration address to the Outlook contacts list, and create the rule copying outgoing messages to that address.
The same vulnerability could be used by insiders to pass information to others.
“It also permits legitimate non-breached account owners to bypass any Exchange rules prohibiting emails from being auto forwarded to external addresses”, Trustwave said.
“If the attack gets discovered and the system cleaned up from the back door the attacker will still receive confidential emails to his inbox unless the IR team knows to look at the CC rules”, Trustwave said.
“This issue cannot be solved by any existing measures, including by configuring the Mail Flow rules settings in Exchange."
_(22).jpg&h=140&w=231&c=1&s=0)
_(26).jpg&w=100&c=1&s=0)
iTnews Executive Retreat - Security Leaders Edition
_(1).jpg&h=140&w=231&c=1&s=0)
