A newly discovered malware targets Microsoft's Outlook Web App, the company's email client.
The news was unveiled by security firm Cybereason, which said the advanced persistent threat (APT) can enable patient attackers to steal an organisation's email passwords over time.
By using this approach, the hackers managed to collect and retain ownership over a large set of credentials, allowing them to maintain persistent control over the organization's environment, Cybereason says.
The company found the malware after an organisation’s IT team spotted "behavioural abnormalities" in its email servers.
The security firm goes on explaining the malware: “The Cybereason platform found a suspicious DLL loaded into the Outlook Web App (OWA) server (a webmail component of Microsoft Exchange Server), with several interesting characteristics. Although it had the same name as another benign DLL, the suspicious DLL went unsigned and was loaded from a different directory. Since OWA servers typically load only legitimately signed DLLs, the Cybereason behavioural engine immediately elevated this event to a suspicion."
Cybereason says the attack is important, as whoever has access to the OWA server, owns the organisation’s domain credentials:
“The attack on OWA is significant, claims Cybereason, because OWA authentication is based on domain credentials. "Whoever gains access to the OWA server becomes the owner of the entire organisation's domain credentials," it says.
"The hackers installed a back-doored malicious OWAAUTH.DLL which was used by OWA as part of the authentication mechanism, and was responsible for authenticating users against the Active Directory (A/D) server used in the environment. In addition, the malicious OWAAUTH.DLL also installed an ISAPI filter into the IIS server, and was filtering HTTP requests.
"This enabled the hackers to get all requests in cleartext after SSL/TLS decryption. The malware replaced the OWAAUTH by installing an IIS filter in the registry, which enabled the malware to automatically load and persist on every subsequent server restart," warns Cybereason.