As organizations look for workable ways to accommodate an increasingly mobile workforce with remote access to email via the internet and personal devices, hackers are using weaknesses in two of the most common email programs to breach internal networks. A large portion of companies are vulnerable to this attack, which exploits weaknesses in Microsoft Exchange and Outlook Web Access (OWA) and is relatively easy to execute. Protective measures should be taken immediately.
A typical attack might begin with a password-spraying (brute force) attack on several email addresses that may yield, say, one valid user account. In theory, the limited network access allowed by Exchange and OWA should protect the network from further intrusion. In reality, however, once a hacker has gained access to a valid email account, it is easy to send and execute malware that creates a back door from the communications server to the corporate network.
Organizations are likely vulnerable if they do not use multi-factor authentication (MFA) on OWA and are running Outlook and Exchange versions 2016 and older. Lockouts triggered by limits on password guessing are not adequate protection. Hackers routinely evade lockouts by trying a few commonly used passwords across many accounts, so no single account reaches its lockout threshold, or by using malware to log user keystrokes.
Organizations should immediately review their Exchange and email configuration to determine whether they are vulnerable to this issue. Many are likely vulnerable and therefore should investigate and implement controls to mitigate the associated risk. Protiviti recommends several options to address this problem. These options are intended as guidance only, as every organization may need to implement one or more of the following strategies depending on business constraints and technical limitations:
- Enforce MFA on OWA and Office365.
- Allow corporate email to be accessed only via an established virtual private network (VPN) connection, and do not allow OWA or Office 365 web access.
- Research existing mobile device management (MDM) solutions and determine whether they can be leveraged to combat risk from Autodiscover being exposed to the internet and still allow mobile devices to receive email securely.
- Disable Outlook client-side rules that run scripts or commands.
Recent breaches continue to reinforce the prevailing wisdom that it is not a matter of if you will be breached, but when. In addition to preventative measures such as those outlined above, organizations must work on maturing detective controls and response procedures. Activities that simulate common attack patterns should be carried out within organizations to determine whether their defenses can detect and respond effectively.
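As an added example of the detective control suggested above (illustrative code, not part of the Protiviti report), the following script looks for the spraying pattern that per-account lockouts miss: one source failing against many distinct accounts while staying under the lockout threshold on each. The log format and all records are constructed for the example, and the `lockout_threshold` and `spray_threshold` values are assumptions to be tuned to the organization's lockout policy.

```python
import re
from collections import defaultdict

# Constructed sample of simplified OWA failed/successful logon records
# (not taken from any real system): "<timestamp> <source_ip> <account> <result>"
SAMPLE_LOG = """\
2019-03-04T08:00:01Z 203.0.113.7 alice FAIL
2019-03-04T08:00:02Z 203.0.113.7 bob FAIL
2019-03-04T08:00:03Z 203.0.113.7 carol FAIL
2019-03-04T08:00:04Z 203.0.113.7 dave FAIL
2019-03-04T08:00:05Z 203.0.113.7 erin FAIL
2019-03-04T08:00:06Z 203.0.113.7 frank FAIL
2019-03-04T08:00:07Z 203.0.113.7 grace SUCCESS
2019-03-04T08:01:00Z 198.51.100.9 alice FAIL
2019-03-04T08:01:05Z 198.51.100.9 alice FAIL
2019-03-04T08:01:09Z 198.51.100.9 alice SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse(log):
    """Yield (timestamp, source_ip, account, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def detect_spray(log, lockout_threshold=5, spray_threshold=5):
    """Return {source_ip: summary} for sources matching the spray pattern:
    every account sees fewer failures than lockout_threshold (so no lockout
    fires), yet at least spray_threshold distinct accounts were attempted."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> account -> failures
    successes = defaultdict(set)                       # ip -> accounts that logged in
    for _ts, ip, account, result in parse(log):
        if result == "FAIL":
            failures[ip][account] += 1
        else:
            successes[ip].add(account)
    alerts = {}
    for ip, per_account in failures.items():
        distinct = len(per_account)
        worst = max(per_account.values())
        if distinct >= spray_threshold and worst < lockout_threshold:
            alerts[ip] = {
                "accounts_tried": distinct,
                "max_failures_per_account": worst,
                "logins_after_spray": sorted(successes[ip]),  # likely compromised
            }
    return alerts
```

The second source in the sample (repeated failures on one account, then success) is a normal forgotten-password pattern and is not flagged, whereas the first source trips the alert without ever locking an account.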
For a more detailed analysis of this important security concern, download our report here.