[OWASP-Switzerland] Hidden inbox rules in MS Exchange... or how to persistently steal your messages

Rob Schneider robert.schneider at owasp.org
Mon Nov 5 18:27:25 UTC 2018

Hi folks!
We offer you the opportunity to enjoy and benefit from the upcoming OWASP Switzerland meeting sponsored by Compass Security.

In recent investigations, Compass recognized a rise in popularity for attackers to compromise Microsoft Exchange credentials. As one of the first steps after having obtained the credentials (most commonly through phishing), attackers created malicious inbox rules to copy all in- and outgoing emails of their victim. The attacker's goal hereby was to guarantee access to emails even after the compromised credentials were changed by the victim.

In this talk we present an undocumented method used to hide such inbox rules. These hidden rules remain functional but are no longer visible in email clients and Exchange admin tools (On-premise as well as Office365 environments). Finally, we discuss the effectiveness of the steps recommended by Microsoft to recover compromised accounts.

Damian Pfammatter, Compass Security

For further information and to be able to attend this event, please register via Meetup: https://www.meetup.com/de-DE/OWASPSwitzerland/events/256060882/