Attack Targeting Outlook Mail Vacuums a Ton of Credentials

Sophisticated malicious code that infected an Outlook Web application stole nearly all of a large organization’s email passwords.

Cybereason, a security firm, discovered the attack after receiving a call from an unnamed customer that noticed several behavioral oddities in its network.

Within a few hours, Cybereason found a suspicious file loaded into the customer's Outlook server. The file had the same name as a benign file, but unlike the benign one it was not digitally signed. Digital signatures denote that a file is original and unaltered or has been approved by Microsoft for use with Windows.
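The check that exposed the file can be repeated by a defender on their own server. The following is an added example, not code from Cybereason or from the original article; it assumes Outlook Web App is served by IIS worker processes (`w3wp.exe`) and that the session is elevated.

```powershell
# Added example (not from the article): audit every module loaded by the IIS
# worker processes (assumed to host Outlook Web App) for a valid Authenticode
# signature, and flag file names that are loaded from more than one path.

# Collect the distinct module files loaded by all w3wp.exe processes.
$modules = Get-Process -Name w3wp -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Modules } |
    Where-Object { $_.FileName } |
    Sort-Object FileName -Unique

# Verify the signature of each file on disk.
$report = foreach ($m in $modules) {
    $sig = Get-AuthenticodeSignature -LiteralPath $m.FileName
    [pscustomobject]@{
        Name   = $m.ModuleName
        Path   = $m.FileName
        Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject   # empty when the file is unsigned
    }
}

# 1) Loaded files that are unsigned or whose signature does not validate.
$report | Where-Object Status -ne 'Valid' |
    Format-Table Name, Status, Path -AutoSize

# 2) The same file name loaded from different paths: a possible look-alike
#    of a benign file, as in the incident described above.
$report | Group-Object Name | Where-Object Count -gt 1 |
    ForEach-Object { $_.Group } |
    Format-Table Name, Status, Signer, Path -AutoSize
```

Dynamically compiled ASP.NET assemblies are normally unsigned, so the first table needs triage by path rather than being treated as a list of confirmed findings.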

“The attack was carried out for months against an organization with 19,000 endpoints” -- a variety of devices -- “and credentials for more than 11,000 user accounts were sniffed and stolen,” reports Kaspersky Lab.

The sketchy file contained a backdoor, allowing the attackers to come and go as they pleased for a long period of time. Because the file ran on the server, it was able to capture all Web transactions.

“As a result, the attackers behind this advanced persistent threat—the term given to malware campaigns that target a specific organization for months or years—were able to steal the passwords of just about anyone accessing the server,” reports Ars Technica.

Cybereason researchers wrote in a blog post published Monday that the Outlook application was configured in a way that permitted Internet access to the server for remote users.

The setup also let the attackers access the entire organization's domain credentials.