Security researchers have discovered an advanced backdoor malware operating in the wild targeting organizations using Microsoft Outlook Web Access (OWA) to steal e-mail passwords and credentials.

Researchers from Cybereason, a security firm, have discovered a malicious OWA module that targets the Outlook Web App, Microsoft’s web-based emailing service to steal user credentials including usernames and passwords, according to a blog post (PDF) published by the firm.

The researchers claim that the webmail server APT (Advanced Persistent Threat) enables attackers to patiently steal passwords over a stretch of time.

A Malware Targeting Corporations’ Email Systems

Researchers at Cybereason discovered the malware after being notified of suspicious activity and ‘behavioral abnormalities’ by an unnamed customer whose environment contained 19,000 endpoints.

Within a few hours of looking into it, the researchers discovered a suspicious, unsigned DLL file loaded onto the OWA server. OWA servers typically accept and load signed DLLs, giving the security firm reason for suspicion.

Sure enough, the OWAAUTH.dll file running on the server contained a backdoor. Since it was being executed on the server, the APT had the means to retrieve all encrypted (HTTPS-protected) server requests after their decryption. Quite simply, the malicious operators behind the backdoor stole passwords of any accounts accessing the server.

Related article: Microsoft Offers Users a New ‘Privacy Dashboard’

The researchers discovered a total of 11,000 pairs of usernames and passwords that “essentially gave hackers complete access to every identity and, therefore, every asset in the organization.”

An excerpt from the blog post explaining the threat read:

“Contrary to other web servers that typically have only a web interface, OWA is unique: it is a critical internal infrastructure that also faces the Internet, making it an intermediary between the internal, allegedly protected DMZ, and the web. “The customer was using OWA to enable remote user access to Outlook. This configuration of OWA created an ideal attack platform because the server was exposed both internally and externally.”

An OWA, situated within a company’s firewall acts as a bridge between internet (open and public) and a company’s internal resource (located within the company’s firewall). The customer was also using OWA to enable remote system access to Outlook. Altogether, the OWA was seen as a resource for attackers to gain access to the entire organization’s domain credentials.

“The hackers, in this case, managed to gain a foothold into a highly strategic asset: the OWA server,” Cybereason researchers said.

“Almost by definition, OWA requires organizations to define a relatively lax set of restrictions; and in this case, OWA was configured in a way that allowed Internet-facing access to the server. “This enabled the hackers to establish persistent control over the entire organization’s environment without being detected for a period of several months.”