This part makes me take notice:

"OWA was configured in a way that allowed internet-facing
access to the server"

My gut says they left the box open at the OS level to the internet and the OWA 
injection was the killing blow, not the original point of attack.


-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Michael B. Smith
Sent: Wednesday, October 7, 2015 11:36 AM
To: [email protected]; ntsysadm <[email protected]>
Subject: RE: [Exchange] So, how did they plant the malware?

We've been discussing this on a couple of closed lists. Long story short: 
insufficient data at this time.

The wording of the story is also of some concern. "Outlook mailserver"? Not 
Exchange?

Also, how was the DLL injected? Was the server already compromised? If so, game 
over and it isn't OWA's fault.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Kurt Buff
Sent: Wednesday, October 7, 2015 11:32 AM
To: [email protected]; ntsysadm
Subject: [Exchange] So, how did they plant the malware?

The article is short on details, and so is the security firm's PDF.
Very scary, but nothing in the way of actionable intelligence, AFAICT.
http://arstechnica.com/security/2015/10/new-outlook-mailserver-attack-steals-massive-number-of-passwords/
