*This article originally appeared here on LinkedIn*
During a penetration testing engagement, my task was to find the weak spots in the client's IT environment and recommend the best fixes for them.
The client had most of the traditional security controls in place, such as firewalls, and the external penetration test yielded little.
But during the internal penetration test I saw something very disturbing in the way Outlook works: because of the poor design of Outlook's certificate warning, it is easy to obtain a user's password.
The same method let us obtain the Outlook password outside the company perimeter as well.
Test environment:
- Windows 7 Pro computers
  - Tested on Windows 10 Pro as well
- Outlook 2016 connected to Microsoft 365
  - Tested on Outlook 2013 connected to Microsoft 365 as well
We used a classic man-in-the-middle attack between the client and the gateway (see Diagram 1).
Outlook's behaviour was very problematic. Once we started poisoning the ARP cache, the following prompt (see Prompt 1) was shown to the user:
Advanced users who decided to click “View Certificate” saw the following screen (Prompt 2):
The injected certificate is issued for outlook.com but is not trusted by Windows; to most users, though, seeing outlook.com is “good enough”.
Most users didn't give this small prompt much thought and pressed Yes to proceed:
Clicking Yes makes Outlook complete the TLS handshake with the attacker's certificate, so the session is encrypted only to our man-in-the-middle box, which sees the traffic in the clear. Any sniffing tool there instantly showed us the Outlook password (which is also the user's Active Directory domain login).
This exercise was done inside the company network. Later we followed one of the users to a meeting at a coffee shop, where he connected to a public Wi-Fi network that we had also joined, and we repeated the same process outside the company perimeter.
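The attack above only works because the attacker first poisons the victim's ARP cache so that the gateway's IP resolves to the attacker's MAC. That precondition is detectable on the endpoint, which matters on a coffee-shop Wi-Fi where you do not control the switch. The following detector is an added example written for this article, not code from the original engagement or from Microsoft: it consumes a stream of observed ARP replies (a constructed `ts,ip,mac` log, the format is an assumption) and alerts when the gateway's MAC changes or when one MAC claims the gateway's IP alongside another address.

```python
"""Detect ARP cache poisoning of the default gateway from observed ARP replies.

Added example; not part of the original article. The ARP replies in
SAMPLE_LOG are constructed: a legitimate gateway at 192.168.1.1 followed
by a second host (the attacker) claiming the gateway's IP with its own MAC.
"""
from collections import defaultdict
from dataclasses import dataclass

GATEWAY_IP = "192.168.1.1"

# Constructed sample capture: "timestamp, sender IP, sender MAC" per line.
SAMPLE_LOG = """
# ts, sender_ip, sender_mac
0.0, 192.168.1.1,  00:11:22:33:44:55   # real gateway answers
1.0, 192.168.1.20, aa:bb:cc:dd:ee:ff   # attacker's own address
2.0, 192.168.1.1,  AA:BB:CC:DD:EE:FF   # attacker claims the gateway IP
3.0, 192.168.1.1,  aa:bb:cc:dd:ee:ff   # poison reply repeated to keep cache stale
"""


@dataclass(frozen=True)
class ArpReply:
    ts: float         # capture time in seconds
    sender_ip: str    # IP address the reply claims to own
    sender_mac: str   # hardware address claiming that IP (normalised lower-case)


def parse_arp_log(lines):
    """Parse the constructed 'ts,ip,mac' lines; '#' starts a comment."""
    replies = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, ip, mac = (field.strip() for field in line.split(","))
        replies.append(ArpReply(float(ts), ip, mac.lower()))
    return replies


def detect_arp_poisoning(replies, gateway_ip):
    """Return (severity, ts, message) alerts for ARP bindings that look poisoned.

    Two signals: an IP whose MAC changes mid-stream (critical when it is the
    gateway), and a single MAC that claims the gateway IP plus any other IP,
    which is the classic footprint of a host that is spoofing the gateway.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for r in replies:
        previous = ip_to_mac.get(r.sender_ip)
        if previous is not None and previous != r.sender_mac:
            severity = "critical" if r.sender_ip == gateway_ip else "warning"
            alerts.append((severity, r.ts,
                           f"{r.sender_ip} moved from {previous} to {r.sender_mac}"))
        ip_to_mac[r.sender_ip] = r.sender_mac

        before = len(mac_to_ips[r.sender_mac])
        mac_to_ips[r.sender_mac].add(r.sender_ip)
        ips = mac_to_ips[r.sender_mac]
        # Alert once, when the MAC first accumulates the gateway IP plus another.
        if len(ips) > before and len(ips) > 1 and gateway_ip in ips:
            alerts.append(("critical", r.ts,
                           f"{r.sender_mac} claims {sorted(ips)}"))
    return alerts


def run_demo():
    """Run the detector over the constructed capture and return its alerts."""
    return detect_arp_poisoning(parse_arp_log(SAMPLE_LOG.splitlines()), GATEWAY_IP)


if __name__ == "__main__":
    for severity, ts, message in run_demo():
        print(f"[{severity}] t={ts:.1f}s {message}")
```

On the constructed capture the detector raises two critical alerts at t=2.0s, the moment the attacker's MAC takes over the gateway IP, and stays quiet on the repeated poison reply at t=3.0s because the binding has not changed again. A real deployment would feed it from a packet capture of opcode-2 ARP frames and pin the known-good gateway MAC as a static entry, which is the corresponding prevention.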
1. Outlook's security prompt is very small, hardly noticeable, not alarming, and does not convey the severity of the issue.
   - Compare it with the full-page warning Google Chrome shows when a site presents a certificate it cannot verify: Chrome's warning is “scary” and makes users stop and think.
2. Most users do not understand the security prompt at all.
3. Most users will automatically press Yes on this prompt to continue working.
Is it a user behaviour error? No! The security prompt is presented so poorly that only IT staff can be expected to understand its severity.
Resolving the issue:
1. We implemented a GPO setting that does not allow Outlook to work over a non-secure connection at all.
2. We ran cyber security awareness training to show users how risky this little prompt is.
3. We reported this vulnerability to Microsoft. Microsoft responded that it is not a real vulnerability because the user gets a prompt! I think the prompt itself is not designed correctly and leaves a lot of room for user error.
How to protect your Outlook against this type of attack:
We cover protecting yourself in our next article, How To Protect Your Password From Hackers.
Written by Eli Migdal, CEO of TowerWatch Solutions Ltd (UK) and founder of Migdal Computing Solutions Ltd (Israel)