This blog post describes a simple phishing attack covered in today's webcast. The goal is to create a fake front-end to an organization's Outlook Web Access portal and convince users to login through this portal. In the course of an authorized security assessment this type of attack provides an initial foot in the door to the target organization and takes few resources to setup.

This technique relies on the following steps:

  • Clone the target's existing OWA site to match graphics and versions
  • Register a look-alike domain (mail.example.com -> mailexample.com)
    • Gandi.net even provides free SSL certificates as part of COM registration
    • IDN-style names can make this even harder to identify
  • Rewrite the OWA HTML to change the links/images
    • Point the form POST to the real OWA portal
  • Modify flogon.js to log prior to re-posting to the real OWA

The result is a site that looks like the original and acts like the original. A bad password takes the user to the real site with the expected error and a correct password takes them to the real site and logs them in. Microsoft could mitigate this by adding CSRF tokens to the form authentication template in OWA. This basic technique was used with both Exchange 2007 and Exchange 2010 OWA installations.

To convince users to access the mis-named site, I typically craft an email with a subject like "Welcome to Outlook Web Access" - pasting in a typical "enrollment" email, linking to the fake portal (with the displayed link pointing to the real portal).Telling the user that they have 24 hours to access the portal to keep their account active may help speed things along as well.

If you conduct this type of phishing attack for another organization, the friendly thing to do is transfer the domain to their IT staff after the conclusion of the test. At the least, it takes a potential phishing domain off a list that a real attacker could draw from.

Happy (legal) phishing,

-HD