A New Persistent Attack Methodology Targeting Microsoft OWA

Post by: lital

Cybereason Labs Senior Researcher Yoav Orot, together with Cybereason CTO and Co-Founder Yonatan Striem-Amit, today published their analysis of a real and unique APT technique that was recently detected by the Cybereason platform in one of our customers’ environments.

The victim, a Cybereason POC customer, suspected that it had an infected server due to several behavioral abnormalities spotted by its security team. The company reached out to Cybereason, which deployed the Cybereason platform across the customer’s entire environment of 19,000 endpoints.

Within several hours, the Cybereason platform detected a unique attack. The attack targeted Microsoft Outlook Web Application (OWA), an internet-facing webmail server, in a way that enabled the attackers to record authentication credentials and gave them complete backdoor capabilities in the victim’s environment. By using this approach, the hackers managed to collect and retain ownership over a large set of credentials, allowing them to maintain persistent control over the organization’s environment.

Read the research report to find out:

  • how the hackers backdoored OWA, enabling them to collect and retain ownership over a large set of credentials
  • how the hackers maintained persistent control over the organization’s environment through the OWA control
  • how Cybereason detected and helped contain the attack

This case clearly demonstrates the ability of Cybereason to detect complex cyber-attacks that use new-to-the-world attack techniques. To learn how Cybereason can help your organization detect and respond to APTs, schedule a demo today.