
I understand an attacker could perform MiTM on Rogue Access Points and capture cleartext traffic between a web client and server. However, is it possible that an attacker could do similar MiTM attacks on thick clients such as Outlook? If so, how could they insert themselves in the middle?

sxmad
  • It'd be the same as MITM on HTTP. E-mail is worse in that even when you do use secure transport some nodes will fallback to non-secure transmission if it's not supported/available. – pcalkins Aug 12 '22 at 21:23
  • Could you explain a bit more? My company is analyzing the risk of outlook client being compromised on unsafe open public wifi. My understanding is outlook client communication is encrypted end to end. Under what circumstances could it fall back to non-secure transmission? – sxmad Aug 12 '22 at 21:57
  • Are you talking about Outlook program on Windows or Outlook app on Android or iOS? It also depends on what mail server respectively what authentication system is used by the mail server. – Robert Aug 12 '22 at 22:38
  • See here: https://techcommunity.microsoft.com/t5/exchange-team-blog/understanding-email-scenarios-if-tls-versions-cannot-be-agreed/ba-p/2065089 – pcalkins Aug 12 '22 at 22:47
  • thanks @pcalkins – sxmad Aug 14 '22 at 17:16

1 Answer

MITM attacks are not restricted to web-based applications, even though many frameworks focus on these since web makes up the majority of traffic. MITM attacks are also not restricted to sniffing plain text, but can hijack and decrypt encrypted traffic if no proper certificate validation is done.

In the case of MS Outlook the risk is low, as long as the configuration enforces encryption for protocols like IMAP, POP3 and SMTP and also enforces strict certificate validation. There is of course the risk that users might fiddle with the settings in case of connectivity problems, which result from open WiFi networks having captive portals or blocking specific communication. And there is of course still a risk outside of MS Outlook communication itself, i.e. normal web browsing done on the same machine might be intercepted and manipulated in order to compromise the machine.

Steffen Ullrich
  • Thanks for the answer. Which settings could a user be forced to fiddle with on Outlook client? I understand you could force a user to download a rogue SSL cert using captive portals and decrypt the web traffic that way. However, I'm unable to imagine an equivalent attack for the thick client. – sxmad Aug 14 '22 at 17:15
  • *"Which settings could a user be forced to fiddle with on Outlook client?"* - if and how this is possible depends on the available settings on the exact client (Android, iOS, Windows are different - maybe even different versions of the same client expose different options) and for specific connectivity to the mail server (IMAP/SMTP, MAPI over HTTP, ...) – Steffen Ullrich Aug 14 '22 at 17:24
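The two points the answer and the comments turn on, "enforce encryption" and "enforce strict certificate validation", can be made concrete in a small mail-client snippet. The following is an added example written for this page, not code from Outlook, Microsoft, or the answer's author; the function names (`strict_tls_context`, `may_send_credentials`, and so on) and the IMAP CAPABILITY lines it parses are constructed for illustration. It shows the strict TLS context a client should use beside the permissive one a user might switch to while troubleshooting, and a policy function that refuses to send credentials on a plaintext IMAP connection whose server did not advertise STARTTLS, which is the "fallback to non-secure transmission" the comments warn about.

```python
import ssl
import imaplib


def strict_tls_context() -> ssl.SSLContext:
    """TLS context a mail client should use: the certificate chain is checked
    against the system trust store, the certificate must match the host name,
    and TLS versions older than 1.2 are refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_tls_context() -> ssl.SSLContext:
    """The setting a user might reach for when a captive portal breaks mail:
    any certificate is accepted, so a host interposed on the network can
    terminate the session unnoticed. Shown only for contrast."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context both validates the chain and checks the name."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def parse_imap_capabilities(line: bytes) -> set:
    """Parse an untagged IMAP CAPABILITY response, e.g. (constructed sample)
    b'* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN'."""
    parts = line.decode("ascii", "replace").split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not an IMAP CAPABILITY response")
    return {p.upper() for p in parts[2:]}


def may_send_credentials(caps: set, already_tls: bool) -> bool:
    """Policy: credentials are sent only over TLS. On a plaintext connection
    we continue only if STARTTLS is advertised (the caller upgrades first);
    a server or interposer that strips STARTTLS gets no fallback."""
    if already_tls:
        return True
    return "STARTTLS" in caps


def open_imap(host: str, port: int = 143, implicit_tls: bool = False):
    """Connect with the strict context; abort instead of logging in over
    plaintext. Needs a real server, so it is not exercised offline."""
    ctx = strict_tls_context()
    if implicit_tls:                       # IMAPS, usually port 993
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    conn = imaplib.IMAP4(host, port)
    caps = {c.upper() for c in conn.capabilities}
    if not may_send_credentials(caps, already_tls=False):
        conn.logout()
        raise RuntimeError("server did not offer STARTTLS; refusing plaintext login")
    conn.starttls(ssl_context=ctx)         # raises on certificate mismatch
    return conn


if __name__ == "__main__":
    # Constructed capability lines: one from a well-behaved server, one as
    # it would look if STARTTLS had been stripped from the response.
    normal = parse_imap_capabilities(b"* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN")
    stripped = parse_imap_capabilities(b"* CAPABILITY IMAP4rev1 AUTH=PLAIN")
    print("strict context ok:", context_is_strict(strict_tls_context()))
    print("weak context ok:", context_is_strict(weak_tls_context()))
    print("login allowed (normal):", may_send_credentials(normal, already_tls=False))
    print("login allowed (stripped):", may_send_credentials(stripped, already_tls=False))
```

The design choice worth noting is that the decision to proceed is made from the server's advertised capabilities before any credential leaves the client, and that failure is a hard stop rather than a retry without TLS; the same shape applies to SMTP's EHLO response and POP3's CAPA. A client that instead retries in plaintext on error is exactly the thick client the question worries about, regardless of how strong its TLS settings are when TLS does come up.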