Outlook Web Access, Exchange 2013, Malware

Question

we have an exchange 2013 server and most users are all use OWA. The other day a user openend an email with an .doc attachment using OWA and the local antivirus automatically quarantined it and stopped any activity. My concern is whenerver or not the opening of this email in OWA may have infected the exchange database..? Thanks

ewwhite · Accepted Answer · 2016-07-11T11:14:25.850

6

No, opening the message through OWA wouldn't have any impact on your Exchange database.

Are you using any sort of spam filtering solution in your environment? If not, you should be... Basically, you want to filter out this type of thing before it can even be opened by your users.

edited Jul 11 '16 at 11:14

answered Jul 10 '16 at 23:20

ewwhite

194,921
91
434
799

ewwhite - Thanks, we are controlling entry points[Harware DPI] and border level[Software Spam Filtering] but not within Exchange Servers / Mailboxes. So I assume this exploit only applies to 'local users disclosure of information' whilst sending to other exchange servers within the organisation or to another exchange based organisation using OWA and has no impact to the DB directly: https://support.microsoft.com/en-us/kb/3150501 @Sembee - +1 – dqnet Jul 11 '16 at 14:04
@serverimeco I think you're well-protected then. – ewwhite Jul 11 '16 at 14:14

score -3 · Answer 2 · answered Jul 12 '16 at 01:08

https://technet.microsoft.com/en-us/library/security/ms15-026.aspx

The most severe of the vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an instant messenger or email message that takes them to the attacker's website and then convince them to click the specially crafted URL.

Last I heard .doc files can contain VBA. VBA such as this:

Option Explicit
Private Declare Function ShellExecute _
  Lib "shell32.dll" Alias "ShellExecuteA" ( _
  ByVal hWnd As Long, _
  ByVal Operation As String, _
  ByVal Filename As String, _
  Optional ByVal Parameters As String, _
  Optional ByVal Directory As String, _
  Optional ByVal WindowStyle As Long = vbMinimizedFocus _
  ) As Long

Public Sub OpenUrl()

    Dim lSuccess As Long
    lSuccess = ShellExecute(0, "Open", "www.goodbyedatabase.com")

End Sub

This would require being directed to OWA site in which the .doc that was opened did not do. — dqnet, Jul 12 '16 at 11:24

Outlook Web Access, Exchange 2013, Malware

2 Answers2