A malicious Internet Information Services (IIS) module is turning Outlook on the web into a tool for stealing credentials and a remote access panel. Unknown actors have used the module, which our researchers call OWOWA, in targeted attacks.
Why Outlook on the web attracts attackers
Outlook on the web (previously known as Exchange Web Connect, Outlook Web Access, and Outlook Web App, or simply OWA) is a Web-based interface for accessing Microsoft’s Personal Information Manager service. The app is deployed on Web servers running IIS.
Many companies use it to provide employees with remote access to corporate mailboxes and calendars without having to install a dedicated client. There are several methods of implementing Outlook on the web, one of which involves using Exchange Server on site, which is what cybercriminals are drawn to. In theory, gaining control of this app gives them access to all corporate correspondence, along with endless opportunities to expand their attack on the infrastructure and launch additional BEC campaigns.
How OWOWA works
OWOWA loads on compromised IIS Web servers as a module for all compatible apps, but its purpose is to intercept credentials entered into OWA. The malware checks requests and responses on Outlook on the Web login page, and if it sees a user has entered credentials and received an authentication token in response, it writes the username and password to a file (in encrypted form).
In addition, OWOWA allows attackers to control its functionality directly through the same authentication form. By entering certain commands into the username and password fields, an attacker can retrieve the harvested information, delete the log file, or execute arbitrary commands on the compromised server through PowerShell.
For a more detailed technical description of the module with indicators of compromise, see Securelist’s post.
Who are the victims of OWOWA attacks?
Our experts detected OWOWA-based attacks on servers in several Asian countries: Malaysia, Mongolia, Indonesia, and the Philippines. However, our experts have reason to believe the cybercriminals are also interested in organizations in Europe.
The majority of targets were government agencies, with at least one being a transport company (also state-owned).
How to guard against OWOWA
You can use the appcmd.exe command — or the regular IIS configuration tool — to detect the malicious OWOWA module (or any other third-party IIS module) on the IIS Web server. Keep in mind, however, that any Internet-facing server, like any computer, needs protection.