Security News > 2021 > December > New Microsoft Exchange credential stealing malware could be worse than phishing

Kaspersky has discovered a malicious add-on for Microsoft's Internet Information Service web server software that it said is designed to harvest credentials from Outlook Web Access, the webmail client for Exchange and Office 365.
"While looking for potentially malicious implants that targeted Microsoft Exchange servers, we identified a suspicious binary that had been submitted to a multiscanner service in late 2020," Kaspersky said in its announcement of the discovery.
Owowa is an add-on for IIS, which is itself software built to manage web server services that Microsoft describes as being made up of more than 30 independent modules.
Owowa is designed to get installed in IIS, and once installed looks for evidence that the IIS server it's on is responsible for exposing a business's Exchange server's OWA portal.
If its raw potential for undetected data theft isn't enough of a reason to watch out for Owowa, consider its raw potential to crash your Exchange or IIS servers as another reason to take the right precautions.
Check all IIS modules on exposed IIS servers regularly - especially if that IIS server deals with Exchange.
News URL
Related news
- Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware (source)
- Microsoft admits GitHub hosted malware that infected almost a million devices (source)
- Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails (source)
- Microsoft: New RAT malware used for crypto theft, reconnaissance (source)
- Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets (source)
- Microsoft Exchange Online outage affects Outlook web users (source)
- Microsoft: Exchange Online bug mistakenly quarantines user emails (source)
- Microsoft Trust Signing service abused to code-sign malware (source)
- Microsoft Trusted Signing service abused to code-sign malware (source)
- New Android malware uses Microsoft’s .NET MAUI to evade detection (source)