While this attack might not be very technical (we’ve seen these kinds of attacks for many years), I still think it is a brilliant attack. What makes it brilliant is that it does not use a generic fake page. The WebSense Security Alert states that:
The malicious site is also very believable. The victim’s domain is used as a sub-domain to the site so that the attack site appears to be the victim’s actual OWA site. The victim’s domain name and email address are also used in a number of locations on the malicious site to make it that much more believable.
According to the above alert, the campaign is fairly large, at ‘30,000 of these messages per hour’, and it is likely to slip through anti-virus filters.
With more companies making the switch from desktop applications to web-based applications, I think we will see an increasing number of such attacks. Moreover, with simple techniques such as reading the server’s identification string (e.g. the greeting banner returned over IMAP), the attacker can customize the attack to suit the victim’s server. If it is an Exchange server, the attacker can send the above page; if it is a Zimbra server, the attacker can send a similar page based on the Zimbra design.
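The banner-based fingerprinting described above, as an added example that is not part of the original post or of the WebSense alert. It classifies an IMAP greeting line into the mail product behind it and pulls out a version string where the banner carries one. The regular expressions encode the wording these products are commonly known to put in their greetings (an assumption: an operator can change or strip the banner, in which case the result is "unknown"); the sample banners at the bottom are constructed for illustration, not captured from any real host. The same code is useful defensively, to see what your own server tells an unauthenticated client.

```python
"""Guess the mail product behind an IMAP server from its greeting banner.

Added example: the signature wording is assumed from the greetings these
products commonly emit, and every sample banner below is constructed.
"""
import imaplib
import re
from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class Fingerprint:
    product: str            # "exchange", "zimbra", "dovecot", "courier", "cyrus" or "unknown"
    version: Optional[str]  # version string if the banner includes one, else None


# Product signatures, checked in order; the first match wins.
_SIGNATURES = [
    ("exchange", re.compile(r"Microsoft Exchange", re.I)),
    ("zimbra",   re.compile(r"\bZimbra\b", re.I)),
    ("dovecot",  re.compile(r"\bDovecot\b", re.I)),
    ("courier",  re.compile(r"Courier-IMAP", re.I)),
    ("cyrus",    re.compile(r"\bCyrus\b", re.I)),
]

# Version forms, most specific first: "version 6.5.7638.1", "v2.3.16", bare "2.3.16".
_VERSION_PATTERNS = [
    re.compile(r"\bversion\s+(\d+(?:\.\d+)+)", re.I),
    re.compile(r"\bv(\d+(?:\.\d+)+)", re.I),
    re.compile(r"\b(\d+(?:\.\d+)+)\b"),
]


def _extract_version(banner: str) -> Optional[str]:
    for pattern in _VERSION_PATTERNS:
        match = pattern.search(banner)
        if match:
            return match.group(1)
    return None


def classify_banner(banner: Union[str, bytes]) -> Fingerprint:
    """Classify one IMAP greeting line (the untagged '* OK ...' the server sends first)."""
    if isinstance(banner, bytes):
        banner = banner.decode("ascii", errors="replace")
    banner = banner.strip()
    # Only a real greeting is worth classifying; '* BYE' or garbage yields "unknown".
    if not (banner.startswith("* OK") or banner.startswith("* PREAUTH")):
        return Fingerprint("unknown", None)
    for product, pattern in _SIGNATURES:
        if pattern.search(banner):
            return Fingerprint(product, _extract_version(banner))
    return Fingerprint("unknown", None)


def fetch_banner(host: str, port: int = 143, timeout: float = 5.0) -> str:
    """Connect over cleartext IMAP, read the greeting, and disconnect without logging in.

    Not called when this module is imported; use it only against hosts you are
    authorised to test (for example, your own mail server).
    """
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        return conn.welcome.decode("ascii", errors="replace")
    finally:
        conn.logout()


# Constructed sample greetings in the shape each product is assumed to use.
SAMPLE_BANNERS = [
    "* OK The Microsoft Exchange IMAP4 service is ready.",
    "* OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7638.1 (mail.example.com) ready.",
    "* OK mail.example.com Zimbra IMAP4rev1 server ready",
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ IDLE STARTTLS AUTH=PLAIN] Dovecot ready.",
    "* OK [CAPABILITY IMAP4rev1 UIDPLUS IDLE STARTTLS] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc.",
    "* OK mail.example.com Cyrus IMAP v2.3.16 server ready",
    "* OK IMAP4rev1 server ready",          # hardened/generic banner: nothing to learn
    "* BYE Too many connections",           # not a greeting: classification refused
]

if __name__ == "__main__":
    for sample in SAMPLE_BANNERS:
        print(f"{classify_banner(sample)!s:50} <- {sample}")
```

The point for a defender is the second-to-last sample: a server whose greeting says nothing more than "IMAP4rev1 server ready" gives an attacker no product to template a phishing page against. Remember that the greeting is only one leak; the CAPABILITY list, POP3 and SMTP banners, and the OWA login page itself will often identify the product just as well.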


