lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <SJ0PR22MB328106F04A72F5620136E1E0A2039@SJ0PR22MB3281.namprd22.prod.outlook.com>
Date: Wed, 2 Mar 2022 23:47:18 +0000
From: Jonathan Gregson via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Mr. Post - Outlook Add-in - Data Theft Risk

Mr. Post is an Outlook add-in used for inspecting emails for threats. Its tagline states "One click to visualize email. Unveil scam, phishing, ransom and BEC (Business Email Compromise)." The add-in is featured prominently in the Outlook Add-in store, including those on iOS and Android. It’s possible that users in your org use this add-in. You can find it in Microsoft AppSource here: https://appsource.microsoft.com/en-US/product/office/wa104381359

## Unsupported Add-In
The add-in no longer appears to be supported as clicking the Mr. Post button opens a parked domain inside of Outlook, mr2020[.]tech. This domain is listed for sale for $899 USD.

## Data Theft Risk
I have not used this add-in before the domain was parked, but I assume that clicking the Mr. Post button sends the currently open email to the parked domain. There is a significant risk that a threat actor will acquire this domain and collect user’s emails when they click the Mr. Post button. Presumably, the add-in only has access to emails which are open when the Mr. Post button is clicked, but Microsoft states that the add-in has access to "read or modify the contents of any item in your mailbox, and create new items. It can access personal information -- such as the body, subject, sender, recipients, or attachments -- in any message or calendar item."

## Suggested Mitigations

  *   Make sure this add-in is not installed in for any users in your organization, and (if possible) block it so it cannot be installed.
  *   Report the add-in to Microsoft. I reported it a week ago, but it is still online and installable.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ