Date: Wed, 2 Mar 2022 23:47:18 +0000
From: Jonathan Gregson via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Mr. Post - Outlook Add-in - Data Theft Risk

Mr. Post is an Outlook add-in used for inspecting emails for threats. Its tagline states "One click to visualize email. Unveil scam, phishing, ransom and BEC (Business Email Compromise)." The add-in is featured prominently in the Outlook Add-in store, including those on iOS and Android. It’s possible that users in your org use this add-in. You can find it in Microsoft AppSource here: https://appsource.microsoft.com/en-US/product/office/wa104381359

## Unsupported Add-In

The add-in no longer appears to be supported, as clicking the Mr. Post button opens a parked domain inside of Outlook, mr2020[.]tech. This domain is listed for sale for $899 USD.

## Data Theft Risk

I have not used this add-in before the domain was parked, but I assume that clicking the Mr. Post button sends the currently open email to the parked domain. There is a significant risk that a threat actor will acquire this domain and collect users' emails when they click the Mr. Post button.

Presumably, the add-in only has access to emails which are open when the Mr. Post button is clicked, but Microsoft states that the add-in has access to "read or modify the contents of any item in your mailbox, and create new items. It can access personal information -- such as the body, subject, sender, recipients, or attachments -- in any message or calendar item."

## Suggested Mitigations

* Make sure this add-in is not installed for any users in your organization, and (if possible) block it so it cannot be installed.
* Report the add-in to Microsoft. I reported it a week ago, but it is still online and installable.
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
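The first mitigation above (confirm the add-in is not installed for anyone, then remove it) can be checked from Exchange Online PowerShell rather than by asking users. The following is an added example and not part of the original post or of Microsoft's documentation; it assumes the ExchangeOnlineManagement module is installed, that the account used holds Exchange admin rights, and that the add-in appears in `Get-App` output under the display name "Mr. Post" (the name shown in AppSource; the exact string in your tenant should be confirmed before the removal step is run).

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and an account with Exchange admin rights. The display-name match is an
# assumption; review the enumeration output before removing anything.
Connect-ExchangeOnline

$target = 'Mr. Post'

# 1. Admin-deployed (organization-wide) add-ins.
Write-Host "Organization-wide add-ins matching '$target':"
Get-App -OrganizationApp |
    Where-Object { $_.DisplayName -like "*$target*" } |
    Format-Table DisplayName, AppId, Enabled, ProviderName

# 2. User-installed copies, one mailbox at a time. This walks every mailbox,
#    so it is slow in large tenants; scope Get-EXOMailbox with -Filter if needed.
$hits = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    Get-App -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$target*" } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $mbx.UserPrincipalName } },
                      DisplayName, AppId, Enabled
}

Write-Host "Per-mailbox installs matching '$target':"
$hits | Format-Table

# 3. Removal, only after the list above has been reviewed. Remove-App takes the
#    AppId GUID from the enumeration output, so nothing here is hard-coded.
foreach ($h in $hits) {
    Remove-App -Identity $h.AppId -Mailbox $h.Mailbox -Confirm:$false
}

# Organization-wide copies are removed with the -OrganizationApp switch instead
# of -Mailbox; disabling first (Set-App -Enabled $false) is a softer option.
Get-App -OrganizationApp |
    Where-Object { $_.DisplayName -like "*$target*" } |
    ForEach-Object { Remove-App -Identity $_.AppId -OrganizationApp -Confirm:$false }
```

Enumerating before removing matters here: the advisory's concern is a parked domain that anyone can buy, so the goal is to know which mailboxes would send mail content to it once a new owner puts a listener behind it. Blocking future installs of a specific add-in is done through the Microsoft 365 admin center (Integrated apps) rather than a single cmdlet, which is why the script stops at detection and removal.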