Personal Password Practices Place Thousands of UK Businesses at Risk

This research illustrates the potential impact of a new generation of hacking tools that escalate a compromised email address and password, presented to the Outlook Web Access (OWA) interface, into full remote compromise of the corporate network.

The research suggests that close to 0.5% of all organisations in the SecureData Labs study could be compromised using a combination of publicly available email addresses from previous data breaches and poor password behaviour by users who reuse passwords between professional and personal applications.

The researchers analysed 1.5 million compromised email addresses from 173,000 individual organisations in the UK. SecureData Labs could crack 92% of passwords* where the breach included the hashed (one-way, so recoverable only by guessing) password. From this sample of organisations, 1,226 could be identified as using Outlook Web Access. Assuming some users were reusing the same password (or password ‘scheme’) between their private and work accounts**, as many as 868 organisations in the study are at immediate risk of simple, low-cost compromise of their network systems. Applying the ratio of at-risk organisations found in the research (0.5%) to the 10.5 million .uk domain registrations in the UK suggests that as many as 53,000 domains could be similarly at risk.

With 1 billion newly breached email addresses exposed on the public web during 2016 (source: haveibeenpwned.com), the SecureData Labs team has highlighted this attack vector as a sleeping dragon of corporate network security and a style of exploit it expects to increase in prevalence.

Charl van der Walt, Head of Security Strategy at SecureData comments: “We developed this research as a vehicle to illustrate the increasing security challenge as employees mix their corporate and personal online universes. This is exacerbated by enterprise risk models that fail to appreciate how attackers view their business, reflecting instead their own view as to what is valuable.

“The prize here for the hacker is not just the email account itself, but the ability to write Outlook rules on the user’s desktop via OWA. Our ‘Ruler’ toolset shows how we can turn an OWA password compromise into full and persistent remote access to the network, with potentially devastating effect,” van der Walt continues. “Microsoft Exchange has been considered a relatively benign element of corporate IT, but it’s becoming more popular and valuable as a target. In addition, Exchange is exposed onto the Internet via OWA and put more at risk via weak or leaked email passwords. We wanted to highlight this simple exploit as a way to warn security managers not to undervalue what appear to be low-risk corporate assets.”

Email address compromise has become more common and is often the intention of large-scale hacks (Ashley Madison, LinkedIn, YouPorn, Adobe, etc.). With the increasing supply of compromised email addresses available to hackers, organisations should be vigilant about the potential impact of these leaks, for example via an escalation of phishing attacks or password reuse attacks.

Key stats: 

Research took place between October 22 and November 22, 2016

  • Dataset 1 – breached email data: 
    • 1.5 million compromised email addresses researched, from 173,000 UK domains (.uk only)
    • Scanning uncovered 1,226 OWA interfaces
    • 92% of passwords leaked could be cracked by SecureData Labs
    • 868 UK organisations, or 0.5% of all UK organisations in the study, are at risk from this type of exploit (assuming a 77% password reuse rate)
  • Dataset 2 – Alexa Top Million: 
    • From the Alexa “Top Million” websites list, 15,653 have a .uk domain
    • Scanning identified 1,105 unique .uk domains within this dataset with exposed OWA servers (7%)
    • 712 of these OWA-exposed domains were also present in the list of 173,000 organisations exposed in the breaches studied in dataset 1
    • 92% of passwords leaked could be cracked by SecureData
    • This analysis suggests 504 .uk domains in the Alexa Top Million (3.2%) are potentially at risk to an OWA compromise
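
The pipeline behind the two datasets above, as an added worked example that is not SecureData’s or SensePost’s tooling: parse a breach dump of email:hash records, crack what a small wordlist with basic mangling rules can reach, group the cracked credentials by domain, intersect with the domains a scan found exposing OWA, and scale by the cracking and reuse rates. All addresses, passwords, the wordlist and the OWA domain list are constructed here. The final scaling step (OWA-exposed organisations multiplied by the cracking rate and the reuse rate) is inferred from the release’s own figures, since 1,226 × 0.92 × 0.77 ≈ 868 and 712 × 0.92 × 0.77 ≈ 504; the release does not state its formula, so treat that step as an assumption about the method.

```python
import hashlib
from collections import defaultdict

# Added example, not SecureData/SensePost code. Reproduces the study's
# pipeline on constructed data; the scaling formula in estimate_at_risk()
# is inferred from the published figures and is an assumption.


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()


# Constructed breach dump (fictitious addresses and passwords). Unsalted SHA-1
# is used because that is what the 2012 LinkedIn dump contained.
_PLAINTEXTS = {
    "alice@acme.co.uk":    "Summer2016!",
    "bob@acme.co.uk":      "password1",
    "carol@bravo.org.uk":  "Liverpool123",
    "dave@bravo.org.uk":   "xK9#vQ2!pL7z",      # strong, should not crack
    "erin@charlie.co.uk":  "letmein",
    "frank@charlie.co.uk": "Welcome2016",
    "grace@delta.ac.uk":   "7h3Qu1ckBr0wnF0x",  # strong, should not crack
    "heidi@acme.co.uk":    "summer!",
}
SAMPLE_DUMP = "\n".join(f"{e}:{sha1_hex(p)}" for e, p in _PLAINTEXTS.items())

# Domains a (hypothetical) scan found serving an OWA login page.
OWA_DOMAINS = {"acme.co.uk", "bravo.org.uk", "delta.ac.uk"}

# Tiny constructed wordlist; real runs use rockyou-scale lists plus rule sets.
WORDLIST = ["password", "summer", "letmein", "welcome", "liverpool"]


def candidates(word):
    """Cheap mangling rules of the kind every cracker applies by default."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "!", "2016", "2016!"):
            yield base + suffix


def parse_dump(text):
    """Parse 'email:hexdigest' lines; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, digest = line.rsplit(":", 1)
        records.append((email.lower(), digest.lower()))
    return records


def crack(records, wordlist):
    """Unsalted hashes: hash every candidate once, then look each record up.
    Returns {email: recovered_password} for the hashes that matched."""
    table = {sha1_hex(c): c for w in wordlist for c in candidates(w)}
    return {email: table[digest] for email, digest in records if digest in table}


def domain_of(email):
    return email.split("@", 1)[1]


def estimate_at_risk(owa_orgs, crack_rate, reuse_rate):
    """Organisations exposing OWA, scaled by cracking success and by the
    fraction of users expected to reuse a personal password at work."""
    return round(owa_orgs * crack_rate * reuse_rate)


def run_study(dump, owa_domains, wordlist, reuse_rate=0.77):
    records = parse_dump(dump)
    cracked = crack(records, wordlist)
    by_domain = defaultdict(list)
    for email, password in cracked.items():
        by_domain[domain_of(email)].append((email, password))
    # Only domains with at least one cracked credential AND an exposed OWA
    # login can be attacked the way the release describes.
    exposed = {d for d in by_domain if d in owa_domains}
    crack_rate = len(cracked) / len(records)
    return {
        "records": len(records),
        "cracked": len(cracked),
        "crack_rate": crack_rate,
        "owa_domains_with_cracked_creds": exposed,
        "estimated_at_risk": estimate_at_risk(len(exposed), crack_rate, reuse_rate),
    }


if __name__ == "__main__":
    result = run_study(SAMPLE_DUMP, OWA_DOMAINS, WORDLIST)
    for key, value in result.items():
        print(f"{key}: {value}")
    # Check the inferred formula against the release's headline numbers.
    print("dataset 1:", estimate_at_risk(1226, 0.92, 0.77))
    print("dataset 2:", estimate_at_risk(712, 0.92, 0.77))
```

On the constructed data six of eight hashes fall to the wordlist and two of the three OWA-exposed domains have at least one cracked credential; delta.ac.uk exposes OWA but contributes nothing because none of its users’ hashes cracked, and charlie.co.uk has cracked credentials but no OWA, so neither counts. Real breach dumps vary in format (salted hashes, bcrypt, plaintext), so the parser and the lookup-table approach would need adapting per source.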

Key supporting information and industry sources: 

  • * The statement “SecureData Labs can crack 92% of passwords” refers to SensePost’s research and is supported by previous analysis. For instance, of the 3,743,733 UK addresses compromised in the 2012 LinkedIn breach, 2,622,252 included hashed passwords; of these the SecureData Labs team were able to crack 2,382,216, or 90.85%.
  • ** The statistic “77% of passwords are reused by users” comes from a 2014 Princeton University study, which suggested that most internet users have a universe of around 25 online accounts. When asked to select a password for a new account, 77% of participants said they would either modify or reuse an existing password.
  • 123,621,620 compromised email addresses reported through haveibeenpwned.com
  • 412,214,295 email addresses compromised in October 2016, as reported by leakedsource.com
  • UK domain registrations data source, https://en.wikipedia.org/wiki/.uk

About SecureData 

SecureData is a leading provider of cybersecurity services and solutions. 

SecureData looks beyond point technologies to address cybersecurity as a whole. The company offers a comprehensive set of professional and managed security services across the entire attack continuum.

For 25 years SecureData has been helping organisations assess risks, detect threats, protect assets and respond to breaches quickly and effectively, ensuring essential IT infrastructure always remains secure and available.

SensePost, the consulting arm of SecureData, includes some of the world’s most preeminent cybersecurity experts. Trusted by both corporate and military organisations across multiple countries, SensePost helps organisations to protect IT infrastructure and stay ahead of evolving cybersecurity threats.

Operating across the UK, South Africa and the USA, SecureData has an enviable track record having delivered cybersecurity services for many business sectors including finance, insurance, retail, property, professional services, technology and government.

For more information visit http://www.secdata.com