OWA Passthrough Authentication? (Enter username and password on random page, be authenticated with your OWA)

  • Question

  • Hi all,

    I recently spotted a phishing attack that was stealing user credentials. It looked like an OWA login page, and when users entered their username/password they were logged in to their proper OWA - the 'phish' was at www.phishydomain.com/owa, and when the user entered their password they were directed to www.myactualserver/owa and logged in - so to them, unless they noticed the URL on the dodgy login page, it all seemed fine.

    My question is, how does this work? Has OWA got some mechanism for taking pass through auth? I can't see how the server could authenticate via forms-based auth and then pass the session back to the client, it would have to instruct the client somehow? Any ideas?

    I'm wondering how I can prevent this kind of phish in future.

    Cheers,

    HC

    Friday, May 24, 2013 9:57 PM

All replies

  • I don't understand how this could work, but you may be able to work something out if you know about cookies. As you probably know, OWA's FBA auth scheme is cookie based. The FBA form accepts the user input (user name and password) and POSTs it to a DLL on the server, which then responds with a cookie which the client sends along with each request. A phishing site could certainly do the POSTing bit after the user had typed in their credentials, and could certainly do the redirect, but I don't understand how it could set the cookie, since they don't work across sites, and I don't believe you can specify the host name when you create one (since that would obviously be rather dangerous).

    Is www.phishydomain.com/owa still up and running? This would be an interesting problem to solve.

    blog.leederbyshire.com

    Tuesday, May 28, 2013 11:50 AM
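One check a defender can run on the real OWA server's logs, following on from the reply's point that FBA credentials are POSTed to the server: look for POSTs to the FBA endpoint whose Referer is not the legitimate OWA host. This is an added example, not code from the thread or from Microsoft; it assumes IIS logs the cs(Referer) field, assumes the field order shown in the constructed sample, and uses mail.example.com as a stand-in for the real OWA host name.

```python
"""Flag OWA forms-based-auth POSTs whose Referer is not the expected OWA host."""
from urllib.parse import urlsplit

# Constructed sample of IIS W3C log lines (not taken from the original thread).
# Assumed field order: date time cs-method cs-uri-stem cs-username c-ip cs(Referer) sc-status
SAMPLE_LOG = """\
2013-05-24 21:40:01 GET /owa/auth/logon.aspx - 10.0.0.5 - 200
2013-05-24 21:40:09 POST /owa/auth.owa - 10.0.0.5 https://mail.example.com/owa/auth/logon.aspx 302
2013-05-24 21:41:13 POST /owa/auth.owa - 10.0.0.9 http://www.phishydomain.com/owa 302
2013-05-24 21:42:30 POST /owa/auth.owa - 10.0.0.7 - 302
"""

EXPECTED_OWA_HOSTS = {"mail.example.com"}  # assumed legitimate OWA host name(s)
FBA_POST_PATH = "/owa/auth.owa"            # the FBA credential POST target

FIELDS = ("date", "time", "method", "uri", "user", "client_ip", "referer", "status")


def parse_line(line):
    """Split one W3C log line into a dict; return None for comment or malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def referer_host(referer):
    """Host part of a Referer value, lower-cased; None when IIS logged '-' (header absent)."""
    if referer == "-":
        return None
    return (urlsplit(referer).hostname or "").lower() or None


def classify(entry):
    """Verdict for a single parsed entry."""
    if entry["method"] != "POST" or entry["uri"].lower() != FBA_POST_PATH:
        return "ignore"
    host = referer_host(entry["referer"])
    if host is None:
        return "no-referer"       # header stripped, or request relayed server-side: review
    if host in EXPECTED_OWA_HOSTS:
        return "ok"
    return "foreign-referer"      # credentials were posted from a page on another domain


def find_suspicious(log_text):
    """Return (client_ip, referer, verdict) for FBA POSTs that are not clearly legitimate."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict in ("foreign-referer", "no-referer"):
            findings.append((entry["client_ip"], entry["referer"], verdict))
    return findings


if __name__ == "__main__":
    for ip, ref, verdict in find_suspicious(SAMPLE_LOG):
        print(f"{verdict:16} client={ip} referer={ref}")
```

Referer is supplied by the client and can be absent or stripped, so treat the output as a triage list rather than proof: a "foreign-referer" hit names the domain hosting the look-alike page, which is the lead the original poster needed, while "no-referer" entries need a closer look against the client IP and timing.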