Chris Avants

Send on behalf of?

Today while working with a friend of mine we identified what we believed is a vulnerability with Microsoft Exchange.  Here’s the scenario, let me know what you think below:)

This morning I was expecting a meeting invite to join a session, and after our scheduled meeting time had come and gone I grabbed the last meeting invite and forwarded that to the host I was expecting the new invite from and when he received it showed that he had e-mailed himself the invite with the message I had written?

In the above message Exchange shows forwarding this message as “On behalf of” which should only be possible with assigned permissions even in your own organization, let alone a completely different organization with no domain trusts configured between the two.

Below is what the message looks like when it’s received via GMAIL account, showing as from ONLY the original sender, not myself as the forwarder:)

If you expand the message again, very little indication it’s not from the original sender although if you look closely you can see via — our domain on Exchange. Again ZERO trusts were set up in order to get these permissions.

We reported this issue via the Microsoft Bug bounty program as we believe this is a major vulnerability. Having a very easy ability to impersonate anyone who sends you a meeting invite by forwarding it could allow malicious code introduction or be used with any number of Social Engineering campaigns.

When your able to forward messages “On Behalf of” implies trust that the sender is operating with permission on behalf of that user.

Microsoft has said they “reported the issue to the appropriate team, but didn’t meet their criteria for a vulnerability”. What do you think, bug, vulnerability, what definition do you use for this?

Let me know your thoughts, below.

Leave a Comment