SIGforum
Can ransomware infect an MS Exchange server by opening email on a phone?

This topic can be found at:
https://sigforum.com/eve/forums/a/tpc/f/320601935/m/3700022854

June 25, 2019, 09:07 AM
Oz_Shadow
Can ransomware infect an MS Exchange server by opening email on a phone?
This is just my personal research.

Can checking email on a phone connected to a MS Exchange server trigger ransomware and viruses on the actual MS Exchange Server?

I think it is 2013, located in house.

I suspect one person is opening every single email that comes in on the device.
June 25, 2019, 09:56 AM
smschulz
I don't see how unless the phone has the ability to control the server or DC or put files on those servers that can control it.
June 25, 2019, 09:58 AM
ensigmatic
quote:
Originally posted by smschulz:
I don't see how unless the phone has the ability to control the server or DC or put files on those servers that can control it.

This ^^^^^, I should think.

(N.B.: If anybody would know, smschulz would be the guy.)



"America is at that awkward stage. It's too late to work within the system... but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
June 25, 2019, 10:02 AM
grumpy1
Assuming best security practices are followed on the server (which built-in tools can help evaluate), and the user's credentials are not in the administrators group, directly or through nested groups, for the server/domain, then I would think not. Advanced logging on the server should be able to help track it down.
June 25, 2019, 10:07 AM
architect
Is it possible? Of course.

Is it likely? IMO, not so much.

Consider what has to happen:

1) the phone's mailer fetches the mail message to on-phone storage, e.g. via IMAP.

2) The mailer on the phone displays the message to the phone user, and in the process of doing so executes the malware payload. The mailer on the phone has to be configured to allow automatic execution of embedded content, Java, scripts, etc. The payload must be written in code that the phone and its OS can run, and that code must have sufficient function to perform the necessary operations. HTML, for one, does not have the required operators.

3) The executed payload must write to the file system on the mail server (or some other file server), "infecting" the server or encrypting files on the server's disk. This means some server connection other than mail must be present to allow the phone to access a network file system; there is no "auto-writeback" in the mail protocol itself.

Doing this seems to present a high enough degree of difficulty, and a low enough chance of success, that few would attempt this path of compromise.