Microsoft Patches Office 365 Flaw That Exposed Files And Emails On Federated Accounts

Microsoft has patched a vulnerability in Office 365 that could have allowed an attacker to gain access to any account at a business with a federated domain.

Researchers Yiannis Kakavas, of the Greek Research and Technology Network, and Klemen Bratec of the Sola prihodnosti Maribor discovered the flaw, but say there is no evidence it has been exploited in the wild and that Microsoft “mitigated” the threat within seven hours of notification.

However the group of companies that use federated domains includes some of the biggest names in technology, such as IBM, Cisco, BT, Vodafone and Microsoft itself, and high profile firms like British Airways, PwC and KPMG.

Office 365 flaw

“The attack surface was quite big (Outlook Online, OneDrive, Skype for Business, OneNote – depending on what the company has paid for in terms of licensing ),” the researchers told Kaspersky’s Threatpost. “And a malicious user exploiting this vulnerability could have gained access to very sensitive private and company information. (emails, internal documents etc. ).”

The flaw is present in the way that the cloud-based office suite handles Security Assertion Markup Language (SAML) – a standard used to exchange authentication and authorisation data. SAML is mainly used for cross domain web single sign on (SSO).

In the technical details of the flaw published by the researchers, they say that the implementation of SAML in Office365 fails to authenticate the subject of the assertion being passed, meaning that the service relies on other values without properly checks.

Wide-ranging vulnerability

The researchers said they were also able to carry out an attack suing Active Directory Federation Services (ADFS). Sola prihodnosti Maribor itself uses Office 365 with ADFS so this was easy to test.

Given it is possible to devise a method of identifying companies using federated domains and the relative ease at which the vulnerability can be exploited, the researchers claim the implications could have been massive. There is no evidence of any exploits in the wild however.

“All an attacker needed was a trial subscription to Office 365 and a SAML 2.0 Identity Provider installation,” said the researchers. “There is some bare minimum of SAML knowledge one must have, but the process of setting up SAML SSO with Office 365 is well documented and easy to follow.

“A more advanced attacker with slightly better SAML knowledge would be able to script a tool and perform the attack in an automated manner without the need of a SAML 2.0 Identity Provider.”

Kakvas and Bratec say that Microsoft acted “admirably” when the flaw was reported and that they had been rewarded as part of the Online Service bug bounty programme.

TechWeekEurope has contacted Microsoft for comment.

Quiz: What do you know about Microsoft Office?

Microsoft Office 2016

Image 1 of 26

Microsoft Word - Across Devices

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago