Mr. Post - Outlook Add-in - Data Theft Risk

[Jonathan Gregson via Fulldisclosure <fulldisclosure () seclists org>]

Mr. Post is an Outlook add-in used for inspecting emails for threats. Its tagline states "One click to visualize email. 
Unveil scam, phishing, ransom and BEC (Business Email Compromise)." The add-in is featured prominently in the Outlook 
Add-in store, including those on iOS and Android. It’s possible that users in your org use this add-in. You can find it 
in Microsoft AppSource here: https://appsource.microsoft.com/en-US/product/office/wa104381359

## Unsupported Add-In
The add-in no longer appears to be supported as clicking the Mr. Post button opens a parked domain inside of Outlook, 
mr2020[.]tech. This domain is listed for sale for $899 USD.

## Data Theft Risk
I have not used this add-in before the domain was parked, but I assume that clicking the Mr. Post button sends the 
currently open email to the parked domain. There is a significant risk that a threat actor will acquire this domain and 
collect user’s emails when they click the Mr. Post button. Presumably, the add-in only has access to emails which are 
open when the Mr. Post button is clicked, but Microsoft states that the add-in has access to "read or modify the 
contents of any item in your mailbox, and create new items. It can access personal information -- such as the body, 
subject, sender, recipients, or attachments -- in any message or calendar item."

## Suggested Mitigations

  *   Make sure this add-in is not installed in for any users in your organization, and (if possible) block it so it 
cannot be installed.
  *   Report the add-in to Microsoft. I reported it a week ago, but it is still online and installable.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/