Full Disclosure mailing list archives
Mr. Post - Outlook Add-in - Data Theft Risk
From: Jonathan Gregson via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 2 Mar 2022 23:47:18 +0000
Mr. Post is an Outlook add-in used for inspecting emails for threats. Its tagline states "One click to visualize email. Unveil scam, phishing, ransom and BEC (Business Email Compromise)." The add-in is featured prominently in the Outlook Add-in store, including those on iOS and Android. It’s possible that users in your org use this add-in. You can find it in Microsoft AppSource here: https://appsource.microsoft.com/en-US/product/office/wa104381359 ## Unsupported Add-In The add-in no longer appears to be supported as clicking the Mr. Post button opens a parked domain inside of Outlook, mr2020[.]tech. This domain is listed for sale for $899 USD. ## Data Theft Risk I have not used this add-in before the domain was parked, but I assume that clicking the Mr. Post button sends the currently open email to the parked domain. There is a significant risk that a threat actor will acquire this domain and collect user’s emails when they click the Mr. Post button. Presumably, the add-in only has access to emails which are open when the Mr. Post button is clicked, but Microsoft states that the add-in has access to "read or modify the contents of any item in your mailbox, and create new items. It can access personal information -- such as the body, subject, sender, recipients, or attachments -- in any message or calendar item." ## Suggested Mitigations * Make sure this add-in is not installed in for any users in your organization, and (if possible) block it so it cannot be installed. * Report the add-in to Microsoft. I reported it a week ago, but it is still online and installable. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Mr. Post - Outlook Add-in - Data Theft Risk Jonathan Gregson via Fulldisclosure (Mar 09)