[FD] Mr. Post - Outlook Add-in - Data Theft Risk
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Mr. Post - Outlook Add-in - Data Theft Risk
- From: Jonathan Gregson via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Wed, 2 Mar 2022 23:47:18 +0000
Mr. Post is an Outlook add-in used for inspecting emails for threats. Its
tagline states "One click to visualize email. Unveil scam, phishing, ransom and
BEC (Business Email Compromise)." The add-in is featured prominently in the
Outlook Add-in store, including those on iOS and Android. It’s possible that
users in your org use this add-in. You can find it in Microsoft AppSource here:
https://appsource.microsoft.com/en-US/product/office/wa104381359
## Unsupported Add-In
The add-in no longer appears to be supported: clicking the Mr. Post button
opens a parked domain, mr2020[.]tech, inside Outlook. This domain is listed
for sale for $899 USD.
## Data Theft Risk
I have not used this add-in before the domain was parked, but I assume that
clicking the Mr. Post button sends the currently open email to the parked
domain. There is a significant risk that a threat actor will acquire this
domain and collect users' emails when they click the Mr. Post button.
Presumably, the add-in only has access to emails which are open when the Mr.
Post button is clicked, but Microsoft states that the add-in has access to
"read or modify the contents of any item in your mailbox, and create new items.
It can access personal information -- such as the body, subject, sender,
recipients, or attachments -- in any message or calendar item."
## Suggested Mitigations
* Make sure this add-in is not installed for any users in your
organization, and (if possible) block it so it cannot be installed.
* Report the add-in to Microsoft. I reported it a week ago, but it is still
online and installable.
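One way to carry out the first mitigation in an Exchange Online tenant is to enumerate add-ins at both organization and mailbox scope and report (or, on request, remove) any whose display name matches the add-in. The script below is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module is installed, that the operator holds a role permitted to run Get-App/Remove-App, and that the add-in's DisplayName contains "Mr. Post" (an assumption; confirm the exact DisplayName and AppId in your tenant before removing anything).

```powershell
# Added example (not from the advisory or the add-in vendor).
# Audits Exchange Online for an Outlook add-in by display name and optionally removes it.
# Assumptions: ExchangeOnlineManagement module present; operator may run Get-App/Remove-App/Set-App;
# the add-in's DisplayName matches the pattern below (verify in your own tenant first).
param(
    [string]$AddInNamePattern = 'Mr\. Post',   # assumed regex against DisplayName
    [switch]$Remove                            # dry run unless -Remove is supplied
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = New-Object System.Collections.Generic.List[object]

# 1. Organization-scope (admin-deployed) add-ins
foreach ($app in Get-App -OrganizationApp) {
    if ($app.DisplayName -match $AddInNamePattern) {
        $findings.Add([pscustomobject]@{
            Scope = 'Organization'; Mailbox = '-'
            AppId = $app.AppId; DisplayName = $app.DisplayName; Enabled = $app.Enabled
        })
        if ($Remove) {
            # Disable rather than delete at org scope so the record of the deployment survives review
            Set-App -Identity $app.AppId -OrganizationApp -Enabled $false -Confirm:$false
        }
    }
}

# 2. Per-user installs from the Office Store
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {
    $apps = Get-App -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
    foreach ($app in $apps) {
        if ($app.DisplayName -match $AddInNamePattern -and $app.Scope -ne 'Organization') {
            $findings.Add([pscustomobject]@{
                Scope = 'User'; Mailbox = $mbx.UserPrincipalName
                AppId = $app.AppId; DisplayName = $app.DisplayName; Enabled = $app.Enabled
            })
            if ($Remove) {
                Remove-App -Identity $app.AppId -Mailbox $mbx.UserPrincipalName -Confirm:$false
            }
        }
    }
}

# Report: on screen for the operator, and as CSV evidence for the incident record
$findings | Format-Table -AutoSize
$findings | Export-Csv -Path .\outlook-addin-audit.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without `-Remove` to see which mailboxes have the add-in and to confirm the DisplayName match is correct, then again with `-Remove` to act on the findings. Preventing users from reinstalling it afterwards is a tenant-level setting (the Integrated apps controls in the Microsoft 365 admin center), not something this script changes.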
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/