#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Hacking Microsoft Office Outlook | Breaking Cybersecurity News | The Hacker News

Microsoft Pays $13,000 to Hacker for Finding Authentication Flaw

Microsoft Pays $13,000 to Hacker for Finding Authentication Flaw

Apr 04, 2016
A security researcher has won $13,000 bounty from Microsoft for finding a critical flaw in its main authentication system that could allow hackers to gain access to a user's Outlook, Azure and Office accounts. The vulnerability has been uncovered by UK-based security consultant Jack Whitton and is similar to Microsoft's OAuth CSRF (Cross-Site Request Forgery) in Live.com discovered by Synack security researcher Wesley Wineberg. However, the main and only difference between the vulnerabilities is that: Flaw discovered by Wineberg affected Microsoft's OAuth protection mechanism while the one discovered by Whitton affected Microsoft's main authentication system. Microsoft handles authentication across its online services including Outlook, Azure and Office through requests made to login.live.com, login.windows.net, and login.microsoftonline.com. Now, for example, if a user browses to outlook.office.com, he/she redirects to a login.microsoftonline
Microsoft will Inform You If Government is Spying on You

Microsoft will Inform You If Government is Spying on You

Dec 31, 2016
Following in the footsteps of Twitter, Facebook and Google, Microsoft promises to notify users of its e-mail ( Outlook ) and cloud storage ( OneDrive ) services if government hackers may have targeted their accounts. The company already notifies users if an unauthorized person tries to access their Outlook or OneDrive accounts. But from now on, the company will also inform if it suspects government-sponsored hackers. Ex-Employee: Microsoft Didn't Notify When China Spied Tibetans Leaders The move could be taken in the wake of the claims made by Microsoft's former employees that several years ago Chinese government hacked into more than a thousand Hotmail email accounts of international leaders of Tibetan and Uighur minorities , but the company decided not to tell the victims, allowing the hackers to continue their campaign. Instead of alerting those leaders of the hacking attempts, Microsoft simply recommended them to change their passwords without disclosi
SaaS Compliance through the NIST Cybersecurity Framework

SaaS Compliance through the NIST Cybersecurity Framework

Feb 20, 2024Cybersecurity Framework / SaaS Security
The US National Institute of Standards and Technology (NIST) cybersecurity framework is one of the world's most important guidelines for securing networks. It can be applied to any number of applications, including SaaS.  One of the challenges facing those tasked with securing SaaS applications is the different settings found in each application. It makes it difficult to develop a configuration policy that will apply to an HR app that manages employees, a marketing app that manages content, and an R&D app that manages software versions, all while aligning with NIST compliance standards.  However, there are several settings that can be applied to nearly every app in the SaaS stack. In this article, we'll explore some universal configurations, explain why they are important, and guide you in setting them in a way that improves your SaaS apps' security posture.  Start with Admins Role-based access control (RBAC) is a key to NIST adherence and should be applied to every SaaS a
New Attack Targeting Microsoft Outlook Web App (OWA) to Steal Email Passwords

New Attack Targeting Microsoft Outlook Web App (OWA) to Steal Email Passwords

Oct 06, 2015
Researchers have unearthed a dangerous backdoor in Microsoft's Outlook Web Application (OWA) that has allowed hackers to steal e-mail authentication credentials from major organizations. The Microsoft Outlook Web Application or OWA is an Internet-facing webmail server that is being deployed in private companies and organisations to provide internal emailing capabilities. Researchers from security vendor Cybereason discovered a suspicious DLL file loaded into the company's OWA server that siphoned decrypted HTTPS server requests. Although the file had the same name as another benign DLL file, the suspicious DLL file was unsigned and loaded from another directory. Hackers Placed Malicious DLL on OWA Server According to the security firm, the attacker replaced the OWAAUTH.dll file ( used by OWA as part of the authentication mechanism ) with one that contained a dangerous backdoor. Since it ran on the OWA server, the backdoored DLL file allowed hacker
cyber security

Are You Vulnerable to Third-Party Breaches Through Interconnected SaaS Apps?

websiteWing SecuritySaaS Security / Risk Management
Protect against cascading risks by identifying and mitigating app2app and third-party SaaS vulnerabilities.
Cybersecurity Resources