Office365 for EDU/Business - impersonate & mislead with group alias

[QuoVadis]

Short description: Considering some of the recent changes brought by Microsoft to the Office365 platform, in particular the "groups" functionality within the emailing system, a user with standard/minimal privileges who is member of an organisation (that has an Office365 EDU/Business license) can create a distribution/mailing list with chosen members and assign an alias to it that can be used for fraudulent/SE/scam/phising purposes. It may be that it is possible for admins to disable such use but so far I have been unable to find one, nor did I find any information about this on the internet. If you do, feel free to share.

PoC: Student "Joe Bloggs" is enrolled at Oxford University. The institution uses Office365 for emails. Their website is University of Oxford and their staff and student email addresses are usually username@ox.ac.uk. Joe is able to log in to his Office365 email account, create a distribution(mailing) list and provide an alias for it (must not collude with existing aliases) something like finance.department@ox.ac.uk. Within that group he can add one member with their personal email address: for example joe.bloggs@gmail.com. Thus, all emails sent to finance.department@ox.ac.uk will end up in joe.bloggs@gmail.com. Although emails cannot be sent from this address, it can be used in various ways (depending on how creative you get with it) to help with SE/impersonation/spam/phising/etc.

Downside: Student "Joe Bloggs" most likely agrees to a certain IT code of conduct/ AUP / etc and is likely to be dismissed or prosecuted. In other words he cannot cover his tracks.

Upside: However, if an attacker gets hold of such an account using various methods, things can turn nasty for the organisation in question.

Steps for setting it up:

1. Log in to the Office365 web client

2. On the right hand side click on "Settings" and then "Options"

3. If it displays the newer view, select "Other" from the left hand side

4. Choose the "Go to the earlier version"

5. Select "Groups" from the left hand side

6. On the right hand side look at "distribution groups I own".

7. Click on the + to create a new one and set up the display name, alias and email address accordingly. Finally add the members that you wish

Voilà!