OWA bug allows bypass of Microsoft Exchange Legal Hold feature

Last week, my fellow Microsoft MVPs Tony Redmond and Paul Cunningham — and others in the Microsoft Exchange community — wrote about an interesting little bug in Outlook Web App (OWA) that allows a bypass of legal hold on an individual’s mailbox in a delegated scenario.

What is Microsoft Exchange Litigation Hold and In-Place Hold?

Before I explain the bug, let me explain legal hold briefly so you understand how serious this is. In a world where regulatory compliance is essential for most organizations, the key term for email administrators is “discovery.” Email data must be discoverable. How you accomplish that may vary, but an archive solution with enterprise-grade discovery tools is an admin’s friend when litigation comes up against your company, whether from a sexual harassment suit or from accusations that financial or healthcare data was shared inappropriately. However, built right into Exchange is a feature called “Legal Hold,” known as Litigation Hold (Exchange 2010 and later) or In-Place Hold (Exchange 2013 and Office 365) depending on the version of Exchange. What this does is put an immediate preservation lock on a mailbox so that, once a lawsuit has arisen, the user cannot permanently delete an email message: anything the user deletes or purges is retained in the mailbox’s Recoverable Items folder, where it remains searchable by eDiscovery.

A recently discovered bug in OWA allows a user to bypass Microsoft Exchange Legal Hold. (Image: Dreamstime)

As a scenario, Mr. Smutty is sending inappropriate emails to a co-worker using his work email. She obtains a lawyer, who notifies HR that there is litigation against the company and its employee, Mr. Smutty. The HR person, after mumbling ‘not again’ under her breath, has the authority (provided via the Microsoft Exchange admin) to immediately place Mr. Smutty’s mailbox on legal hold. At this point no email can be permanently deleted. So even if he becomes aware of the lawsuit, locates these inappropriate emails and deletes them (and they appear deleted to him), they still reside in the Deletions subfolder of the Recoverable Items folder (or in its Purges subfolder if he also empties Recoverable Items) and hence are still discoverable through search.

Limitations of Legal Hold

Legal Hold sounds like a great tool. However, it has some blatant limitations. First off, Mr. Smutty, although an idiot for using his work email, deletes these messages well ahead of the litigation, and therefore legal hold is of no value: it only preserves what is still in the mailbox (including Recoverable Items) at the moment the hold is applied. So the only way to combat this is to keep his mailbox, in fact all mailboxes, on legal hold all the time. But with an on-premises Exchange environment that would involve quite a bit of bloat. How much easier to have an interactive (users can search for and locate their own emails) but untouchable (i.e., cannot delete email) archive solution as a means of preventive maintenance (users know their mail is retained) and easy discovery.

OWA bug allows bypass of Microsoft Exchange Legal Hold

There is, however, a reported bug involving legal hold, Outlook Web App and mailbox delegation. The scenario is outlined by Microsoft. Ultimately, if you are using Exchange Server 2013 (including CU6) or Office 365 and you have two users where one user (User A) is on litigation hold but the other user (User B) is not, and you give User B delegate access to User A’s mailbox, then User B can open User A’s mailbox through Outlook Web App (OWA) and delete folders (with mail in them) or move folders, and this circumvents the legal hold process: those items become undiscoverable. According to Microsoft, “the items are preserved according to the hold settings of the delegate’s own mailbox, not the settings of the delegated mailbox.” In other words, the hold that is honored is the one on the mailbox of the person doing the deleting, not the one on the mailbox whose data is being deleted.

Ahem… uh… yikes!!! Talk about a lack of compliance. Microsoft’s initial response is to either put all users who participate in delegated scenarios on legal hold (so that both User A and User B are on hold) or disable OWA for the users who have been granted delegate access to another mailbox. Both approaches will work, but neither is a true fix. No doubt Microsoft will work fast to resolve the matter. However, to me it highlights the need to look at a third-party enterprise-grade archive solution to ensure compliance is met.
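Either workaround only helps if you know which delegates are affected. The script below is an added example, not code from the original article or from Microsoft: it walks every mailbox that is on Litigation Hold or In-Place Hold, lists the Full Access delegates on each one, and reports delegates whose own mailbox is not on hold, since those are exactly the users whose OWA deletions would be judged by the wrong hold settings. With the -Mitigation parameter it can then apply either of Microsoft’s two workarounds. It assumes an Exchange 2013 Management Shell or a remote PowerShell session to Exchange Online; the -Mitigation parameter and its Report/HoldDelegates/DisableDelegateOwa values are my own naming, not an Exchange feature.

```powershell
# Added example (not from the original article or from Microsoft).
# Audit mailboxes on Litigation Hold / In-Place Hold for Full Access delegates
# that are NOT themselves on hold, then optionally apply one of the two
# workarounds Microsoft describes: hold the delegate too, or disable OWA for them.
# Assumes Exchange 2013 EMS or a remote PowerShell session to Exchange Online.
param(
    # Hypothetical switch for this example: what to do with each finding.
    [ValidateSet('Report', 'HoldDelegates', 'DisableDelegateOwa')]
    [string]$Mitigation = 'Report'
)

# Principals that show up in every permission listing and are not real delegates.
$systemPrincipals = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM')

function Test-MailboxOnHold {
    param([Parameter(Mandatory)]$Mailbox)
    # LitigationHoldEnabled is a boolean; InPlaceHolds holds one GUID per In-Place Hold.
    return ([bool]$Mailbox.LitigationHoldEnabled -or ($Mailbox.InPlaceHolds.Count -gt 0))
}

function Get-FullAccessDelegate {
    param([Parameter(Mandatory)][string]$Identity)
    # Explicit, non-deny Full Access grants only; skip inherited ACEs and orphaned SIDs.
    Get-MailboxPermission -Identity $Identity |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and
            -not $_.IsInherited -and
            -not $_.Deny -and
            $systemPrincipals -notcontains $_.User.ToString() -and
            $_.User.ToString() -notmatch '^S-1-5-'
        } |
        Select-Object -ExpandProperty User
}

# Every mailbox that is currently under some form of hold (User A in the article).
$heldMailboxes = Get-Mailbox -ResultSize Unlimited |
    Where-Object { Test-MailboxOnHold -Mailbox $_ }

# One finding per (held mailbox, delegate-not-on-hold) pair (User B in the article).
$findings = foreach ($mbx in $heldMailboxes) {
    foreach ($delegate in Get-FullAccessDelegate -Identity $mbx.Identity) {
        # Resolve the grantee to a mailbox; groups or non-mailbox principals return nothing.
        $delegateMbx = Get-Mailbox -Identity $delegate.ToString() -ErrorAction SilentlyContinue
        if ($null -eq $delegateMbx) { continue }
        if (-not (Test-MailboxOnHold -Mailbox $delegateMbx)) {
            [pscustomobject]@{
                HeldMailbox = $mbx.PrimarySmtpAddress
                Delegate    = $delegateMbx.PrimarySmtpAddress
                DelegateOwa = (Get-CASMailbox -Identity $delegateMbx.Identity).OWAEnabled
            }
        }
    }
}

switch ($Mitigation) {
    'HoldDelegates' {
        # Workaround 1: put the delegate on Litigation Hold as well, so deletions made
        # through OWA are preserved. (An In-Place Hold would instead be created with
        # New-MailboxSearch -InPlaceHoldEnabled and is not shown here.)
        foreach ($f in $findings) {
            Set-Mailbox -Identity $f.Delegate -LitigationHoldEnabled $true
        }
    }
    'DisableDelegateOwa' {
        # Workaround 2: take OWA away from the delegate; Outlook access is unaffected.
        foreach ($f in $findings) {
            Set-CASMailbox -Identity $f.Delegate -OWAEnabled $false
        }
    }
}

# Always print the findings so the change (or the gap) is on record.
$findings | Sort-Object HeldMailbox, Delegate | Format-Table -AutoSize
```

Run it first with the default -Mitigation Report and keep the output as evidence of which delegate pairs were exposed before you act. Note that it only covers Full Access permissions set with Add-MailboxPermission; delegates granted folder-level rights from Outlook (Add-MailboxFolderPermission) are a separate listing and would need the same check.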

Microsoft has done an amazing job improving the built-in tools for compliance, but there are still occasions where bolt-on is needed to work in harmony with built-in. Granted, I’ll admit my viewpoint on the matter is somewhat skewed and not necessarily objective considering my work with Mimecast. However, I do believe, in this case, my viewpoint is spot on. In times past it wasn’t a problem to say Exchange needed third-party assistance in areas like backup and recovery, archive, monitoring and so on, and in spite of the recent “built-in, not bolt-on” mantra being pushed, I still believe both Exchange and Office 365 become even better for customers when the right bolt-on solutions are used to enhance what has already been provided.
