OWA bug allows bypass of Microsoft Exchange Legal Hold feature
Last week, my fellow Microsoft MVPs Tony Redmond and Paul Cunningham — and others in the Microsoft Exchange community — wrote about an interesting little bug in Outlook Web App (OWA) that allows a bypass of legal hold on an individual’s mailbox in a delegated scenario.
What is Microsoft Exchange Litigation Hold and In-Place Hold?
Before I explain the bug, let me explain legal hold real briefly so you understand how serious this is. In a world where regulatory compliance is essential for most organizations, the key term for email administrators is “discovery.” Email data must be discoverable. How you accomplish that may vary but an archive solution with enterprise grade discovery tools is an admin’s friend when litigation comes up against your company due to a sexual harassment suit, or accusations of financial data or healthcare data and so forth being shared inappropriately. However, built right into Exchange, is a feature called “Legal Hold,” aka litigation hold or in-place hold depending on the version of Exchange. What this does is put an immediate block on a mailbox to ensure the user cannot permanently delete an email message once a lawsuit has arisen.
A recently-discovered bug in OWA allows a user to bypass Microsoft Exchange Legal Hold. (Image: Dreamstime)
As a scenario, Mr. Smutty is sending inappropriate emails to a co-worker using his work email. She obtains a lawyer who notifies HR that there is litigation against the company and their employee, Mr. Smutty. The HR person, after mumbling under her breath ‘not again,’ has the authority — provided via the Microsoft Exchange admin — to immediately place Mr. Smutty’s mailbox on legal hold. At this point no email can be deleted permanently. So, even if he becomes aware of the lawsuit and locates these inappropriate emails and deletes them (and they appear deleted to him) they still reside with the Deletions sub-folder of the Recoverable Items folder and hence are still discoverable through search.
Limitations of Legal Hold
Legal Hold sounds like a great tool. However, it has some blatant limitations. First off, Mr. Smutty, although an idiot for using his work email, deletes these messages well ahead of the litigation and therefore legal hold is of no value. So the only way to combat this is to keep his mailbox, in fact, all mailboxes on legal hold all the time. But with an on-premise Exchange environment that would involve quite a bit of bloat. How much easier to have an interactive, (users can search for and locate their own emails) but untouchable (ie. cannot delete email) archive solution as a means of preventative maintenance (users know their mail is retained) and easy discovery.
OWA bug allows bypass of Microsoft Exchange Legal Hold
There is, however, a reported bug with regard to legal hold, Outlook Web App and mailbox delegation. The scenario is outlined by Microsoft. Ultimately if you are using Exchange Server 2013 (including CU6) or Office 365 and you have two users where one user (User A) is on litigation hold but the other user (User B) is not, and you give User B delegation control over User A’s mailbox, than User B could go in through Outlook Web App (OWA) and delete folders (with mail in them) or move folders over and this circumvents the legal hold process. Now those items will be undiscoverable. Ultimately, according to Microsoft, “the items are preserved according to the hold settings of the delegate’s own mailbox, not the settings of the delegated mailbox.”
Ahem… uh… yikes!!! Talk about a lack of compliance. Microsoft’s initial response to address the matter is to either put all users on legal hold that are participating in delegated scenarios (so that both user A and B would be on legal hold) or disable OWA for users who have delegated access to their mailbox. Both approaches will work but neither is a true fix. No doubt Microsoft will work fast to resolve the matter. However, to me it highlights the need to look at a third-party enterprise grade archive solution to ensure compliance is met.
Microsoft has done an amazing job improving the built-in tools for compliance, but there are still occasions where bolt-on is needed to work in harmony with built-in. Granted, I’ll admit my viewpoint on the matter is somewhat skewed and not necessarily objective considering my work with Mimecast. However, I do believe, in this case, my viewpoint is spot on. In times past it wasn’t a problem to say Exchange needed third-party assistance in areas like backup and recovery, archive, monitoring, etc… and in spite of the recent “built-in, not bolt-on” mantra being pushed, I still believe both Exchange and Office 365 become even better for customers when the right bolt-on solutions are used to enhance what has already been provided.