{"id":5518,"date":"2025-05-17T06:54:18","date_gmt":"2025-05-16T22:54:18","guid":{"rendered":"https:\/\/cicserver.com\/alternatives-to-microsoft-outlook-webmail-come-under-attack-in-europe\/"},"modified":"2025-05-17T06:54:18","modified_gmt":"2025-05-16T22:54:18","slug":"alternatives-to-microsoft-outlook-webmail-come-under-attack-in-europe","status":"publish","type":"post","link":"https:\/\/cicserver.com\/de\/alternatives-to-microsoft-outlook-webmail-come-under-attack-in-europe\/","title":{"rendered":"Alternatives to Microsoft Outlook webmail come under attack in Europe"},"content":{"rendered":"<p><br \/>\n<br \/><img decoding=\"async\" src=\"https:\/\/www.csoonline.com\/wp-content\/uploads\/2025\/05\/3985986-0-19007200-1747329868-spot_cloud_3x2_05_cw_email_cloud_migration_distributio_by_oatawa_shutterstock_1715370262_royalty-free_digital-only_b-100891927-orig-100943878-orig.jpg?quality=50&amp;strip=all\" \/><\/p>\n<div>\n<p>\u201cOver the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups such as Sednit, GreenCube, and Winter Vivern,\u201d said ESET\u2019s Faou. \u201cBecause many organizations don\u2019t keep their webmail servers up to date, and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft.\u201d<\/p>\n<p>The most important thing for CISOs is to keep the webmail applications up to date, he said. \u201cWhile we do mention in our research the use of zero-day vulnerabilities, in most of the incidents we analyzed, only known vulnerabilities, which had been patched for months, were used. Another hardening avenue, but probably too extreme for most organizations, is to forbid HTML content in emails, and just display raw text. However, this would prevent the use of some functionalities such as text formatting (bold, italic, etc.) 
or the inclusion of hyperlinks.\u201d<\/p>\n<p>Webmail can be described as a website that displays untrusted HTML content in a browser, he said. While most webmail systems sanitize the content to remove harmful HTML elements, which could execute JavaScript code, ESET\u2019s research shows that the sanitizers are not without flaws and that attackers are able to bypass them. As a result, he said, by sending a specially crafted email, attackers are able to execute arbitrary JavaScript code in the context of their target\u2019s browser.\u00a0While this doesn\u2019t lead to the compromise of the computer, he pointed out, executing JavaScript code in the context of the browser enables attackers to steal information from the mailbox, for example, emails or the list of contacts.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>\u201cOver the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups such as Sednit, GreenCube, and Winter Vivern,\u201d said ESET\u2019s Faou. 
\u201cBecause many organizations don\u2019t keep their webmail servers up to date, and because the vulnerabilities can be triggered remotely by sending an email message, [&hellip;]<\/p>","protected":false},"author":3,"featured_media":5519,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-5518","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-blog"},"_links":{"self":[{"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/posts\/5518","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/comments?post=5518"}],"version-history":[{"count":0,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/posts\/5518\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/media\/5519"}],"wp:attachment":[{"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/media?parent=5518"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/categories?post=5518"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/tags?post=5518"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}