@momurda said in OWA is vulnerable to Phishing:
Quick question; How would you go about getting your phishing page to OWA users at a company you were targeting? send them an email with a subject like 'click here to login to your company webmail"? with a link to the fake owa site? They would already have their email open. I suppose it could happen that way, these are users we're talking about.
In the Eternal War on Spam/Malware, what can be done?
I've told users they have to change their webmail password. If they fail I explain to them they don't have a special login for webmail and they will get an official email, not a generic change you password one.