by zxcmx 2310 days ago
I think this is an amazing bug for "practical" attackers. Not quite an MS08-067 ... but also sort of better?

For lots of SMBs their OWA (plus maybe a VPN server and a web site hosted elsewhere) is their only online presence.

With this, you phish or stuff one set of user creds and now you have all their mail spools (plus all third party accounts linked to those emails) and are in a great place to pivot to domain admin.

Probably small accounting firms will be worst hit but also countless other small manufacturing and services firms.

1 comments

The small accounting firm we use never sends sensitive information (e.g. tax forms, spreadsheets) in email.
I'm currently going through a process like this with a lawyer in a foreign country; they wanted me to provide banking details, proof of identity and address.

Most of the details I could supply by email, but they were so worried that the emails could/would be modified that a lot of this had to be done via snail mail, and phone calls where I read out my banking details.

On the one hand very understandable, but on the other very frustrating.