
Exchange UM Toll Fraud Risk, Don’t Weaken Your PIN Settings

Published 18/01/2016 - 2 Comments

Exchange Unified Messaging is the voicemail platform common to most Lync/Skype for Business installs, and it also supports PBX systems. We've recently seen a new toll fraud attack targeting Exchange UM to relay calls and either bypass call charges or run up charges on premium rate numbers.

The attack relies on guessing or otherwise compromising users' PINs.

  • The attacker calls the compromised user's DDI, presenting as their calling party number the number they want to be connected to, +4444 in this example (most likely by spoofing the calling party number),
  • Leaves a short, usually empty, voicemail.
  • They then call the DDI again, press * at the voicemail greeting and enter the user's PIN. From here they can listen to the voicemails, and critically Exchange UM allows users to "call back" people who left voicemails, which lets the attacker bridge their current, usually local rate, call to the voicemail's calling party (+4444).

By leaving a voicemail from a spoofed premium rate number (+4444 in our example), the attacker can then rack up charges to that number, or get a low-cost call to some international or mobile number.

By default Exchange UM PINs are 6 digits, random, don't allow common patterns, and lock out after 5 incorrect attempts. Unfortunately some people set these to less secure 4-digit PINs or allow common patterns (like the last X digits of the phone number, or setting all users' PINs to the same number). It's unclear if the PINs are being guessed or war dialed, but since the default number of attempts before lockout is 5, it seems more likely they are being guessed, leaked or social engineered somehow.

Standard advice is to keep these PINs at least 6 digits and complex, keep the lockout feature, and consider limiting the call back feature's dial plan to only allow internal extensions or regional/national numbers as appropriate for your organisation. You could even disable this feature for users that don't use it (doesn't everyone listen to voicemail in their email these days? :-)
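The following is an added example, not part of the original post or of any Microsoft script, showing how you might audit every UM mailbox policy in the Exchange Management Shell against the PIN and call-back settings recommended above and report the ones that have been weakened. It assumes the property and parameter names exposed by Get-UMMailboxPolicy / Set-UMMailboxPolicy (MinPINLength, AllowCommonPatterns, LogonFailuresBeforePINReset, MaxLogonAttempts, AllowedInternationalGroups, AllowedInCountryOrRegionGroups); the thresholds are this post's advice, and the policy name 'Default Policy' in the remediation line is a placeholder.

```powershell
# Added example (not from the original post): audit UM mailbox policies for
# the weakened PIN / call-back settings that make the toll fraud above possible.
# Thresholds below are the post's recommendations, not vendor defaults.
$Baseline = @{
    MinPINLength                = 6       # keep PINs at 6 digits or more
    LogonFailuresBeforePINReset = 5       # bad attempts tolerated before the PIN is reset
    MaxLogonAttempts            = 15      # assumed ceiling for hard lockout; tune for your org
}

function Test-UMMailboxPolicyHardening {
    # Accepts objects from Get-UMMailboxPolicy on the pipeline and emits one
    # result object per policy with a list of findings (empty = hardened).
    param(
        [Parameter(ValueFromPipeline = $true)]
        $Policy
    )
    process {
        $findings = @()

        if ($Policy.MinPINLength -lt $Baseline.MinPINLength) {
            $findings += "MinPINLength is $($Policy.MinPINLength); expected at least $($Baseline.MinPINLength)"
        }
        if ($Policy.AllowCommonPatterns) {
            # Exchange treats subsets of the phone number, sequential and repeated
            # digits as 'common patterns'; allowing them makes PINs guessable.
            $findings += "AllowCommonPatterns is enabled"
        }
        if ($Policy.LogonFailuresBeforePINReset -gt $Baseline.LogonFailuresBeforePINReset) {
            $findings += "LogonFailuresBeforePINReset is $($Policy.LogonFailuresBeforePINReset); expected at most $($Baseline.LogonFailuresBeforePINReset)"
        }
        if ($Policy.MaxLogonAttempts -gt $Baseline.MaxLogonAttempts) {
            $findings += "MaxLogonAttempts is $($Policy.MaxLogonAttempts); expected at most $($Baseline.MaxLogonAttempts)"
        }
        # Call-back scope: international call-backs are what the attacker monetises.
        if ($Policy.AllowedInternationalGroups.Count -gt 0) {
            $findings += "International call-back groups allowed: $($Policy.AllowedInternationalGroups -join ', ')"
        }
        if ($Policy.AllowedInCountryOrRegionGroups.Count -gt 0) {
            # Not necessarily wrong (national numbers may be acceptable), but worth reviewing.
            $findings += "In-country call-back groups allowed: $($Policy.AllowedInCountryOrRegionGroups -join ', ')"
        }

        [pscustomobject]@{
            Policy   = $Policy.Name
            Hardened = ($findings.Count -eq 0)
            Findings = $findings
        }
    }
}

# Usage, in the Exchange Management Shell:
Get-UMMailboxPolicy | Test-UMMailboxPolicyHardening | Format-List

# Remediation for a policy flagged above (policy name is a placeholder):
# Set-UMMailboxPolicy -Identity 'Default Policy' -MinPINLength 6 -AllowCommonPatterns $false `
#     -LogonFailuresBeforePINReset 5 -AllowedInternationalGroups $null
```

Run the audit read-only first and review the in-country findings by hand, since whether national call-backs are acceptable depends on your dial plan; only the international groups are an unambiguous finding for the attack described here.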

Tobie Fysh has a great write up of the attack and mitigations here, check it out.

Tom Arbuthnot

Principal Solutions Architect at Modality Systems
Tom Arbuthnot is Principal Solutions Architect at Unified Communications specialist Modality Systems. He is a Microsoft Certified Master and MVP, blogger, regular on The UC Architects Podcast, and speaker at events including Microsoft TechEd and Ignite. He co-runs The Microsoft UC User Group London.


shawn - 14/02/2016 Reply

Isn't the likelihood of such an attack pretty low, as dialing rule restrictions by default don't allow UM to place any call? Usually you wouldn't allow international calls either from UM. Regardless, all the more reason to encourage proper use of dialing rule restrictions in UM to prevent toll fraud.

    Tom Arbuthnot - 14/02/2016 Reply

    It's hard to say how likely an attack is, but we've definitely seen it in the wild. Agree with you re outbound dialing rules from Exchange.
