NorthSec 2025 - Matthieu Faou - Cyberespionage tactics in webmail exploitation

Cross-site scripting (XSS) vulnerabilities allow attackers to inject malicious script code into legitimate web pages. Identifying XSS vulnerabilities is a typical pentesting exercise, as they are commonly found in web applications that use user-provided, including attacker-controlled, data as output. The theory is well understood, but what do real-world attacks look like?

Our research team at ESET has spent the last two years investigating the exploitation of XSS vulnerabilities in webmail portals. These portals are particularly vulnerable: their main purpose is to display untrusted HTML content, in the form of email messages, in the context of their web applications, which run in their users’ web browsers. During our research, we discovered two zero-day vulnerabilities, one each in Roundcube and MDaemon, and identified the use of multiple N-day vulnerabilities in Roundcube, Zimbra, and Horde.

Our presentation showcases the webmail vulnerabilities we uncovered, and provides a detailed analysis of the exploits and JavaScript payloads used by three cyberespionage groups: Russia-aligned Sednit and GreenCube, and Belarus-aligned Winter Vivern. We demonstrate how these groups leveraged XSS vulnerabilities to steal email messages from government officials and other high-value targets.