
Is Your Biggest Office 365 Threat a Little Old iPhone? CoreView’s Got You Covered!


Update Users’ iPhones or Move Off iOS Mail NOW to Protect Your O365 Tenant


Often the biggest security threat is a vulnerability that has been around for a while, but never fully closed. Just as often, the flaw is patched – but not all install the fix. Knowing this, cybercriminals have a field day exploiting this very vulnerability, using the patch itself as an attack blueprint.

Every iPhone made in the last 8 years – all 900 million of them – had a longstanding flaw that allowed for remote execution of malware and ransomware. This is not just a security problem for the phone itself – if that phone is connected to an O365 tenant, say through their iOS Mail App, those attacks can spread through the O365 environment in a flash.

In the case of O365, the native iOS mail client, when used with Exchange, has a vulnerability that allows remote execution of code directly from an email message, and against your Microsoft environment. What is particularly concerning is that the remote execution can occur whether or not the message is read.

There is even worse news. “The malware spreads by forwarding email messages. So it spreads horizontally throughout the organization. It’s not just taking out your iPhone, it’s spread horizontally through email,” said Matt Smith, CoreView solution architect.

Before news of this vulnerability spread widely, there were no actual attacks in the wild. That all changed with increased publicity this spring, and now there are active and growing exploits.

Failure to Update

While Apple finally released a fix for this years-old flaw in June in the form of the updated iOS 13.5, the update does not work unless it is installed. Apple does rolling updates to iPhones, but users too often put them off.

Your O365 shop is not safe unless each and every iPhone user updates their device – or switches to a Microsoft email solution for their phone. Meanwhile, there is no patch for older versions of iOS so updating the OS or getting off the iOS Mail App are the only answers.

The flaw raised alarms in Germany, leading Germany’s Federal Office for Information Security (BSI) to release a statement calling for users to remove the iOS Mail app. “The BSI assesses these vulnerabilities as particularly critical. It enables the attackers to manipulate large parts of the mail communication on the affected devices. Furthermore, there is currently no patch available. This means that thousands of iPhones and iPads are at acute risk from private individuals, companies and government agencies,” said BSI President Arne Schönbohm.

Microsoft Wants You to Move off the iOS Mail App Anyhow

Microsoft is concerned with email-borne attacks and is ‘deprecating’ legacy email tools, along with their authentication methods and protocols, believing them unsafe.

In the case of the iOS Mail App, it uses the legacy authentication protocol called EAS or Exchange Active Sync. “That mail client is problematic in a couple of ways. The fix is either you update your iPhone to version 13.5 or later, or you replace the mail client with Outlook for iPhone. Outlook for iPhone is the path going forward because that also takes care of one of the legacy authentication problems – which is why Microsoft is depreciating that protocol in Q3 of next year,” said CoreView’s Smith.

What the iOS Flaw Means for O365 – and How to Fix It

The iOS Mail application is used by millions of users for O365 Exchange Online and other mail applications. As mentioned, for O365, iOS Mail leverages the Exchange Active Sync (EAS) mail protocol to retrieve messages.

Meanwhile, Microsoft wants all O365 shops to ease away from legacy mail solutions to newer, safer systems and protocols. The real fix for the iOS flaw and long-term O365 safety is to replace the native Apple Mail client with Microsoft’s Outlook for iOS.

What CoreView Customers Can Do Now – Step One

CoreView can deal with this iOS flaw, and other device patch and update issues, through our deep device management. In the case of iOS, CoreView customers should search in Analyze | Device Reports | Mobile Devices to identify customers with iOS < 13.5.1 and who are using the EAS protocol. Be aware that other significant issues exist for iOS 11, 11.4, and 12.4. Then use CoreAdoption to communicate with users and deliver instructions on switching the default mail client to Outlook. Sample information here: and here:
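The Step One filter (iOS below 13.5.1 and syncing over EAS) can be expressed as a small triage script over a device inventory export. This is an added example, not CoreView code; the CSV column names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Threshold from Step One above: flag iOS releases below 13.5.1.
MIN_SAFE_IOS = (13, 5, 1)

# Constructed sample export; column names and values are illustrative assumptions.
SAMPLE_EXPORT = """\
user,device_os,client_type
alice@example.com,iOS 12.4.1 BUILD1,EAS
bob@example.com,iOS 13.5.1 BUILD2,EAS
carol@example.com,iOS 13.10,EAS
dave@example.com,iOS 13.3,Outlook
erin@example.com,Android 10,EAS
frank@example.com,iOS,EAS
"""

def parse_ios_version(device_os):
    """Return the iOS version as a 3-tuple of ints, or None if it cannot be read."""
    m = re.match(r"\s*iOS\s+(\d+(?:\.\d+){0,2})", device_os, re.IGNORECASE)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad so "13.5" compares as (13, 5, 0); tuples avoid the string-compare
    # trap where "13.10" sorts before "13.5.1".
    return tuple(parts + [0] * (3 - len(parts)))

def classify(row):
    """Return 'at_risk', 'unknown' or 'not_flagged' for one inventory row."""
    if not row["device_os"].strip().lower().startswith("ios"):
        return "not_flagged"  # not an iOS device
    if row["client_type"].strip().upper() != "EAS":
        return "not_flagged"  # not syncing through Exchange ActiveSync
    version = parse_ios_version(row["device_os"])
    if version is None:
        return "unknown"  # iOS over EAS with no readable version: review by hand
    return "at_risk" if version < MIN_SAFE_IOS else "not_flagged"

def triage(export_text):
    """Group users in the export by classification."""
    result = {"at_risk": [], "unknown": [], "not_flagged": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        result[classify(row)].append(row["user"])
    return result

if __name__ == "__main__":
    for status, users in triage(SAMPLE_EXPORT).items():
        print(status, users)
```

Devices that report iOS over EAS without a parseable version land in `unknown` rather than being silently passed, so they can be checked manually.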

How CoreView Automates the Fix with Workflow – Step Two

The approach to fixing iOS and other device issues can be automated through CoreView workflows. CoreView admins can create a workflow to identify iPhones with the older OS, or still using the iOS Mail App, and update iOS or move users off the iOS Mail App.

Knowing that iOS MailDemon attacks are in the wild with millions of non-updated iPhones and countless folks using the iOS Mail App, CoreView co-founder David Mascarella rushed out a KPI to identify and delineate the issue, and an automated workflow that solves the problem tout de suite.

“I created a policy that identifies the devices affected by this vulnerability. We also have the explanation that describes the vulnerability and the effect that the vulnerability can have. If we select the policy that dives into the data, the system will automatically target the users that are affected. We do that by targeting all users with mobile devices, with the operating system equal to iOS, with the versions that do not include 13.5,” Mascarella explained.

The KPI and workflow then suggest management actions an operator can perform in order to disassociate these mobile devices from the tenant, and also run a workflow. “When you run the workflow, the system automatically targets all of the affected users, and sends an email — there is a description of the problem CoreView detected, that you are accessing your email with an unsafe client. You have to update your mobile device. To learn how to update your mobile device operative system, please look at this video. There is a link to a helpful video that shows how to update the device,” Mascarella said.

The workflow offers several ways to remediate the iOS problem. We mentioned sending an email advising an end user to update iOS or switch off the iOS Mail App. It can also remove the device.

Finally, the workflow can automatically enforce an iOS security policy. IT can have a report showing which devices are still not secure, and run the report, say, every Friday. If the report is empty, there is no problem. “Every Friday the system will check if we still have a user who has not updated their device. Then the system will engage the user and alert them to update their system. You can also make these workflows more active, and run these workflows every day. You can also deactivate the mobile device, and remove the mobile devices and the email client,” Mascarella said.

How to Collect Rich Device Data

If you care about the security of devices accessing your O365 tenant, it is best to do device joins or registration for Azure Active Directory so the directory knows these devices exist, and understands their profile. That is a prerequisite for making that data available, and for CoreView to report on those devices. “That’s going to unlock a whole host of reporting for things like legacy authentication, and other problems coming down the pipe,” CoreView’s Smith noted.

Find Out How CoreView Helps Secure iPhones and Get Your Workflow Fix

See how CoreView can solve your iOS worries with a demo of CoreFlow workflow. For current customers, reach out to your customer success manager – they have something special for you!
