In short, attackers targeting a Cybereason client installed a malicious .dll file that OWA loaded as part of its authentication mechanism, the component that authenticates users against the Active Directory server. They also installed an ISAPI filter into the IIS server that filtered HTTP requests. Once installed, the malware wrote all usernames and passwords to an encrypted .txt file on the C: drive, then passively waited for instructions from the attackers over HTTPS.
Unfortunately, Cybereason has not shared the malware, so signatures or hashes cannot be created from it. They have explained that the malware is custom to the victim, so traditional endpoint signatures would likely not work anyway. Further, there are no known C2 domains or IP addresses, as the malware was apparently discovered before it responded to any additional commands.
Cybereason did reveal, however, the name of the malicious file: OWAAUTH.DLL
An RSA ECAT customer can use the Global Module List to CTRL-F search for that file name: OWAAUTH.DLL
If the file(s) appear without a valid Microsoft signature, you may have been compromised by this attack and should begin response procedures. If the attacker followed the same protocol outlined in the Cybereason report, there is also an encrypted file named log.txt stored in C:\. It may contain a large number of domain credentials and should be handled accordingly.
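The same hunt can be run directly on the Exchange server without RSA ECAT. The PowerShell below is an added example, not code from the original post or from RSA or Cybereason; it assumes a standard Exchange install (the ExchangeInstallPath variable, the default IIS applicationHost.config location) and reports only, it changes nothing on the host.

```powershell
# Added hunt script (not from the original post, RSA ECAT or Cybereason).
# Checks the three indicators the post names: OWAAUTH.DLL without a valid
# Microsoft signature, registered ISAPI filters, and C:\log.txt.

# Assumption: Exchange sets ExchangeInstallPath; fall back to the default path.
$searchRoots = @(
    $(if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath } else { 'C:\Program Files\Microsoft\Exchange Server' }),
    (Join-Path $env:windir 'System32\inetsrv')
) | Where-Object { Test-Path $_ }

function Get-SignatureVerdict([string]$Path) {
    # A legitimate Exchange binary is Authenticode-signed by Microsoft; anything
    # unsigned, tampered, or signed by someone else is a finding.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $ok     = ($sig.Status -eq 'Valid') -and ($signer -match 'Microsoft')
    [PSCustomObject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $signer
        Verdict = if ($ok) { 'OK: valid Microsoft signature' } else { 'SUSPECT: not validly Microsoft-signed' }
    }
}

# 1. Every copy of OWAAUTH.DLL under the Exchange and IIS directories.
"== OWAAUTH.DLL copies =="
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Filter 'OWAAUTH.DLL' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SignatureVerdict $_.FullName }
}

# 2. ISAPI filters registered in IIS (global and site-scoped) and who signed them.
"== Registered ISAPI filters =="
$appHost = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
if (Test-Path $appHost) {
    [xml]$cfg = Get-Content -Path $appHost -Raw
    foreach ($flt in $cfg.SelectNodes('//isapiFilters/filter')) {
        $dll = [Environment]::ExpandEnvironmentVariables($flt.path)
        if (Test-Path $dll) { Get-SignatureVerdict $dll | Add-Member -NotePropertyName Filter -NotePropertyValue $flt.name -PassThru }
        else { [PSCustomObject]@{ Filter = $flt.name; Path = $dll; Status = 'FileMissing'; Signer = ''; Verdict = 'CHECK' } }
    }
}

# 3. The credential log the report describes. Preserve it for IR; do not open it here.
"== Credential log =="
$log = 'C:\log.txt'
if (Test-Path $log) {
    $item = Get-Item $log
    "FOUND $log ($($item.Length) bytes, last written $($item.LastWriteTime))"
} else { "$log not present" }
```

Any row marked SUSPECT, a filter whose binary is missing or unexpected, or a present C:\log.txt is the point at which to stop hunting and start the response procedures the post refers to.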