MB_arr
Staff
Article Id: 423911
Description: This article describes an issue where Man in the Browser (MitB) protection on FortiWeb does not encrypt the password field when accessing Microsoft Exchange OWA (Outlook Web Access). An administrator may observe that the password remains in plaintext in the POST request to auth.owa, even though MitB obfuscation works correctly for both the username and password fields. A fetch error may also appear in the browser's developer tools.
Scope: FortiWeb.
Solution

Problem description:

When Man in the Browser (MitB) Protection is enabled for the OWA authentication page, the password encryption may not function as expected.

Symptoms include:

  • The password value is visible in plaintext within the POST request to auth.owa.
  • A 'fetcherror' entry is displayed in the browser's developer tools (e.g., Firefox DevTools or a HAR export).
  • MitB obfuscation works properly, but encryption fails.

This behavior is caused by OWA's built-in JavaScript form submission call (document.logonForm.submit();). In the browser, calling a form's submit() method performs the submission without firing a submit event, so the MitB encryption script that FortiWeb injects, which runs as a submit handler, is never invoked and the original field values are sent to the server.

 

Solution:

A configuration adjustment and URL rewrite rule are required for MitB to correctly encrypt credentials on the OWA login form.

 

Below are the steps:

 

  1. Configure the MitB rule with explicit URLs.

Avoid wildcard URLs (such as /owa/*), which can cause MitB to be triggered for multiple unrelated paths. Instead, configure the exact GET and POST URLs as shown below:

 

config waf mitb-rule
    edit "owa_mitb_rule"
        set request-type regular
        set request-url /owa/auth/logon.aspx
        set post-url /owa/auth.owa
        config protected-parameter-list
            edit "username"
            next
            edit "password"
                set type password-input
                set encrypt enable
            next
        end
        config allowed-external-domains-list
        end
        set ajaxcheck enable
    next
end

 

  2. Modify OWA logon form behavior.

OWA's native script submits the logon form with a direct call to submit(), which does not raise a submit event and therefore prevents MitB's injected encryption logic from executing.

To fix this, a URL rewrite rule must modify this behavior.

 

Create the following URL Rewrite Rule and assign it to the relevant Server Policy or URL Rewriting Policy protecting Exchange OWA.

 

config waf url-rewrite url-rewrite-rule
    edit "trig_submit"
        set action http-response-body-rewrite
        set body_replace "var submitEvent = new Event(\"submit\"); document.logonForm.dispatchEvent(submitEvent);document.logonForm.submit();"
        config match-condition
            edit 1
                set object http-body
                set reg-exp "document.logonForm.submit\\(\\);"
            next
        end
    next
end

 

This modification dispatches a synthetic submit event to the form before the original submit() call. dispatchEvent() runs the registered submit listeners synchronously, so MitB's injected JavaScript replaces the password field value before submit() serializes the form and sends the POST request.
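The mechanism described above, as an added illustration that is not FortiWeb's or Microsoft's code: a small Node.js model of an HTML form (submit() does not fire a submit event, exactly like the DOM), a stand-in for the injected MitB submit handler, the stock OWA submit path, the rewritten path, and the rule's match-condition regex applied to a constructed fragment of a logon script. The FakeForm class, the hex-based stand-in transform and the OWA_SNIPPET string are assumptions made for the example; FortiWeb's real encryption scheme and the real OWA script are not shown on this page.

```javascript
// Added illustration (not FortiWeb code). Requires Node 15+ for the
// built-in EventTarget and Event globals; no DOM is needed.

// Minimal stand-in for an HTML form. As in the real DOM, submit()
// serialises and "sends" the form WITHOUT dispatching a "submit" event.
class FakeForm extends EventTarget {
  constructor(fields) {
    super();
    this.fields = { ...fields }; // e.g. { username, password }
    this.posted = null;          // what the server would receive
  }
  submit() {
    this.posted = { ...this.fields };
  }
}

// Stand-in for the MitB script FortiWeb injects: a submit listener that
// replaces protected parameter values before the form is serialised.
// The transform ("mitb:" + hex) is an assumption for the example only.
function installMitbHandler(form, protectedParams) {
  form.addEventListener("submit", () => {
    for (const name of protectedParams) {
      if (name in form.fields) {
        form.fields[name] =
          "mitb:" + Buffer.from(form.fields[name]).toString("hex");
      }
    }
  });
}

// Path 1: stock OWA -> document.logonForm.submit();
// No submit event is fired, so the MitB handler never runs.
function stockOwaSubmit(form) {
  form.submit();
  return form.posted;
}

// Path 2: the snippet the FortiWeb rewrite rule injects.
// dispatchEvent() runs the listeners synchronously, so the fields are
// already rewritten when submit() serialises the form.
function rewrittenOwaSubmit(form) {
  const submitEvent = new Event("submit");
  form.dispatchEvent(submitEvent);
  form.submit();
  return form.posted;
}

// The rule's match-condition regex and body_replace text, applied to a
// constructed logon-script fragment (not the real OWA file).
const OWA_SNIPPET = "function clkLgn(){ document.logonForm.submit(); }";
const MATCH_RE = /document.logonForm.submit\(\);/;
const REPLACEMENT =
  'var submitEvent = new Event("submit"); ' +
  "document.logonForm.dispatchEvent(submitEvent);document.logonForm.submit();";

function rewriteBody(body) {
  return body.replace(MATCH_RE, REPLACEMENT);
}

// Runs both paths against the same constructed credentials.
function demo() {
  const creds = { username: "alice", password: "Secret123" }; // constructed
  const stock = new FakeForm(creds);
  installMitbHandler(stock, ["password"]);
  const fixed = new FakeForm(creds);
  installMitbHandler(fixed, ["password"]);
  return {
    stock: stockOwaSubmit(stock),
    rewritten: rewrittenOwaSubmit(fixed),
    rewrittenScript: rewriteBody(OWA_SNIPPET),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

One caveat the model makes visible: new Event("submit") is created non-cancelable, so a listener's preventDefault() is a no-op and the trailing submit() always runs. The rewrite is therefore correct only because the MitB handler rewrites the field values synchronously inside the dispatch, which dispatchEvent() guarantees before it returns.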

 

  3. Assign the rewrite rule.

Once created, assign the URL rewrite rule (trig_submit) to the URL Rewriting Policy linked to the Exchange OWA Server Policy.

  • Navigate to Web Protection -> URL Rewriting -> URL Rewrite Policy.
  • Edit the policy used by the Exchange OWA Server Policy.
  • Add the trig_submit rule.

 

Finally, apply and save the changes.

 

Verification:

  • Re-enable MitB protection for OWA.
  • Clear the browser cache and reload the OWA login page.
  • View the page source of the logon page and confirm that the rewritten snippet (the dispatchEvent call) appears in place of the original document.logonForm.submit(); call, which shows the URL rewrite rule is being applied.
  • Open browser DevTools -> Network -> auth.owa POST request.
  • Confirm that the password field is encrypted (not visible in plaintext) and that the 'fetcherror' entry no longer appears.

 

Conclusion:

The MitB encryption issue with Microsoft Exchange OWA occurs because OWA submits the logon form with a direct submit() call, which never raises the submit event that MitB's injected script relies on.

By explicitly defining the GET and POST URLs in the MitB rule and using a URL Rewrite Rule to dispatch a submit event before the original submit() call, the MitB protection feature successfully encrypts the password field during login.