The paper referenced below, analyzes a real and unique APT technique detected by the Cybereason platform. Cybereason is a team of ex-military cybersecurity experts providing Cyber incidents detection and response services.
The attack involved a malicious module that was loaded onto Microsoft Outlook Web Application (OWA), an internet-facing webmail server, which enabled the attackers to record authentication credentials and be provided with complete backdoor capabilities. By using this approach, the hackers managed to collect and retain ownership over a large set of credentials, allowing them to maintain persistent control over the organization's environment.
Cybereason full analysis report is available here - http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Labs-Analysis-Webmail-Sever-APT.pdf