A CSRF vuln in MS OWA till 2007 SP2 expose corporate/provider mail to be pwned.. Detail here:
Update: my further investigation revealed that vulnerable OWA platform (i can confirm till 2007 SP2 included) doesn't check the HTTP referrer of owa cmd query so exposing webmail to CSRF attack (Cross Site Request Forge).
Many action in OWA context can be exploited like setting a all-inbox forward rule, sending a forged mail, access&steal contact list, delete mail, etc..
Imagine all this combined togheter.. and you got the first amazing OWA worm (POC under development)!!
OWA 2007 patched in SP3
OWA 2003 no more supported, no party!! :-(