Microsoft Exchange Autodiscover Leak
Microsoft Exchange Autodiscover protocol found leaking hundreds of thousands of credentials.
Email clients fail over to unexpected domains if they can’t find the right resources
Exchange’s Autodiscover protocol, specifically the version based on POX XML, provides a way for client applications to obtain the configuration data they need to communicate with the Exchange server. It is invoked, for example, when a new Exchange account is added to Outlook: after the user supplies a name, email address, and password, Outlook uses Autodiscover to set up the client.

If the client receives no response from the Autodiscover URLs for the user’s domain (which would happen if Exchange were improperly configured or the client were somehow prevented from reaching the designated resources), the protocol falls back to a “back-off” algorithm that tries Autodiscover with a TLD as the hostname.

“This ‘back-off’ mechanism is the culprit of this leak because it is always trying to resolve the Autodiscover portion of the domain and it will always try to ‘fail up,’ so to speak,” explained Amit Serper, Guardicore area vice president of security research for North America, in the report. “This means that whoever owns Autodiscover.com will receive all of the requests that cannot reach the original domain.”
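The following is an added example, not code from the report or from Microsoft: it models the “fail up” chain described above (drop the leftmost label of the email domain one step at a time, prefixing “autodiscover.”, down to the TLD), flags the candidates that leave the organisation’s own DNS namespace, and emits BIND-style RPZ records that sinkhole them so a misconfigured client fails closed rather than failing up. The domain names and the owned-suffix list are constructed for illustration.

```python
"""Model the Autodiscover back-off ("fail up") chain and find where it leaks.

Added example, not the report's or Microsoft's code. The chain is modelled as:
autodiscover.<domain>, then one label shorter each step, ending at
autodiscover.<tld>.
"""
from typing import List


def failup_hosts(email_domain: str) -> List[str]:
    """Hostnames the client would try, in order, under the modelled back-off."""
    labels = email_domain.lower().strip(".").split(".")
    return ["autodiscover." + ".".join(labels[i:]) for i in range(len(labels))]


def leaking_hosts(email_domain: str, owned_suffixes: List[str]) -> List[str]:
    """Hosts in the chain that are NOT under a domain the organisation controls.

    Any request reaching one of these (Basic-auth credentials included) goes to
    whoever registered autodiscover.<suffix>, which is the leak in the article.
    """
    owned = [s.lower().strip(".") for s in owned_suffixes]
    leaking = []
    for host in failup_hosts(email_domain):
        parent = host[len("autodiscover."):]
        if not any(parent == o or parent.endswith("." + o) for o in owned):
            leaking.append(host)
    return leaking


def rpz_sinkhole_records(hosts: List[str]) -> List[str]:
    """RPZ records (BIND convention: 'CNAME .' returns NXDOMAIN) for each host,
    so an internal resolver refuses the out-of-scope lookups."""
    return [f"{h} CNAME ." for h in hosts]


if __name__ == "__main__":
    # Constructed sample: mail domain of a fictional organisation that owns example.com
    domain, owned = "mail.corp.example.com", ["example.com"]
    print("chain   :", failup_hosts(domain))
    print("leaks to:", leaking_hosts(domain, owned))
    print("\n".join(rpz_sinkhole_records(leaking_hosts(domain, owned))))
```

Feeding every mail domain the organisation uses through leaking_hosts gives the full list of external hostnames that would receive failed-over requests; the same list can be used as an egress-proxy deny list for the HTTPS side.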
Between April 16, 2021 and August 25, 2021, Guardicore received about 649,000 HTTP requests aimed at its Autodiscover domains, 372,000 requests with credentials in basic authentication, and roughly 97,000 unique pre-authentication requests.
The credentials came from publicly traded companies in China, food makers, investment banks, power plants, energy delivery firms, real estate businesses, shipping and logistics operations, and fashion/jewelry companies. Serper said he has no way of knowing whether anyone has abused this flaw. “However, since these protocol design flaws have been known for a while, I wouldn’t be surprised if a threat actor with DNS poisoning capabilities had tried it,” he said. “If a threat actor is in the same network as the victim (for example on the same LAN/WLAN), conducting a DNS poisoning attack in order to make the victim leak these credentials is a totally viable scenario.”
LATG knows how to fix this problem. Please contact us for an appointment.