Errors while implementing the Microsoft Exchange Autodiscover feature have leaked approximately 100.000 login names and passwords for Windows domains worldwide.
In a new report by Amit Serper, Guardicore's AVP of Security Security, the researcher reveals how the implementation of the Autodiscover protocol causes Windows credentials to be sent to unreliable third-party sites.
What is Microsoft Exchange Autodiscover?
Microsoft Exchange uses an Autodiscover feature to automatically configure a user's mail client, such as Microsoft Outlook, with their organization's preset mail settings.
When an Exchange user enters their email address and password into a mail client such as Microsoft Outlook, the mail client then tries to authenticate to various Exchange Autodiscover URLs.
During this authentication process, the login name and password are automatically sent to the Autodiscover URL.
The Autodiscover URLs to which they will link come from the client-configured email address.
For example, when Serper tested Autodiscover using the email 'firstname.lastname@example.org', it found that the mail client tried to authenticate to the following Autodiscover URLs:
The mail client would test each URL until it was successfully authenticated to the Microsoft Exchange server and the configuration information was sent back to the client.
Leakage of credentials in external domains
If the client could not authenticate to the above URLs, Serper found that some mail clients, including Microsoft Outlook, would perform a "back-off" process. This process attempts to generate additional URLs for authentication, such as in the autodiscover domain. [Tld], where the TLD comes from the user's email address.
In this case, the URL that is created is http://Autodiscover.com/Autodiscover/Autodiscover.xml.
In a new report by Amit Serper, Guardicore's AVP on Security Research, the researcher reveals how the implementation of the Autodiscover protocol causes mail clients to be identified in unreliable domains, such as autodiscover.com.
As the email user's organization does not own this domain and the credentials are automatically sent to the URL, it will allow the domain owner to collect any credentials sent to him.
Microsoft Exchange Autodiscover leak mitigation
Serper has provided some suggestions that organizations and developers can use to mitigate these Microsoft Exchange Automatic Detection leaks.
For organizations that use Microsoft Exchange, they should block all Autodiscover. [Tld] domains in the firewall or DNS server so that your devices can not connect to them. Organizations are also advised to disable basic authentication, as it essentially sends credentials to cleartext.
Source of information: bleepingcomputer.com