Microsoft Exchange Autodiscover bug leaked 100,000 credentials

by Emma Davis
September 24, 2021
Microsoft Exchange Autodiscover bug
Written by Emma Davis

Guardicore researchers have discovered a serious bug in Microsoft Exchange Autodiscover: the problem can be abused to collect credentials from Windows domain and applications. Because of this, approximately 100,000 logins and passwords have already leaked from Windows domains of users from all over the world.

The root of the problem lies in the incorrect operation of the Microsoft Autodiscover protocol. With this feature, mail clients can automatically discover mail servers, provide them with credentials, and get the appropriate settings. Autodiscover is an important part of Exchange because it allows administrators to easily verify that clients are using the correct settings for SMTP, IMAP, LDAP, WebDAV, and so on.

To obtain automatic settings, email clients typically ping against a set of predefined URLs that derive from the email address configured on the client. For example, the experts used the mail amit@example.com and the client tried to use:

  • https://autodiscover.example.com/autodiscover/autodiscover.xml
  • http://autodiscover.example.com/autodiscover/autodiscover.xml
  • https://example.com/autodiscover/autodiscover.xml
  • http://example.com/autodiscover/autodiscover.xml

Guardicore explains that the client will iterate over URLs until it is successfully authenticated to the Microsoft Exchange server and receives configuration information. In addition, this mechanism has a “rollback” procedure that is triggered if the client does not find the Autodiscover Exchange endpoint.

This mechanism is the culprit of the leak, as it always tries to resolve the Autodiscover part of the domain and will always try toβ€œ fail, ”so to speak. That is, our next attempt to create the Autodiscover URL is http://autodiscover.com/autodiscover/autodiscover.xml. This means that the owner of autodiscover.com will receive all requests that could not reach the desired domain.the experts write.

Based on these findings, the company registered a number of Autodiscover domains that were available and launched honeypots on them. Among them:

  • Autodiscover.com.br (Brazil);
  • Autodiscover.com.cn (China);
  • Autodiscover.com.co (Colombia);
  • Autodiscover.es (Spain);
  • Autodiscover.fr (France);
  • Autodiscover.in (India);
  • Autodiscover.it (Italy);
  • Autodiscover.sg (Singapore);
  • Autodiscover.uk (Great Britain);
  • Autodiscover.xyz;
  • Autodiscover.online.
Microsoft Exchange Autodiscover bug

Attempting to connect to Autodiscover.xyz

For more than four months, from April 16, 2021 to August 25, 2021, these servers received hundreds of requests with thousands of credentials from users who tried to set up their mail clients, but they could not find a suitable Autodiscover endpoint. It is emphasized that before sending an authenticated request, clients did not even try to check if the resource was available and if it even existed.

Guardicore intercepted 372,072 credentials from Windows domains and 96,671 unique accounts from various applications such as Microsoft Outlook.the researchers said.

It ended up with an impressive collection of credentials for a wide variety of companies and businesses, including food manufacturers, banks, power plants, real estate, shipping and logistics, fashion and jewellery firms, and a number of publicly traded Chinese companies.

Although all credentials came over unencrypted HTTP connections, the researchers also detail how to collect credentials using NTLM and Oauth.

Since there are no patches yet, and Microsoft has not commented on the situation, the researchers advise companies to block any Autodiscover domains at the firewall or DNS level so that devices cannot connect to them (the company has prepared a list of such domains). It is also recommended to disable Basic Authentication as it sends credentials in clear text.

Let me remind you that recently vulnerabilities in Microsoft Exchange have affected tens of thousands of organizations.

Emma Davis
Emma Davis
IT Security Expert
It is better to prevent, than repair and repent!
When we talk about the intrusion of unfamiliar programs into your computer's work, the proverb "Forewarned is forearmed" describes the situation as accurately as possible. Gridinsoft Anti-Malware is exactly the tool that is always useful to have in your armory: fast, efficient, up-to-date. It is appropriate to use it as an emergency help at the slightest suspicion of infection.
Anti-Malware
DOWNLOAD NOW
Gridinsoft Anti-Malware 6-day trial available.
EULA | Privacy Policy | 10% Off Coupon
Subscribe to our Telegram channel to be the first to know about news and our exclusive materials on information security.
Sending
User Review
5 (1 vote)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

View all posts

Leave a Reply

Sending