A bug in Microsoft Exchange Autodiscover feature leaks +372K of domain credentials

Pierluigi Paganini September 23, 2021

A flaw in the Microsoft Exchange Autodiscover feature can be exploited to harvest Windows domain and app credentials.

Security researchers from Guardicore discovered a flaw in the Microsoft Exchange Autodiscover feature that can be exploited to harvest Windows domain and app credentials from users worldwide.

The Microsoft Autodiscover protocol feature of Exchange email servers provides an easy way for user clients’ application to configure themselves with minimal user input. According to Microsoft, most users know their email address and password, and with those two pieces of information, you can retrieve all the other details you need to get up and running.

Email clients typically query multiple predetermined URLs derived from the user’s email address domain to automatically configure themselves.

According to Guardicore, the issue is due to the following issues, the “back-off” algorithm, and the poor implementation of the above protocol in some applications.

The experts discovered that the autodiscovery mechanism used a “back-off” procedure in case it doesn’t find the Exchange server’s Autodiscover endpoint.

Below, the way the Autodiscover works:

  1. The client parses the email address supplied by the user – [email protected].
  2. The client then tries to build an Autodiscover URL based on the email address with the following format:
    • https://Autodiscover.example.com/Autodiscover/Autodiscover.xml
    • http://Autodiscover.example.com/Autodiscover/Autodiscover.xml
    • https://example.com/Autodiscover/Autodiscover.xml
    • http://example.com/Autodiscover/Autodiscover.xml

When none of these URLs are responding, the Autodiscover will start its “back-off” procedure.

“This “back-off” mechanism is the culprit of this leak because it is always trying to resolve the autodiscover portion of the domain and it will always try to “fail up” so to speak. Meaning, the result of the next attempt to build an autodiscover URL would be: http://autodiscover.com/autodiscover/autodiscover.xml. This means that whoever owns autodiscover.com will receive all of the requests that can’t reach the original domain.” reads the analysis published by Guardicore.

Amit Serper, AVP of Security Research, North America, Guardicore registered the following Autodiscover-based domains in the attempt to see if they were contacted by the clients:

  • Autodiscover.com.br – Brazil 
  • Autodiscover.com.cn – China 
  • Autodiscover.com.co – Columbia 
  • Autodiscover.es – Spain 
  • Autodiscover.fr – France 
  • Autodiscover.in – India 
  • Autodiscover.it – Italy 
  • Autodiscover.sg – Singapore 
  • Autodiscover.uk – United Kingdom 
  • Autodiscover.xyz 
  • Autodiscover.online

Between April 16, 2021, and August 25, 2021, the servers set up by the security firm received hundreds of requests, complete with thousands of credentials.

Microsoft Exchange Autodiscover

The experts have captured a total of 372,072 Windows domain credentials and 96,671 unique credentials from various applications such as Microsoft Outlook.

“Later, these domains were assigned to a webserver in our control and we were simply waiting for web requests for various Autodiscover endpoints to arrive. To our surprise, we started seeing significant amounts of requests to Autodiscover endpoints from various domains, IP addresses and clients.” continues the report.”The most notable thing about these requests was that they requested the relative path of /Autodiscover/Autodiscover.xml with the Authorization header already populated with credentials in HTTP basic authentication.”

Experts were able to find credentials from various companies across multiple verticals, including

  • Fashion and jewelry
  • Food manufacturers 
  • Investment banks 
  • Power plants 
  • Power delivery 
  • Publicly traded companies in the Chinese market 
  • Real estate  
  • Shipping and logistics 

“When observing the logs of the HTTP server, we can clearly see that the client is successfully downgraded after receiving the HTTP 401 response from the server, telling it to use HTTP Basic Authentication:” reads the analysis published by the experts.

Guardicore shared its findings with Microsoft that is actively investigating and announced that will take appropriate steps to protect customers.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Turla)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment