Microsoft Exchange Autodiscover Flaw Leaked Over 100K Windows Credentials
A flawed implementation of the Autodiscover protocol is to blame for transmitting Windows credentials to untrusted third-party sites.
An erroneous implementation of the Autodiscover protocol, and not a flaw in Microsoft Exchange, is responsible for Windows credentials being transferred to third-party websites that are untrusted. The Autodiscover function of Microsoft Exchange allows users to have their organization's predetermined mail settings configured with their mail client, such as Microsoft Outlook.
Email clients, such as Microsoft Outlook, attempt to authenticate to numerous Exchange Autodiscover URLs when a user enters their email address and password. Autodiscover takes the login name and password, as well as the URL used to configure Autodiscover, and sends the data to the destination.
The URLs that Autodiscover will connect to are obtained from the email address that has been set in the client. For example, when using email '[email protected]', Serper discovered that Autodiscover features were used in the following ways: autodiscover.example.com/Autodiscover/Autodiscover.xml, autodiscover.example.com/Autodiscover/Autodiscover.xml, and autodiscover.example.com/Autodiscover/Autodiscover.xml.
Until the Outlook client successfully authenticated with the Microsoft Exchange server, the mail client attempted every URL until it retrieved configuration information and returned it back to the user. Based on Serper's findings, if the client could not authenticate to the above URLs, Microsoft Outlook implemented a "back-off" process. This procedure attempts to set up extra URLs like autodiscover[tld] for users to authenticate to. The Autodiscover URL, in this particular situation, is http://Autodiscover.com/Autodiscover/Autodiscover.xml.
Untrustworthy domains, such as autodiscover.com, begin the problem
To prevent the credentials from being transmitted to a domain that doesn't control the email address, the user's business does not own this domain, and credentials are automatically delivered to the URL. This means that the recipient can collect any credentials given to them.
To check how many passwords were leaked by the Microsoft Exchange Autodiscover function, Guardicore registered numerous domains and installed web servers on each to watch how many credentials were disclosed. Serper exploited these domains to discover that Microsoft Outlook used Basic authentication for users' email accounts, making their passwords readable.
In conducting these tests between April 20, 2021 and August 25, 2021, the Guardicore servers received: 372,072 Basic authentication requests, 96,671 unique pre-authenticated requests, and 648,976 HTTP requests targeting their Autodiscover domains.
Guardicore says the domains that sent their credentials include the following: Fashion and Jewelry, Shipping and Logistics, Real Estate, Utilities, Power Plants, Investment Banks, Food Manufacturers, Listed Companies in the Chinese Market.