A bug in the Microsoft Exchange’s Autodiscover feature Jas leaked thousands of login names and passwords globally. Security researcher Amit Serper, Guardicore’s AVP of Security Research, discovered the design flaw in a feature of the Microsoft Exchange email server that can be abused to harvest Windows domain and app credentials.
Microsoft Exchange automatically configures a user’s mail client using the Autodiscover feature. While doing this configuration, when a user enters an email address and password into an email client, the mail client trued to authenticate to various Exchange Autodiscover URLs. During this authentication process, email and passwords are sent automatically to the Autodiscover URL.
Mail clients try each URL until it successfully authenticates to the Microsoft Exchange server. Then configuration information is sent back to the client. If the service didn’t find the Exchange server’s Autodiscover endpoint, it tries to use “back-off” procedure creating additional URLs such as autodiscover.[tld] domain.
Serper then registered several Autodiscover domains and set up web servers on each to see how many credentials he could get. Here’s the list of domains he registered.
- Autodiscover.com.br – Brazil
- Autodiscover.com.cn – China
- Autodiscover.com.co – Columbia
- Autodiscover.es – Spain
- Autodiscover.fr – France
- Autodiscover.in – India
- Autodiscover.it – Italy
- Autodiscover.sg – Singapore
- Autodiscover.uk – United Kingdom
- Autodiscover.xyz
- Autodiscover.online
After setting up these domains, he found thousands of requests with credentials from users who were trying to set up their email clients. All the collected credentials came via unencrypted HTTP basic authentication connections. He managed to capture 372,072 Windows domain credentials and 96,671 unique credentials from various applications such as Microsoft Outlook.
