Sharing details about the bug in a blog post, Guardicore researchers note that the issue exists in the Microsoft Autodiscover protocol, which helps email clients discover Exchange email servers in order to receive proper configurations.
“[Autodiscover] has a design flaw that causes the protocol to ‘leak’ web requests to Autodiscover domains outside of the user’s domain but in the same TLD (i.e. Autodiscover.com),” shares Amit Serper, AVP of Security Research at Guardicore, adding that such a move could help attackers extract credentials from the leaky Autodiscover requests.
To test this behavior, Guardicore Labs registered several TLD-level Autodiscover domains (such as Autodiscover.com) and pointed them at a web server under their control, and the results were surprising.
Severe security issue
In a little over four months, Guardicore captured 96,671 unique credentials that leaked from various applications, including Microsoft Outlook, mobile email clients and other software, as they attempted to reach Microsoft Exchange servers.
Serper refers to this behavior as a “severe security issue” because an attacker with large-scale DNS-poisoning capabilities, such as a state-sponsored actor, could siphon passwords by poisoning DNS for the TLD-level Autodiscover domains.
Moreover, although all the collected credentials arrived over unencrypted HTTP basic authentication, Serper also describes an attack that can capture credentials even from clients that would otherwise use more secure authentication methods such as OAuth.
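The "back-off" the researchers describe, and a check a defender could run over web-proxy logs to spot clients that are already leaking, as an added example (not Guardicore's or Microsoft's code). The public-suffix set, the log format and the sample log lines are constructed assumptions; the candidate walk is a simplified model of the client behaviour the article describes:

```python
"""Model of the Autodiscover 'back-off' that leaks requests to TLD-level
autodiscover hosts, plus a check over constructed proxy log lines.

Added example; not code from Guardicore or Microsoft. The back-off below is a
simplified model of the client behaviour described in the article.
"""
import re

# Constructed, deliberately tiny stand-in for the public suffix list.
# A real check would load the full list from publicsuffix.org (assumption).
PUBLIC_SUFFIXES = {"com", "net", "org", "de", "uk", "co.uk"}


def is_public_suffix(domain):
    """True when nobody in the user's organisation can own this name."""
    return domain.lower() in PUBLIC_SUFFIXES


def autodiscover_candidates(email):
    """Hosts a backing-off client would try, in order, each with a leak flag.

    For alice@corp.example.com the walk is autodiscover.corp.example.com,
    autodiscover.example.com, autodiscover.com. The last one is outside the
    organisation because 'com' is a public suffix, so that request (and any
    Basic credentials the client attaches) reaches whoever registered it.
    """
    domain = email.rsplit("@", 1)[1].lower().strip(".")
    labels = domain.split(".")
    candidates = []
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])          # strip one leading label per step
        candidates.append(("autodiscover." + suffix, is_public_suffix(suffix)))
    return candidates


# Constructed proxy log format: <ts> <src-ip> <method> <url> <status> [<auth-scheme>]
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3})(?: (?P<auth>\S+))?$"
)
HOST_IN_URL = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:]+)", re.I)


def leaky_hosts_in_log(lines):
    """Flag requests to autodiscover.<public suffix>; note plaintext and Basic auth."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the constructed format; skip
        u = HOST_IN_URL.match(m.group("url"))
        if not u:
            continue
        host = u.group("host").lower()
        if not host.startswith("autodiscover."):
            continue
        if is_public_suffix(host[len("autodiscover."):]):
            hits.append({
                "src": m.group("src"),
                "host": host,
                "plaintext": u.group("scheme").lower() == "http",
                "basic_auth": (m.group("auth") or "").lower() == "basic",
            })
    return hits


SAMPLE_PROXY_LOG = [  # constructed sample lines, not captured traffic
    "2021-09-22T10:15:01Z 10.0.0.5 GET https://autodiscover.corp.example.com/autodiscover/autodiscover.xml 404",
    "2021-09-22T10:15:02Z 10.0.0.5 GET https://autodiscover.example.com/autodiscover/autodiscover.xml 404",
    "2021-09-22T10:15:03Z 10.0.0.5 GET http://autodiscover.com/autodiscover/autodiscover.xml 401 Basic",
    "2021-09-22T10:15:04Z 10.0.0.9 GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    for host, leaks in autodiscover_candidates("alice@corp.example.com"):
        print(f"{host:40s} {'LEAKS OUTSIDE ORG' if leaks else 'ok'}")
    for hit in leaky_hosts_in_log(SAMPLE_PROXY_LOG):
        print("leaky request:", hit)
```

The log check is the defensive half: a client that has already walked down to an `autodiscover.<tld>` host, over plain HTTP and with a Basic header, is exactly the traffic the researchers were catching, so those hits are the mailboxes whose passwords should be rotated first. The same host list from `autodiscover_candidates` can be fed to an internal DNS resolver as a sinkhole rule, so the back-off never leaves the organisation.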
In an email statement to The Record, Microsoft acknowledged that it is investigating Guardicore’s findings, adding however that the security company didn’t report it to Microsoft before sharing the details in public.
Via The Record