Microsoft Exchange Server’s Autodiscover feature leaked credentials of over 100,000 users to untrusted third-party domains

A flawed implementation of the Autodiscover feature in Microsoft Exchange Server disclosed at least 100,000 Windows domain login names and passwords, according to Amit Serper, Guardicore’s vice president for security research.

The Autodiscover feature allows Microsoft and third-party email clients to automatically acquire configuration settings from Microsoft Exchange servers. Microsoft says the feature allows users to configure their email clients with “minimal user input.”

However, the researcher found that the feature leaked credentials to untrusted third-party websites.

Additionally, email client applications such as Microsoft Outlook sent credentials using HTTP Basic authentication, in plain text format.

Microsoft Exchange servers authenticate against third-party web servers

The bug stems from the way Microsoft Exchange handles authentication for email clients such as Microsoft Outlook.

According to the researchers, when a user enters an email address and a password, the client first tries to find the configuration URL in the service connection point (SCP) in Active Directory Domain Services (AD DS).

If the client does not have access to AD DS, it attempts to authenticate to a series of automatically generated Microsoft Exchange Autodiscover URLs, which it derives from the domain part of the user’s email address.

The email client then sends the user’s login credentials to each Autodiscover endpoint and waits for a response.

However, if the email client cannot authenticate to a given URL, it creates other authentication URLs and attempts to authenticate to them by sending the user’s login credentials.

For example, if a user enters an email address such as “[email protected]”, the email client generates the following URLs.


Serper says the email client would try to authenticate on every URL until one is successful and sends the configuration details back to the client.

However, if authentication fails on all of the above domains, the email client “backs off” and creates additional Autodiscover URLs under the bare top-level domain, of the form Autodiscover.[tld].

For example, the email client will create to authenticate users when all auto-generated Autodiscover domains fail.

Unfortunately, the organizations whose users are affected rarely own these top-level Autodiscover domains, and rarely realize that their clients have disclosed credentials to them. An attacker who registers such a top-level Autodiscover domain can therefore collect the leaked credentials.
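The candidate-URL sequence and the back-off described above, modeled as an added example (this is not Guardicore’s or Microsoft’s code). It assumes the documented three-step Autodiscover sequence followed by a back-off that strips the leftmost label of the user’s domain (example.com becomes autodiscover.com), and it flags the URLs whose host lies outside the domains an organization owns, plus the back-off hosts a defender would sinkhole:

```python
# Added example (not Guardicore's or Microsoft's code): model the Autodiscover
# candidate URLs a client derives from an email address, including the
# "back-off" to autodiscover.[tld] described in the article, and flag the
# ones whose host is outside the organisation's control.
from __future__ import annotations

from urllib.parse import urlparse

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def split_email(email: str) -> tuple[str, str]:
    """Return (local part, lower-cased domain); reject addresses without a dotted domain."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or "." not in domain:
        raise ValueError(f"not a routable email address: {email!r}")
    return local, domain.lower()


def backoff_domain(domain: str) -> str:
    """Strip the leftmost label: example.com -> com, example.com.br -> com.br.
    Assumption: this models the article's autodiscover.[tld] back-off."""
    return domain.split(".", 1)[1]


def autodiscover_candidates(email: str) -> list[str]:
    """URLs a client tries, in order. The first three follow the documented
    Autodiscover sequence; the last is the back-off that leaves the org."""
    _, domain = split_email(email)
    return [
        f"https://{domain}{AUTODISCOVER_PATH}",
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"http://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"http://autodiscover.{backoff_domain(domain)}{AUTODISCOVER_PATH}",
    ]


def in_org(host: str, owned_domains) -> bool:
    """True when host is one of the owned domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in owned_domains)


def leaking_urls(email: str, owned_domains) -> list[str]:
    """Candidates whose host is not within any domain the organisation owns:
    a client that reaches these sends the user's credentials to a third party."""
    return [
        u for u in autodiscover_candidates(email)
        if not in_org(urlparse(u).hostname or "", owned_domains)
    ]


def backoff_hosts_to_block(owned_domains) -> set[str]:
    """Hosts to sinkhole (hosts file, DNS, proxy) so the back-off never leaves the org."""
    return {f"autodiscover.{backoff_domain(d)}" for d in owned_domains}


if __name__ == "__main__":
    owned = ["example.com", "example.com.br"]
    for u in leaking_urls("alice@example.com", owned):
        print("leaks to third party:", u)
    print("block:", sorted(backoff_hosts_to_block(owned)))
```

`backoff_hosts_to_block` is the list to feed into the blocking control the researchers recommend; `leaking_urls` is the quick check to run for each email domain an organization serves, since a domain like example.com.br backs off to autodiscover.com.br rather than autodiscover.br.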

“For Exchange Web Services (EWS) clients, Autodiscover is typically used to find the URL of the EWS endpoint, but Autodiscover can also provide information to configure clients that use other protocols,” wrote the researchers. “Autodiscover works for client applications inside or outside firewalls and will work in a resource forest and multiple forest scenarios.”

Email clients sent leaked credentials in clear text

Researchers found that email clients sent authentication details using HTTP Basic authentication, leaving them readable to anyone who controls the receiving server or can observe the traffic. Serper also discovered that requests using NTLM and OAuth could be downgraded to Basic through what he called the “old switcheroo” method.

Researchers registered multiple Autodiscover domains under various top-level domains to collect leaked credentials. They received 648,976 HTTP requests, 372,072 Basic Authentication requests, and 96,671 unique pre-authenticated requests.

Guardicore researchers recommended blocking all top-level Autodiscover domains so that email clients cannot log in to them and disclose credentials. In addition, they advised organizations to disable Basic authentication, which sends credentials in the clear.
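To check whether clients on a network are already doing what the article describes, a defender would look at web-proxy logs for Autodiscover requests that carry Basic credentials to hosts the organization does not own. The following is an added example, not code from the article or from Guardicore; the log format, the sample lines and the `Hunter2` credential are constructed for the example, and the regex would be adapted to a real proxy’s format. It recovers only the user name from the Basic token so the secret itself never ends up in an alert:

```python
# Added example (not from the article or Guardicore): scan web-proxy log lines
# for Autodiscover requests that carry HTTP Basic credentials to a host the
# organisation does not own. The log format and sample lines are constructed
# for this example; adapt LOG_RE to your proxy's format.
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed format: "<timestamp> <client-ip> <method> <url> authorization=<scheme>[:<token>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"authorization=(?P<scheme>[A-Za-z]+)(?::(?P<token>\S+))?$"
)

# Constructed sample credential; the token is what a Basic header would carry.
SAMPLE_TOKEN = base64.b64encode(b"alice@example.com:Hunter2").decode()

# Constructed sample log: two in-org requests, one NTLM request to a back-off
# host, and one Basic request to a back-off host (the case the article describes).
SAMPLE_LOG = [
    f"2021-09-22T10:00:01Z 10.0.0.5 POST https://autodiscover.example.com/autodiscover/autodiscover.xml authorization=Basic:{SAMPLE_TOKEN}",
    "2021-09-22T10:00:02Z 10.0.0.5 GET https://example.com/autodiscover/autodiscover.xml authorization=None",
    "2021-09-22T10:00:03Z 10.0.0.7 POST http://autodiscover.com/autodiscover/autodiscover.xml authorization=NTLM:TlRMTVNTUAAB",
    f"2021-09-22T10:00:04Z 10.0.0.5 POST http://autodiscover.com/autodiscover/autodiscover.xml authorization=Basic:{SAMPLE_TOKEN}",
]


def in_org(host: str, owned_domains) -> bool:
    """True when host is one of the owned domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in owned_domains)


def basic_username(token: str) -> str | None:
    """Recover only the user name from a Basic token; the secret is never returned."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _secret = raw.partition(":")
    return user if sep else None


def find_leaks(lines, owned_domains) -> list[dict]:
    """Return one finding per Autodiscover request that left the owned domains.
    Basic auth is rated high (credentials readable by the receiver); any other
    scheme is rated medium because the article reports downgrade to Basic."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        url = urlparse(m["url"])
        host = url.hostname or ""
        if not url.path.lower().endswith("/autodiscover/autodiscover.xml"):
            continue
        if in_org(host, owned_domains):
            continue
        scheme = m["scheme"].lower()
        finding = {
            "ts": m["ts"], "src": m["src"], "host": host, "scheme": scheme,
            "user": None, "severity": "high" if scheme == "basic" else "medium",
        }
        if scheme == "basic" and m["token"]:
            finding["user"] = basic_username(m["token"])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LOG, ["example.com"]):
        print(f"{f['severity']:6} {f['ts']} {f['src']} -> {f['host']} ({f['scheme']}) user={f['user']}")
```

A hit on a `high` finding tells you which account’s password must be reset; a run of `medium` findings to the same back-off host shows that clients are still backing off and that the blocking recommended above is not yet in place.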

Microsoft Senior Director Jeff Jones said the company is actively investigating the design flaw and will take appropriate action to protect customers.

He also noted that Guardicore researchers made the bug public without notifying Microsoft in advance, putting users at risk. It is not clear whether the threat actors compromised Microsoft Exchange customers using the leaked credentials.

Alicia Townsend, Technology Evangelist, OneLogin, said it was disheartening that this security flaw was discovered in a mature product like Microsoft’s Exchange Server.

“But maybe the answer lies in the fact that it’s happening in a product that’s been around for so long,” Townsend said. “The Exchange Autodiscover feature, which is at the heart of this new vulnerability, was introduced in Exchange 2007.”

“We don’t know if this design flaw has been around for that long. Whether oblivion was on the part of the early developers or was introduced by more recent developers, it is clear that Security First was not their primary focus.


She added that software makers have a responsibility to ensure that their developers are trained in creating and securing their code.

“We need to evaluate not only new features but also existing features because, as we can see with Exchange’s Autodiscover feature, something could have been built into the feature years ago and no one was aware of this. Customers trust us and we must always be vigilant.”
