A design flaw in Microsoft Exchange’s Autodiscover protocol has been caught leaking hundreds of thousands of Windows domain credentials.
In a recent report, Amit Serper, Guardicore's AVP of Security Research, described the flaw, an implementation issue in how email clients probe for Autodiscover endpoints, which causes usernames and passwords to be sent to Autodiscover hosts outside the user's own domain but under the same top-level domain.
Between April 16, 2021 and August 25, 2021, he was able to capture 372,072 Windows domain credentials, including 96,671 unique credentials that leaked from various applications such as Microsoft Outlook, mobile email clients and other apps interfacing with Microsoft’s Exchange server.
Exchange uses the Autodiscover feature to automatically configure a user's email client – like Outlook – with the settings pre-defined by their organisation. When the user signs into the client, it takes the domain part of the email address and builds a series of Autodiscover URLs, presenting the username and password to each in turn until one of them answers.
For email@example.com, tested by Guardicore, the client tried connecting with https://Autodiscover.example.com/Autodiscover/Autodiscover.xml, http://Autodiscover.example.com/Autodiscover/Autodiscover.xml, https://example.com/Autodiscover/Autodiscover.xml, and http://example.com/Autodiscover/Autodiscover.xml.
But when none of the primary URLs responded, some clients, including Outlook, began a “back off” process that strips the leftmost label from the domain and prepends Autodiscover to what remains, so for example.com the next attempt is http://Autodiscover.com/Autodiscover/Autodiscover.xml.
This back-off step is what causes the leak: whoever controls Autodiscover.com receives the login requests, credentials included, of every client whose own domain (example.com) failed to answer, and the same holds for the autodiscover name under any other top-level domain.
Serper tested the issue by registering various autodiscover domains -- such as autodiscover.com.br, Autodiscover.com.cn, and autodiscover.com.co -- and pointing them at a web server under his control. Soon, he started seeing significant numbers of requests to Autodiscover endpoints from various domains, IP addresses and clients.
Many clients sent the credentials using HTTP Basic authentication, which only base64-encodes the username and password, so they were readable in clear text; the requests that arrived over plain http were additionally exposed to anyone on the network path.
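The URL-probing sequence described above, together with the back-off step and the Basic-authentication decoding, as an added example that is not Guardicore's, Microsoft's or any client's code. It assumes the back-off rule is "drop the leftmost label and prepend Autodiscover" applied repeatedly until only the top-level domain remains (the article only shows the final step for example.com, and only in its http form), and the captured request, host name and credential in it are constructed, not real data.

```python
"""Model of Autodiscover client probing and of what a rogue autodiscover.*
host sees. Added example; the back-off rule is my reading of the article."""
from __future__ import annotations

import base64
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def mailbox_domain(email: str) -> str:
    """Domain part of an address, lower-cased; rejects malformed input."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return domain.lower()


def primary_urls(domain: str) -> list[str]:
    """The four in-domain URLs listed in the article, in the order tried."""
    return [
        f"https://Autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"http://Autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"https://{domain}{AUTODISCOVER_PATH}",
        f"http://{domain}{AUTODISCOVER_PATH}",
    ]


def backoff_urls(domain: str) -> list[str]:
    """'Fail-up' URLs: each step drops the leftmost label (assumed rule).
    Only the http form is generated, matching the article's example."""
    labels = domain.split(".")
    urls = []
    while len(labels) > 1:
        labels = labels[1:]
        parent = ".".join(labels)
        urls.append(f"http://Autodiscover.{parent}{AUTODISCOVER_PATH}")
    return urls


def autodiscover_candidates(email: str) -> list[str]:
    """Every URL a backing-off client would try for this mailbox, in order."""
    domain = mailbox_domain(email)
    return primary_urls(domain) + backoff_urls(domain)


def leaves_user_domain(email: str, url: str) -> bool:
    """True when the URL's host is neither the mailbox domain nor one of its
    subdomains, i.e. a request there hands the credential to a third party."""
    domain = mailbox_domain(email)
    host = urlsplit(url).hostname or ""
    return not (host == domain or host.endswith("." + domain))


def decode_basic_auth(header_value: str) -> tuple[str, str]:
    """Recover user and password from an HTTP Basic Authorization value.
    Basic auth is base64, not encryption, so this is the whole 'attack'."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# Constructed request, shaped like what a backing-off client would send to
# Autodiscover.com after example.com failed to answer (hypothetical account).
SAMPLE_REQUEST = (
    "GET /Autodiscover/Autodiscover.xml HTTP/1.1\r\n"
    "Host: Autodiscover.com\r\n"
    "Authorization: Basic RVhBTVBMRVxqZG9lOmh1bnRlcjI=\r\n"
    "\r\n"
)


def credentials_in_request(raw: str) -> tuple[str, str, str]:
    """Return (host, user, password) parsed from a captured plain-HTTP request."""
    headers = dict(
        line.split(": ", 1) for line in raw.split("\r\n")[1:] if ": " in line
    )
    user, password = decode_basic_auth(headers["Authorization"])
    return headers["Host"], user, password


if __name__ == "__main__":
    for url in autodiscover_candidates("email@example.com"):
        flag = "LEAK" if leaves_user_domain("email@example.com", url) else "ok  "
        print(flag, url)
    print(credentials_in_request(SAMPLE_REQUEST))
```

Running the script prints the four in-domain URLs marked `ok` followed by the Autodiscover.com URL marked `LEAK`, then the clear-text account and password recovered from the constructed request. The same `leaves_user_domain` check is what a proxy or DNS policy would need to apply to block the back-off attempts before they leave the network.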
The domains that sent the credentials were those from publicly traded companies in the Chinese market, food manufacturers, investment banks, power plants, power delivery firms, real estate companies, shipping and logistics organisations, and fashion and jewelry businesses.
Commenting on the issue, Jeff Jones, senior director at Microsoft, told Bleeping Computer, "We are actively investigating and will take appropriate steps to protect customers.”
“We are committed to coordinated vulnerability disclosure, an industry-standard, collaborative approach that reduces unnecessary risk for customers before issues are made public. Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today,” Jones added.