A serious Microsoft Exchange security flaw is going unaddressed


A design flaw in an integral feature of the Microsoft Exchange email server can be abused to harvest Windows domain and application credentials, according to cybersecurity researchers.

Sharing details about the bug in a blog post, Guardicore researchers note that the issue exists in the Microsoft Autodiscover protocol, which helps email clients locate Exchange email servers in order to receive the correct configuration.

“[Autodiscover] has a design flaw that causes the protocol to “leak” web requests to Autodiscover domains outside of the user’s domain but in the same TLD (i.e. Autodiscover.com),” shares Amit Serper, AVP of Security Research at Guardicore, adding that such a move could help attackers extract credentials from the leaky Autodiscover requests.
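The leak Serper describes comes from the client "failing up" through the mailbox domain's labels until it reaches an Autodiscover host under the bare TLD. The following is an added example, not Guardicore's or Microsoft's code: it models that walk for a given address (the one-label-per-step order is an assumption of this model), lists the candidate hosts that fall outside the domains an organisation controls, and runs the same check over a few constructed DNS resolver log lines so a defender can spot clients that have started to query Autodiscover hosts they do not own. The log format and the sample lines are constructed for the example.

```python
"""Model of the Autodiscover "fail-up" behaviour described in the article, plus a
defender-side check over DNS query logs.  Added example, not Guardicore's or
Microsoft's code.  The label-stripping order is an assumption made for this model."""
from __future__ import annotations

import re
from typing import Iterable


def autodiscover_candidates(email: str) -> list[str]:
    """Hostnames an Autodiscover client may try for `email`, from the mailbox's own
    domain up to autodiscover.<tld>.  Assumption: one label is dropped per step."""
    domain = email.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    labels = [lbl for lbl in domain.split(".") if lbl]
    return ["autodiscover." + ".".join(labels[i:]) for i in range(len(labels))]


def _within(host: str, org_domain: str) -> bool:
    """True if `host` is `org_domain` itself or a subdomain of it."""
    org_domain = org_domain.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)


def leaky_hosts(email: str, org_domains: Iterable[str]) -> list[str]:
    """Candidates that fall outside every domain the organisation controls.
    Requests to these hosts are the leak the article describes; they belong
    on an egress block list or a DNS sinkhole."""
    orgs = list(org_domains)
    return [h for h in autodiscover_candidates(email)
            if not any(_within(h, o) for o in orgs)]


# Constructed DNS resolver log lines (not real data); the format is an assumption.
SAMPLE_DNS_LOG = """\
2021-09-22T08:00:01Z client=10.0.0.5 qname=autodiscover.example.co.uk qtype=A
2021-09-22T08:00:02Z client=10.0.0.5 qname=autodiscover.co.uk qtype=A
2021-09-22T08:00:03Z client=10.0.0.9 qname=www.example.co.uk qtype=A
2021-09-22T08:00:04Z client=10.0.0.9 qname=autodiscover.uk qtype=A
"""

_LOG_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")


def find_leaky_queries(log_text: str, org_domains: Iterable[str]) -> list[tuple[str, str]]:
    """(client, qname) pairs where an Autodiscover lookup left the organisation's
    domains, i.e. a client that has started failing up towards autodiscover.<tld>."""
    orgs = [o.lower().rstrip(".") for o in org_domains]
    hits: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if qname.startswith("autodiscover.") and not any(_within(qname, o) for o in orgs):
            hits.append((m.group("client"), qname))
    return hits


if __name__ == "__main__":
    org = ["example.co.uk"]
    print(autodiscover_candidates("alice@mail.example.co.uk"))
    print(leaky_hosts("alice@mail.example.co.uk", org))
    print(find_leaky_queries(SAMPLE_DNS_LOG, org))
```

The hosts returned by `leaky_hosts` are the ones to block at the egress proxy or sinkhole in internal DNS, and `find_leaky_queries` is the corresponding detection to run over resolver logs; a client appearing there has already exhausted the organisation's own Autodiscover hosts and is about to send its request outside.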


To test this behavior, Guardicore Labs acquired multiple Autodiscover domains with a TLD suffix and set them up to reach a web server under their control, and the results were surprising.

Severe security issue

In a little over four months, Guardicore managed to capture 96,671 unique credentials that leaked from various applications, including Microsoft Outlook, mobile email clients and other software, as they attempted to interface with Microsoft’s Exchange server.

Serper refers to this behavior as a “severe security issue”, since an attacker with large-scale DNS-poisoning capabilities, such as a state-sponsored actor, could siphon passwords by running a DNS poisoning campaign against the Autodiscover TLD domains.

Moreover, although all the collected credentials came via unencrypted HTTP basic authentication connections, Serper also describes an attack that could capture credentials from more secure forms of authentication such as OAuth.

In an email statement to The Record, Microsoft acknowledged that it is investigating Guardicore’s findings, adding however that the security company didn’t report it to Microsoft before sharing the details in public.

Via The Record

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.