Skip to main content

A serious Microsoft Exchange security flaw is going unaddressed

Bad Bots
(Image credit: Gonin / Shutterstock)

A design flaw in an integral feature of the Microsoft Exchange email server can be abused to harvest Windows domain and app credentials, according to cybersecurity researchers..

Sharing details about the bug in a blog post, Guardicore researchers note that the issue exists in the Microsoft Autodiscover protocol, which helps email clients discover Exchange email servers in order to receive proper configurations. 

“[Autodiscover] has a design flaw that causes the protocol to “leak” web requests to Autodiscover domains outside of the user’s domain but in the same TLD (i.e. Autodiscover.com),” shares Amit Serper, AVP of Security Research at Guardicore, adding that such a move could help attackers extract credentials from the leaky Autodiscover requests.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

To test this behavior, Guardicore Labs acquired multiple Autodiscover domains with a TLD suffix and set them up to reach a web server under their control, and the results were surprising.

Severe security issue

In a little over four months, Guardicore managed to capture 96,671 unique credentials that leaked from various applications including Microsoft Outlook, mobile email clients and other applications, as they attempted to interface with Microsoft’s Exchange server.

Serper refers to this behavior as a “severe security issue” since it could enable an attacker with large-scale DNS-poisoning capabilities, such as state-sponsored actors, to syphon passwords by launching a large-scale DNS poisoning campaign based on the Autodiscover TLDs.

Moreover, although all the collected credentials came via unencrypted HTTP basic authentication connections, Serper shares details of an attack, which can even help them capture from more secure forms of authentication such as OAuth.

In an email statement to The Record, Microsoft acknowledged that it is investigating Guardicore’s findings, adding however that the security company didn’t report it to Microsoft before sharing the details in public.

Via The Record

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.