
How a Microsoft Exchange bug exposed ~100,000 Windows credentials


An unpatched design flaw in the implementation of Microsoft Exchange’s Autodiscover protocol has resulted in the leak of approximately 100,000 login names and passwords for Windows domains worldwide.

Key takeaways

  • Over 100,000 logins and passwords leaked
  • American security firm Guardicore was able to access requests to Autodiscover endpoints from different domains, IP addresses, and clients, netting 96,671 unique credentials sent from Outlook, mobile email clients, and other applications
  • The activity took place over a four-month period earlier this year, ending in August


An unpatched design flaw in the implementation of Microsoft Exchange’s Autodiscover protocol has resulted in the leak of approximately 100,000 login names and passwords for Windows domains worldwide, as uncovered by the work of a Boston-based security firm.

In practice this means that an attacker who controls one of the Autodiscover domains described below, or who can sniff traffic on the same network, can capture domain credentials as they are transferred in plain text (HTTP Basic authentication).

Further, an attacker with large-scale DNS-poisoning capabilities could systematically siphon leaked passwords by poisoning resolution of these Autodiscover TLDs. This is well within the capabilities of many nation-state attackers, who have been a constant feature of the cyber threat landscape over the last few years.

The Exchange Autodiscover service enables users to configure applications such as Microsoft Outlook with minimal user input: an email address and password are enough to retrieve the other predefined settings required to set up the email client.

The weakness exists in a specific implementation of Autodiscover based on the POX (plain old XML) protocol, which causes Autodiscover web requests to be sent to domains outside the user’s own.

For instance, where a user’s email address is at the domain example.com, the email client uses Autodiscover to construct a URL from which to fetch configuration data, trying the following combinations of the email domain, an Autodiscover subdomain, and a fixed path string; if none of them succeeds, it falls into a “back-off” algorithm:

  • https://Autodiscover.example.com/Autodiscover/Autodiscover.xml
  • https://example.com/Autodiscover/Autodiscover.xml

This ‘back-off’ mechanism is the culprit of the leak: on failure it strips the leftmost label from the domain and tries again, always keeping the Autodiscover portion, so it ‘fails up’ towards the top-level domain rather than giving up.

For example.com, the next attempt to build an Autodiscover URL therefore produces ‘https://Autodiscover.com/Autodiscover/Autodiscover.xml’.

Hence, whoever owns Autodiscover.com receives every request that could not reach the original domain.

Security firm Guardicore was able to access requests to Autodiscover endpoints from different domains, IP addresses, and clients, netting 96,671 unique credentials sent from Outlook, mobile email clients, and other applications interfacing with Microsoft’s Exchange server over a four-month period between April 16, 2021, and August 25, 2021.

The domains of those leaked credentials belonged to several entities from multiple verticals spanning publicly traded corporations in China, investment banks, food manufacturers, power plants, and real estate firms.

The firm developed an attack method that involved sending a request to the client to downgrade to a weaker authentication scheme (i.e., HTTP Basic authentication) in place of secure methods like OAuth or NTLM, prompting the email application to send the domain credentials in cleartext.

What Exchange users should do

To mitigate Autodiscover leaks, Exchange users should disable support for Basic authentication and block resolution of all possible Autodiscover.TLD domains by listing them in the local hosts file or firewall configuration, so that the back-off never reaches a domain outside the organisation.
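As an added illustration (not Guardicore’s or Microsoft’s code), the Python below models the ‘fail-up’ back-off described above for an arbitrary email domain, flags the candidate hosts that fall outside the user’s own domain, and derives the hosts-file sinkhole entries suggested here. Stripping one label at a time for multi-level domains is an assumption of the model, and the email addresses are constructed.

```python
AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def autodiscover_candidates(email, schemes=("https",)):
    """Return, in order, the URLs a client with a 'fail-up' back-off would try.

    Assumed model: first the user's own domain (with and without the
    Autodiscover label), then drop the leftmost label of the domain and
    retry with the Autodiscover label until only the TLD is left."""
    domain = email.rsplit("@", 1)[1].lower()
    labels = domain.split(".")
    urls = []
    for scheme in schemes:
        urls.append(f"{scheme}://autodiscover.{domain}{AUTODISCOVER_PATH}")
        urls.append(f"{scheme}://{domain}{AUTODISCOVER_PATH}")
    # Back-off: example.com -> autodiscover.com, a.b.example.com -> b.example.com ...
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for scheme in schemes:
            urls.append(f"{scheme}://autodiscover.{parent}{AUTODISCOVER_PATH}")
    return urls


def leaky_hosts(email):
    """Candidate hosts that are NOT within the user's own email domain,
    i.e. the ones a third party could register and harvest credentials from."""
    domain = email.rsplit("@", 1)[1].lower()
    hosts = {url.split("/")[2] for url in autodiscover_candidates(email)}
    return sorted(h for h in hosts if h != domain and not h.endswith("." + domain))


def hosts_file_entries(email):
    """Sinkhole lines for a local hosts file so the back-off never resolves
    an Autodiscover.TLD host (the mitigation recommended in the article)."""
    return [f"127.0.0.1 {host}" for host in leaky_hosts(email)]


if __name__ == "__main__":
    # Constructed sample addresses, not real users.
    for sample in ("user@example.com", "user@mail.example.co.uk"):
        print(sample)
        for url in autodiscover_candidates(sample):
            print("  try :", url)
        for line in hosts_file_entries(sample):
            print("  sink:", line)
```

Running it shows that a deeper domain such as mail.example.co.uk leaks to three out-of-scope hosts, not just one, which is why the article recommends blocking the whole Autodiscover.TLD set.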

Software vendors are also advised to avoid implementing a “back-off” procedure that fails upwards and constructs unforeseen domains such as “Autodiscover.com”.

Often, attackers try to make users send them their credentials by applying various techniques, whether technical or through social engineering. This incident shows us that passwords can be leaked outside the organisation’s perimeter by a protocol that was meant to streamline the IT department’s operations with regard to email client configuration.

All of this serves only to emphasise the importance of proper segmentation and Zero Trust.

Ahmed Khanji


Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.
