A design flaw in an integral feature of the Microsoft Exchange email server can be exploited to collect Windows domain and application credentials, according to cybersecurity researchers.
Sharing details about the bug in a blog post, Guardicore researchers note that the problem lies in the Microsoft Autodiscover protocol, which email clients use to locate Exchange servers and retrieve the correct configuration.
“[Autodiscover] has a design flaw that causes the protocol to ‘leak’ web requests to Autodiscover domains outside the user’s domain, but in the same TLD (i.e. Autodiscover.com),” says Amit Serper, AVP of Security Research at Guardicore, adding that the leak could help attackers extract credentials from the leaking Autodiscover requests.
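As an added illustration (not code from the article, from Guardicore or from Microsoft), the Python below models the behaviour Serper describes and shows two defender-side checks: which Autodiscover lookups for a given mailbox would land outside the organisation, and how such requests could be spotted in proxy logs. It assumes, as the page does not spell out, that the client walks up the DNS labels of the user's email domain, trying `autodiscover.<suffix>` at each level; the `org_domain` parameter, the function names and the log format are the example's own, and the log lines are constructed.

```python
# Added example (not code from the article, Guardicore or Microsoft).
# Models the Autodiscover "back-off" behaviour the article describes and two
# defender-side checks: which lookups fall outside the organisation, and how
# to spot such requests in proxy logs.
#
# Assumptions not stated on the page: the client walks up the DNS labels of
# the user's email domain, trying autodiscover.<suffix> at each level; the log
# format below is constructed for the example.
import re


def autodiscover_candidates(email: str) -> list[str]:
    """Hosts a naive back-off would try for `email`, most specific first.

    alice@corp.example.com -> autodiscover.corp.example.com,
    autodiscover.example.com, autodiscover.com
    """
    if "@" not in email:
        raise ValueError(f"not an email address: {email!r}")
    domain = email.rsplit("@", 1)[1].lower().rstrip(".")
    labels = domain.split(".")
    return [f"autodiscover.{'.'.join(labels[i:])}" for i in range(len(labels))]


def within_org(host: str, org_domain: str) -> bool:
    """True when `host` is the organisation's own domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)


def leaking_candidates(email: str, org_domain: str) -> list[str]:
    """Candidates the back-off would contact that nobody in the org controls.

    These are the hosts (e.g. autodiscover.com) where credentials would land
    if a client sends an authenticated request to them.
    """
    return [h for h in autodiscover_candidates(email) if not within_org(h, org_domain)]


def safe_candidates(email: str, org_domain: str) -> list[str]:
    """Mitigation: the subset of candidates a hardened client may contact."""
    return [h for h in autodiscover_candidates(email) if within_org(h, org_domain)]


# Constructed proxy-log lines: "<timestamp> <method> <host> <path> auth=<scheme>"
SAMPLE_LOG = """\
2021-09-01T10:00:01Z GET autodiscover.corp.example.com /autodiscover/autodiscover.xml auth=Basic
2021-09-01T10:00:02Z GET autodiscover.example.com /autodiscover/autodiscover.xml auth=Basic
2021-09-01T10:00:03Z GET autodiscover.com /autodiscover/autodiscover.xml auth=Basic
2021-09-01T10:00:04Z GET www.example.com /index.html auth=None
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) auth=(?P<auth>\S+)$"
)


def find_leaked_auth(log_text: str, org_domain: str) -> list[tuple[str, str, str]]:
    """Detection: authenticated Autodiscover requests to hosts outside the org.

    Returns (timestamp, host, auth scheme) for each suspicious line.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        host = m["host"].lower()
        if not host.startswith("autodiscover."):
            continue
        if within_org(host, org_domain) or m["auth"] == "None":
            continue
        hits.append((m["ts"], host, m["auth"]))
    return hits


if __name__ == "__main__":
    user, org = "alice@corp.example.com", "example.com"
    print("would try :", autodiscover_candidates(user))
    print("leaks to  :", leaking_candidates(user, org))
    print("allow only:", safe_candidates(user, org))
    for ts, host, auth in find_leaked_auth(SAMPLE_LOG, org):
        print(f"ALERT {ts}: {auth} credentials sent to {host}")
```

The `within_org` suffix check is deliberately strict (`example.com.evil` is not a match), and a production version of the log check would use the Public Suffix List rather than a fixed `org_domain`, since for a mailbox under a multi-label public suffix such as `co.uk` the intermediate back-off hosts are also outside the organisation.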
To test this behavior, Guardicore Labs acquired multiple Autodiscover domains with a bare TLD suffix (Autodiscover.<TLD>) and pointed them at a web server under its control, and the results were surprising.
Serious security issue
In just over four months, Guardicore captured 96,671 unique credentials leaked by various applications, including Microsoft Outlook, mobile email clients and other software, while they were trying to communicate with Microsoft’s Exchange server.
Serper calls this behavior a “serious security problem” because it could allow an attacker with large-scale DNS poisoning capabilities, such as a state-sponsored actor, to siphon passwords by running a large-scale DNS poisoning campaign against the Autodiscover.<TLD> domains.
Moreover, while all of the collected credentials arrived over unencrypted HTTP Basic authentication connections, Serper also describes an attack that could let attackers capture more secure forms of authentication, such as OAuth.
In an email statement to The Record, Microsoft acknowledged that it is investigating Guardicore’s findings, but added that the security company had not reported the issue to Microsoft before publishing the details.
Via The Record