Exchange/Outlook Autodiscover Bug Spills $100K+ Email Passwords

3 weeks ago

Hundreds of thousands of email credentials, many of which double as Active Directory domain credentials, came through to credential-trapping domains in clear text.

Guardicore security researcher Amit Serper has discovered a severe design bug in Microsoft Exchange’s Autodiscover – a protocol that lets users easily configure applications such as Microsoft Outlook with just email addresses and passwords.

The flaw has caused the Autodiscover service to leak about 100,000 unique login names and passwords for Windows domains worldwide, Serper said in a technical report released this week.

“This is a severe security issue, since if an attacker can control such domains or has the ability to ‘sniff’ traffic in the same network, they can capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire,” he said.


“Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically siphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs [top-level domains],” Serper wrote.

The design flaw causes the protocol to leak web requests to Autodiscover domains outside of the user’s own domain if they’re in the same TLD – i.e., Guardicore bought a slew of those domains and found that researchers could set them up to intercept clear-text account credentials for hapless users experiencing network difficulties or whose admins goofed on configuring DNS.

Domain-buying Spree

Guardicore Labs bought 11 Autodiscover domains with TLD suffixes that spanned the globe and which are listed below. Between April 16 and Aug. 25, 2021, researchers set up these domains to connect to a web server Guardicore controlled, thus configuring the domains to serve as proof-of-concept credential traps.

  • – Brazil
  • – China
  • – Colombia
  • – Spain
  • – France
  • – India
  • – Italy
  • – Singapore
  • – United Kingdom

Those credential traps opened the floodgate to “a massive” leak of valid Windows domain credentials, according to Serper’s writeup. Over that four-month period, Guardicore captured 372,072 Windows domain credentials and 96,671 unique credentials leaked out of applications including Microsoft Outlook, mobile email clients and other apps that interface with Microsoft’s Exchange server.

To top it all off, Guardicore developed an attack that downgrades a client’s authentication scheme, elbowing it off of a secure one such as OAuth or NTLM and replacing it with HTTP Basic authentication, which sends credentials in clear text.

Thus, those hundreds of thousands of email credentials, many of which double as Active Directory domain credentials, came through to the credential-trapping domains in clear text.

The Problem: A POX Upon Your Protocol

The weakness Guardicore discovered has to do with a specific implementation of Autodiscover based on the POX (aka “plain old XML”) XML protocol, through which applications exchange raw XML documents using standard transport protocols such as HTTP, SMTP and FTP, or by using proprietary protocols, such as message-oriented middleware.

After adding a new Microsoft Exchange account to Outlook via its auto account setup, a prompt requests a user’s username and password. After the user obliges, Outlook tries to use Autodiscover to configure the client.

Autodiscover attempts to put together a URL to fetch configuration information based on the email domain in any of these formats that combine email domain, subdomain and a path string:


Failing that, it starts a “back-off” procedure, and therein lies the rub.

As Serper explained, this back-off mechanism “is the culprit of this leak because it is always trying to resolve the Autodiscover portion of the domain and it will always try to ‘fail up,’ so to speak.”

On its next attempt to build an Autodiscover URL, the process would concoct “,” meaning that all of the requests that can’t reach the original domain fall into the lap of whoever owns

The Autodiscover back-off process. Source: Guardicore.

After the HTTP GET requests to its purchased domains started to arrive, Guardicore was surprised to observe that many requested the relative path of /Autodiscover/Autodiscover.xml with the Authorization header pre-populated with credentials.

“The interesting issue with a large amount of the requests that we received was that there was no attempt on the client’s side to check if the resource is available, or even exists on the server, before sending an authenticated request,” Serper commented. “Usually, the way to implement such a scenario would be to first check if the resource that the client is requesting is valid, since it could be non existent (which will trigger an HTTP 404 error) or it may be password protected (which will trigger an HTTP 401 error code).”

He continued, “Between Apr 16, 2021 to Aug 25, 2021 we have captured a large number of credentials this way, needless to say, without sending a single packet other than what’s required to establish an HTTP/HTTPS session between our server and the miscellaneous clients.”

Requests breakdown. Source: Guardicore.

The requests – and their leaked credentials – came in from a wide range of sources: publicly traded Chinese companies, investment banks, food manufacturers, power plants, power delivery, real estate, shipping and logistics, and jewelry companies.

Given that Microsoft Exchange is part of Microsoft’s “domain suite” of products, the fact that anybody who has credentials to log in to Exchange inboxes of such businesses – and, in most cases, also to their domain credentials – sets the stage for a world of cybersecurity hurt. “The implications of a domain credential leak in such scale are massive, and can put organizations in peril,” Serper stressed. “Especially in today’s ransomware-attacks ravaged-world – the easiest way for an attacker to gain entry into an organization is to use legitimate and valid credentials.”

Guardicore sees a bit of irony in all this: Attackers try hard to weasel credentials out of users, be it through social engineering, phishing or what have you. This credentials leakage is like pennies from heaven for threat actors, though, coming as it does due to a design flaw in a protocol meant to streamline IT operations when it comes to email client configuration. It “emphasises the importance of proper segmentation and Zero trust,” Serper wrote.

A Design Flaw That’s Been Known About for Years

As of Thursday, the flaw hadn’t been patched, and Microsoft Senior Director Jeff Jones told Ars Technica that Guardicore disclosed the flaw publicly prior to reporting it to the company. But as a Guardicore spokesperson told Threatpost on Friday, it’s not the first time that the flaw has been publicly reported.

“We did not notify Microsoft initially because the protocol flaw isn’t new,” the Guardicore representative said via email. “We were just able to exploit it at a massive scale.”

In fact, as Guardicore’s paper outlined, the flaw was discovered in 2017 by Shape Security and described in a paper that detailed how the leak can be caused by Autodiscover implementations on email clients on mobile phones, such as Samsung’s email client on Android and Apple Mail on iOS (CVE-2016-9940, CVE-2017-2414).

Here we are, 4 years later, and the situation has just gotten worse, Guardicore said in the report:

The vulnerabilities disclosed by Shape Security were patched, yet, here we are in 2021 with a significantly larger threat landscape, dealing with the exact same problem only with more third-party applications outside of email clients. These applications are exposing their users to the same risks. We have initiated responsible disclosure processes with some of the vendors affected.

In a Thursday Tweet stream, Serper called out Microsoft for lagging – for years – in a response to this known flaw. “Microsoft had plenty of time to fix or address this issue, either by patching products [or] just buying all of the autodiscover TLDs (which they are doing right now),” he wrote.

The researcher pointed to this flaw’s history of research papers (such as Shape Security’s paper), Black Hat conference talks (there was one such last month: It covered how Autodiscover formed a part of the ProxyShell vulnerabilities and attacks) and news articles “proving that these issues were known.”

1/n Thread: Last thing about the whole Microsoft conundrum because I actually have more pressing issues to deal with: Microsoft's effort via their PR guy and the MVPs that have been dogpiling on me here and on LinkedIn are missing a point. This issue was known for years

— Amit Serper (@0xAmit) September 23, 2021

Microsoft hadn’t responded to Threatpost’s request for comment by the time this article was published. Guardicore is planning to release more details as a followup to the paper it released this week.

How to Plug the Leaks

Unfortunately, the news isn’t great for the general public: After all, Autodiscover was designed to spare them from sinking up to their elbows in the guts of email client configuration, and mitigation requires rolling up shirtsleeves. But for users who don’t mind plunging in, Guardicore did offer these protective measures:

  • Make sure that you are actively blocking Autodiscover. domains (such as, etc) in your firewall.
  • When deploying/configuring Exchange setups, make sure that support for basic authentication is disabled – using HTTP basic authentication is the same as sending a password in clear text over the wire.
  • A comprehensive textual list of all top level domains can be found in the following url:
    • We have prepared a txt file with all possible Autodiscover.TLD domains which can be added to your local hosts file or firewall configuration in order to mitigate the risk of having such Autodiscover domains resolve. Please check our github repository for more information:

For developers and vendors, the company offered this tip:

  • Make sure that when you are implementing the Autodiscover protocol in your product you are not letting it “fail upwards”, meaning that domains such as “Autodiscover.” should never be constructed by the “back-off” algorithm.
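The following is an added example, not code from Guardicore, Microsoft or the Threatpost article. It models the “back-off” procedure described in the section above (strip one label from the left of the mail domain after each failure) next to a hardened variant that follows the developer tip and never constructs `autodiscover.<TLD>`, plus the hosts-file blocklist and the “disable Basic” client policy from the mitigation list. The URL shapes, the sample mail domains, the sinkhole address and the miniature public-suffix table are assumptions constructed for the example; a real implementation would consult the full Public Suffix List rather than the five entries hard-coded here.

```python
"""Model of Autodiscover back-off: the 'fail up' flaw versus a bounded variant.

Added illustration only; not the client, server or research code the
article discusses. Everything below is constructed for demonstration.
"""

# Constructed stand-in for the Public Suffix List: names under which
# unrelated third parties can register. Any host at or above one of these
# is outside the user's organisation, so credentials must never go there.
PUBLIC_SUFFIXES = {"com", "net", "co.uk", "com.br", "com.cn"}


def is_public_suffix(name):
    return name.lower().strip(".") in PUBLIC_SUFFIXES


def first_round_urls(mail_domain):
    """Initial candidate URLs built from the mail domain (URL shape assumed)."""
    d = mail_domain.lower().strip(".")
    return [
        f"https://autodiscover.{d}/autodiscover/autodiscover.xml",
        f"https://{d}/autodiscover/autodiscover.xml",
    ]


def naive_backoff_hosts(mail_domain):
    """The flawed behaviour: after each failure drop the leftmost label and
    retry, continuing until only the TLD is left. The last candidate is
    'autodiscover.<tld>', a name that belongs to whoever registered it."""
    labels = mail_domain.lower().strip(".").split(".")
    hosts = []
    while labels:
        hosts.append("autodiscover." + ".".join(labels))
        labels = labels[1:]
    return hosts


def safe_backoff_hosts(mail_domain):
    """Bounded variant: stop as soon as the remaining parent name is a public
    suffix, so the back-off can never escape the organisation's namespace."""
    labels = mail_domain.lower().strip(".").split(".")
    hosts = []
    while labels:
        parent = ".".join(labels)
        if is_public_suffix(parent):
            break  # would "fail up" into a third party's namespace
        hosts.append("autodiscover." + parent)
        labels = labels[1:]
    return hosts


def pick_auth_scheme(www_authenticate, allow_basic=False):
    """Choose a scheme from a WWW-Authenticate challenge without downgrading
    to Basic unless the caller explicitly allows it (simplified parse: a
    comma-separated list of challenges, scheme name first)."""
    offered = [c.strip().split()[0].lower()
               for c in www_authenticate.split(",") if c.strip()]
    for preferred in ("bearer", "negotiate", "ntlm"):
        if preferred in offered:
            return preferred
    if "basic" in offered and allow_basic:
        return "basic"
    return None  # refuse rather than send clear-text credentials


def hosts_blocklist(tlds, sink="0.0.0.0"):
    """Hosts-file lines that pin autodiscover.<tld> to a sinkhole address,
    the local mitigation the article describes for a TLD list."""
    return [f"{sink} autodiscover.{t.strip('.').lower()}" for t in tlds]


if __name__ == "__main__":
    domain = "corp.example.co.uk"  # constructed sample mail domain
    print("naive :", naive_backoff_hosts(domain))
    print("safe  :", safe_backoff_hosts(domain))
    print("scheme:", pick_auth_scheme('Basic realm="mail", Negotiate'))
    print("\n".join(hosts_blocklist(["com", "co.uk", "com.br"])))
```

Run on `corp.example.co.uk`, the naive list ends with `autodiscover.co.uk` and `autodiscover.uk`, which is exactly the hop the developer tip forbids; the bounded list stops at `autodiscover.example.co.uk`. The scheme picker refuses a challenge that offers only Basic, so a server that tries to force the downgrade described earlier gets no credentials at all.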

The Buck Stops With Microsoft

Saryu Nayyar, CEO of risk-analytics provider Gurucul, told Threatpost that we can all thank our lucky stars that the credentials were grabbed by Guardicore – the “good guys,” as she called them.

“That doesn’t mean that we can rest easy, however,” she cautioned. “If researchers understand the nature of the vulnerability and know how to exploit it, it’s a short link to attackers exploiting it. Those organizations using detailed security analytics can easily determine if a login or access request is legitimate and investigate and remediate if necessary. This is a clear and severe weakness, but one that organizations can detect and respond to.”

Alicia Townsend, technology evangelist at identity and access management firm OneLogin, told Threatpost that it seems “incredible” that a product would send a user’s username and password to an untrusted endpoint.

“The fact that this is happening with an incredibly popular Microsoft product such as Exchange is even more disheartening,” she noted. “But perhaps the answer lies in the fact that it is happening in a product that has been around for so long.”

Townsend pointed out it’s not clear how long this design flaw has been around, given that the Exchange Autodiscover feature was introduced in Exchange 2007. Either way, it doesn’t shine a good light on Microsoft. “Whether the oversight was on the part of early developers or was introduced by more recent developers, it is clear that Security First was not their primary objective,” she said.

Still, the buck stops in Redmond, Townsend said. “It is the responsibility of all software manufacturers both on prem and in the cloud to ensure that their developers are educated on how to create and test for secure code. We need to be continually evaluating our products for possible security risks. We need to evaluate not just new functionality but existing functionality, because as we can see with the Exchange Autodiscover feature, something could have been designed into the feature years ago and no one has been aware of it. Customers put their trust in us and we need to be ever vigilant.”
