Microsoft logo above its headquarters showing leaked credentials by Microsoft Exchange protocol

Microsoft Exchange Server’s Autodiscover Feature Leaked Credentials of Over 100,000 Users To Third-Party Untrusted Domains

Microsoft Exchange server’s incorrect implementation of the Autodiscover feature leaked at least 100,000 login names and passwords of Windows domains, according to Guardicore’s AVP of Security Research Amit Serper.

The Autodiscover feature allows Microsoft’s and third-party email clients to acquire configuration settings automatically from Microsoft Exchange servers. Microsoft says the feature enables users to configure their mail clients with “minimal user input.”

However, the researcher discovered that the feature leaked credentials to untrusted third-party websites.

Additionally, email client applications such as Microsoft Outlook sent the credentials using HTTP Basic authentications, in plaintext format.

Microsoft Exchange servers authenticate on third-party web servers

The bug originates from how Microsoft exchange handles authentication for email clients like Microsoft Outlook.

According to the researchers, when a user enters an email address and password combination, the client attempts to find the configuration URL in the Service Connection Point (SCP) in the Active Directory Domain Services (AD DS).

If the client has no access to AD DS, the mail client attempts to authentication on various autogenerated Microsoft Exchange Autodiscover URLs. The mail client attempts to build an Autodiscover URL from the users’ email addresses.

Subsequently, the Microsoft Exchange server client sends the users’ login credentials to the Autodiscover endpoints and waits for a response.

However, if the mail client cannot authenticate on a given URL, it creates more authentication URLs and attempts to authenticate on them by sending the user’s login credentials.

For example, if a user enters an email address like “user@example.com,” the mail client would generate the following URLs.

  • https://Autodiscover.example.com/Autodiscover/Autodiscover.xml
  • http://Autodiscover.example.com/Autodiscover/Autodiscover.xml
  • https://example.com/Autodiscover/Autodiscover.xml
  • http://example.com/Autodiscover/Autodiscover.xml

Serper says that the mail client would try to authenticate against each URL until one succeeded and sent back configuration details to the client.

However, if authentication fails on all the above authentication domains, the email client would create additional Autodiscover URLs using top-level domains, like autodiscover.[tld] domain.

For example, the email client will create http://autodiscover.com/Autodiscover/autodiscover.xml to authenticate users when all the autogenerated Autodiscover domains fail.

Sadly, most email client users rarely own the top-level authentication domains or understand that their servers leaked credentials on these domains. Thus, attackers could set up top-level Autodiscover authentication domains to collect users’ leaked credentials.

“For Exchange Web Services (EWS) clients, Autodiscover is typically used to find the EWS endpoint URL, but Autodiscover can also provide information to configure clients that use other protocols,” the researchers wrote. “Autodiscover works for client applications that are inside or outside firewalls and will work in resource forest and multiple forest scenarios.”

Email clients sent leaked credentials in plaintext

The researchers found that email clients sent the authentication details using basic HTTP authentication, thus making them visible to potential attackers. Additionally, Serper also discovered that requests sent through NTLM and OAuth could be downgraded through the “the ol’ switcheroo” method.

The researchers registered several Autodiscover domains using top-level TLDs to collect leaked credentials. They received 648,976 HTTP requests, 372,072 Basic authentication requests, and 96,671 unique pre-authenticated requests.

Guardicore researchers recommended blocking all top-level authentication domains to prevent email clients from connecting and leaking credentials. Additionally, they should disable Basic authentication that sends leaked credentials in plaintext.

Microsoft’s Senior Director Jeff Jones said the company was actively investigating the design flaw and would take appropriate steps to protect customers.

He also noted that Guardicore researchers publicized the bug without informing Microsoft in advance, thus putting users at risk. It’s unclear whether threat actors had compromised any Microsoft exchange clients using the leaked credentials.

Alicia Townsend, Technology Evangelist, OneLogin, said it was disheartening that this security flaw was discovered in a mature product like Microsoft exchange server.

“But maybe the answer lies in the fact that it is happening in a product that has been around for so long,” Townsend said. “The Exchange Autodiscover feature which is the feature at the heart of this new vulnerability was introduced in Exchange 2007.”

“It is unclear as to whether or not this flaw in the design has been around that long. Whether the oversight was on the part of early developers or was introduced by more recent developers, it is clear that Security First was not their primary objective.”

Email clients searched for the Autodiscover URL on Active Directory Domain Services and defaulted to autogenerated top-level domains created using users’ emails. #cybersecurity #respectdataClick to Tweet

She added that software manufacturers had the responsibility of ensuring that their developers were educated on creating and securing their code.

“We need to evaluate not just new functionality but existing functionality because as we can see with the Exchange Autodiscover feature, something could have been designed into the feature years ago and no one has been aware of it. Customers put their trust in us and we need to be ever vigilant.”