Cybersecurity researchers have been able to capture hundreds of thousands of Windows domain and application credentials due to the design and implementation of the Autodiscover protocol used by Microsoft Exchange.
According to Microsoft, the Exchange Autodiscover service “provides an easy way for your client application to configure itself with minimal user input.” This allows users to, for example, configure their Outlook client by only needing to provide their username and password.
Back in 2017, researchers warned that implementation issues related to Autodiscover on mobile email clients could cause information leakage, and the vulnerabilities disclosed at the time were patched. However, an analysis conducted by cloud and data center security company Guardicore earlier this year showed that there are still some serious problems with the design and implementation of Autodiscover.
The problem is related to a “back-off” procedure. When Autodiscover is used to configure a client, the client attempts to build a URL based on the email address provided by the user. The URL looks something like this: https://Autodiscover.example.com/Autodiscover/Autodiscover.xml or https://example.com/Autodiscover/Autodiscover.xml.
However, if none of the URLs respond, the back-off mechanism kicks in and attempts to contact a URL that has the following format: http://Autodiscover.com/Autodiscover/Autodiscover.xml.
“This means that whoever owns Autodiscover.com will receive all of the requests that cannot reach the original domain,” Guardicore explained.
The company registered nearly a dozen Autodiscover domains (e.g. Autodiscover.com.cn, Autodiscover.es, Autodiscover.in, Autodiscover.uk) and assigned them to a web server under its control.
Between April 16, 2021, and August 25, 2021, their server captured more than 370,000 Windows domain credentials and over 96,000 unique credentials leaked from applications such as Outlook and mobile email clients.
The credentials came from publicly traded companies, food manufacturers, power plants, investment banks, shipping and logistics firms, real estate companies, and fashion and jewelry companies.
“This is a severe security issue, since if an attacker can control such domains or has the ability to ‘sniff’ traffic in the same network, they can capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire. Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically syphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs,” Guardicore said.
The researchers have also devised an attack that can be used to downgrade a client’s authentication scheme, enabling an attacker to obtain credentials in clear text. The client will initially attempt to use a secure authentication scheme, such as NTLM or OAuth, which protect credentials against snooping, but the attack causes authentication to be downgraded to HTTP Basic authentication, where credentials are sent in clear text.
Guardicore noted that data leakage occurs due to how the protocol is implemented by application developers. They can prevent it from constructing URLs that can be abused by attackers.
Related: Windows Admins Scrambling to Contain ‘PrintNightmare’ Flaw Exposure
Related: Enterprises Warned of New PetitPotam Attack Exposing Windows Domains

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
Latest News
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- UK Car Retailer Arnold Clark Hit by Ransomware
- Dealing With the Carcinization of Security
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Cyber Insights 2023 | Supply Chain Security
- Cyber Insights 2023 | Regulations
