Cybersecurity researchers have been able to capture hundreds of thousands of Windows domain and application credentials due to the design and implementation of the Autodiscover protocol used by Microsoft Exchange.
According to Microsoft, the Exchange Autodiscover service “provides an easy way for your client application to configure itself with minimal user input.” This allows users to, for example, configure their Outlook client by only needing to provide their username and password.
Back in 2017, researchers warned that implementation issues related to Autodiscover on mobile email clients could cause information leakage, and the vulnerabilities disclosed at the time were patched. However, an analysis conducted by cloud and data center security company Guardicore earlier this year showed that there are still some serious problems with the design and implementation of Autodiscover.
The problem is related to a “back-off” procedure. When Autodiscover is used to configure a client, the client builds a set of candidate URLs from the domain part of the email address provided by the user. For a user at example.com these look like https://Autodiscover.example.com/Autodiscover/Autodiscover.xml or https://example.com/Autodiscover/Autodiscover.xml, all of them hosts the user's own organization controls.
However, if none of those URLs responds, the back-off mechanism kicks in: the client strips the first label of the domain (example.com becomes com, example.com.cn becomes com.cn) and tries a URL of the form http://Autodiscover.<TLD>/Autodiscover/Autodiscover.xml, so the user at example.com ends up contacting http://Autodiscover.com/Autodiscover/Autodiscover.xml, a host outside the organization, over plain HTTP.
“This means that whoever owns Autodiscover.com will receive all of the requests that cannot reach the original domain,” Guardicore explained.
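To make the back-off concrete, here is an added example in Python, written for this page rather than taken from Guardicore or Microsoft. It enumerates the URLs a naive client would try for a given address and reproduces the fallback as described above; the exact rule used for it, dropping the first label of the mail domain so that example.com becomes com and example.com.cn becomes com.cn, is reconstructed from the URLs quoted in the article and is an assumption. It then shows the client-side policy that never contacts a host outside the user's own domain or over plain HTTP, and runs a simple check over constructed proxy log lines (not real traffic) to flag requests that have already gone to an Autodiscover.<TLD> host.

```python
# Added example (not Guardicore's or Microsoft's code): a model of the Autodiscover
# URL back-off, the client-side policy that stops it, and a proxy-log check for
# requests that have already leaked. The fallback rule "drop the first label of
# the mail domain" is reconstructed from the URLs quoted in the article (an
# assumption); the log lines below are constructed for the example.
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def mail_domain(email):
    """Domain part of an address, lower-cased (user@Example.COM -> example.com)."""
    return email.rsplit("@", 1)[1].lower()


def autodiscover_candidates(email):
    """URLs a naive client tries, in order. The last entry is the back-off URL."""
    domain = mail_domain(email)
    urls = []
    # Phase 1: hosts derived from the user's own domain, HTTPS before HTTP.
    for host in ("autodiscover." + domain, domain):
        for scheme in ("https", "http"):
            urls.append("%s://%s%s" % (scheme, host, AUTODISCOVER_PATH))
    # Phase 2 (the back-off): drop the first label, so example.com -> com and
    # example.com.cn -> com.cn, and try autodiscover.<remainder> over plain HTTP.
    # Whoever owns that host receives the request, and the credentials with it.
    if "." in domain:
        parent = domain.split(".", 1)[1]
        urls.append("http://autodiscover.%s%s" % (parent, AUTODISCOVER_PATH))
    return urls


def in_own_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def safe_candidates(email):
    """Hardened policy: keep only HTTPS URLs whose host is inside the user's
    domain. This is the check the leaky implementations lack; it drops the
    back-off URL and every plain-HTTP variant."""
    domain = mail_domain(email)
    keep = []
    for url in autodiscover_candidates(email):
        parts = urlsplit(url)
        if parts.scheme == "https" and in_own_domain(parts.hostname, domain):
            keep.append(url)
    return keep


# Constructed proxy log (not real traffic): "<client> <method> <url>" per line.
SAMPLE_LOG = """\
10.0.0.5 GET https://autodiscover.example.com/Autodiscover/Autodiscover.xml
10.0.0.5 GET http://autodiscover.com/Autodiscover/Autodiscover.xml
10.0.0.7 GET https://example.com/Autodiscover/Autodiscover.xml
10.0.0.9 POST http://autodiscover.com.cn/Autodiscover/Autodiscover.xml
10.0.0.9 GET https://www.example.com/index.html
"""


def leaky_requests(log, org_domains):
    """(client, url) pairs for Autodiscover requests sent to hosts outside the
    organization's own domains: each one carried credentials to a third party."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        client, _method, url = line.split()
        parts = urlsplit(url)
        if parts.path.lower() != AUTODISCOVER_PATH.lower():
            continue
        if not any(in_own_domain(parts.hostname, d) for d in org_domains):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for candidate in autodiscover_candidates("alice@example.com"):
        print(candidate)
    print("safe:", safe_candidates("alice@example.com"))
    print("leaks:", leaky_requests(SAMPLE_LOG, ["example.com"]))
```

The log check is the quickest way to find out whether a fleet has already been leaking: any Autodiscover request whose host is not one of your own domains went to someone else's server, and if the scheme was http the credentials were readable on the wire as well.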
The company registered nearly a dozen Autodiscover domains (e.g. Autodiscover.com.cn, Autodiscover.es, Autodiscover.in, Autodiscover.uk) and assigned them to a web server under its control.
Between April 16, 2021, and August 25, 2021, their server captured more than 370,000 Windows domain credentials and over 96,000 unique credentials leaked from applications such as Outlook and mobile email clients.
The credentials came from publicly traded companies, food manufacturers, power plants, investment banks, shipping and logistics firms, real estate companies, and fashion and jewelry companies.
“This is a severe security issue, since if an attacker can control such domains or has the ability to ‘sniff’ traffic in the same network, they can capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire. Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically syphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs,” Guardicore said.
The researchers have also devised an attack that downgrades a client’s authentication scheme, enabling an attacker to obtain credentials in clear text. The client initially attempts to use a scheme such as NTLM or OAuth, which does not put the password itself on the wire, but the attack causes the client to fall back to HTTP Basic authentication, where the username and password are sent base64-encoded, which is effectively clear text.
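As an added example of the check a client needs on its side, the following Python is generic HTTP client logic written for this page: it is not Guardicore's attack code and not what Outlook or any other specific client implements, and the header values it handles are constructed. It parses a WWW-Authenticate header and lets the client's own list of acceptable schemes decide, so a challenge that offers only Basic, or lists Basic ahead of NTLM, is refused rather than answered with the password, and nothing is answered at all over plain http.

```python
# Added example (not Guardicore's code, not a specific mail client's): a client-side
# defence against being talked down to HTTP Basic. The parser and policy are generic
# HTTP client logic; all header values and URLs used with it are constructed.
import re
from urllib.parse import urlsplit

# Split on commas that are not inside a quoted string (realm="a,b" stays whole).
_COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
# An HTTP token (RFC 7230 tchar set) followed by whatever remains of the segment.
_TOKEN_THEN_REST = re.compile(r"^([A-Za-z0-9!#$%&'*+\-.^_`|~]+)\s*(.*)$")


def parse_challenges(header):
    """Turn a WWW-Authenticate value into a list of (scheme, params) pairs.

    A segment that starts with a bare token ('Negotiate', 'Basic realm="x"')
    opens a new challenge; a segment of the form name=value ('charset="UTF-8"')
    is a parameter that continues the previous challenge."""
    challenges = []
    for seg in _COMMA_OUTSIDE_QUOTES.split(header):
        seg = seg.strip()
        if not seg:
            continue
        m = _TOKEN_THEN_REST.match(seg)
        if m is None:
            continue  # malformed segment: ignore rather than guess
        token, rest = m.group(1), m.group(2)
        if rest.startswith("=") and challenges:
            scheme, params = challenges[-1]
            challenges[-1] = (scheme, (params + ", " + seg) if params else seg)
        else:
            challenges.append((token, rest))
    return challenges


def accept_challenge(header, url, allowed=("Negotiate", "NTLM", "Bearer")):
    """Return the scheme the client may answer, or None to refuse.

    The client's preference list decides, not the server's: a server that
    offers only Basic, or lists it first, cannot talk the client into sending
    the password. Nothing is answered over plain http, since even a challenge
    response sent there is exposed to whoever sits on the path."""
    if urlsplit(url).scheme.lower() != "https":
        return None
    offered = {scheme.lower() for scheme, _ in parse_challenges(header)}
    for scheme in allowed:
        if scheme.lower() in offered:
            return scheme
    return None


if __name__ == "__main__":
    good = "https://autodiscover.example.com/Autodiscover/Autodiscover.xml"
    print(accept_challenge('Negotiate, NTLM, Basic realm="x"', good))  # Negotiate
    print(accept_challenge('Basic realm="autodiscover"', good))        # None: refused
    print(accept_challenge("NTLM", good.replace("https", "http", 1)))   # None: not over http
```

Basic is deliberately absent from the default `allowed` tuple; if an organization still needs it for a legacy endpoint, that should be an explicit per-host exception rather than something any server can request.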
Guardicore noted that the leak stems from how application developers implement the protocol, not from Exchange itself: a client that never constructs or falls back to an Autodiscover URL outside the user's own domain, such as Autodiscover.<TLD>, gives an attacker nothing to register.
Related: Windows Admins Scrambling to Contain ‘PrintNightmare’ Flaw Exposure
Related: Enterprises Warned of New PetitPotam Attack Exposing Windows Domains

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.