Hundreds of Thousands of Credentials Leaked Due to Microsoft Exchange Protocol Flaw

Cybersecurity researchers have been able to capture hundreds of thousands of Windows domain and application credentials due to the design and implementation of the Autodiscover protocol used by Microsoft Exchange.

According to Microsoft, the Exchange Autodiscover service “provides an easy way for your client application to configure itself with minimal user input.” This allows users to, for example, configure their Outlook client by only needing to provide their username and password.

Back in 2017, researchers warned that implementation issues related to Autodiscover on mobile email clients could cause information leakage, and the vulnerabilities disclosed at the time were patched. However, an analysis conducted by cloud and data center security company Guardicore earlier this year showed that there are still some serious problems with the design and implementation of Autodiscover.

The problem is related to a “back-off” procedure. When Autodiscover is used to configure a client, the client attempts to build a URL based on the email address provided by the user. The URL looks something like this: or

However, if none of the URLs respond, the back-off mechanism kicks in and attempts to contact a URL that has the following format:

“This means that whoever owns will receive all of the requests that cannot reach the original domain,” Guardicore explained.

The company registered nearly a dozen Autodiscover domains (e.g.,,, and assigned them to a web server under its control.

Between April 16, 2021, and August 25, 2021, their server captured more than 370,000 Windows domain credentials and over 96,000 unique credentials leaked from applications such as Outlook and mobile email clients.

The credentials came from publicly traded companies, food manufacturers, power plants, investment banks, shipping and logistics firms, real estate companies, and fashion and jewelry companies.

“This is a severe security issue, since if an attacker can control such domains or has the ability to ‘sniff’ traffic in the same network, they can capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire. Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically syphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs,” Guardicore said.

The researchers have also devised an attack that can be used to downgrade a client’s authentication scheme, enabling an attacker to obtain credentials in clear text. The client will initially attempt to use a secure authentication scheme, such as NTLM or OAuth, which protect credentials against snooping, but the attack causes authentication to be downgraded to HTTP Basic authentication, where credentials are sent in clear text.

Guardicore noted that the data leakage stems from how application developers implement the protocol: client developers can prevent it by ensuring their Autodiscover implementations never construct URLs that fall outside the user's own domain and can therefore be abused by attackers.
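As an added example (my own code, not Guardicore's or Microsoft's), the following shows what such a hardened implementation looks like: a candidate-URL builder that never leaves the user's mail domain, and a pre-authentication guard that refuses to send credentials to a foreign host, over plain HTTP, or under HTTP Basic authentication. It assumes the leaky back-off strips labels down to the TLD (giving autodiscover.<tld> hosts, as Guardicore describes) and uses Microsoft's documented /autodiscover/autodiscover.xml endpoint path; the scheme labels in SAFE_SCHEMES are an assumption.

```python
"""Added example (not Guardicore's or Microsoft's code): a hardened Autodiscover
candidate-URL builder plus a guard that refuses credential submission to hosts
outside the user's own mail domain, over plain HTTP, or via HTTP Basic auth.
Assumes (per Guardicore's description) that the vulnerable back-off strips
labels until only the TLD is left, yielding hosts like autodiscover.<tld>."""
from urllib.parse import urlsplit

SAFE_SCHEMES = {"ntlm", "negotiate", "oauth"}   # assumed scheme labels


def mail_domain(email: str) -> str:
    """Domain part of the address, lower-cased; rejects malformed input."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or "." not in domain:
        raise ValueError(f"not a valid e-mail address: {email!r}")
    return domain.lower()


def vulnerable_backoff_host(domain: str) -> str:
    """Model of the leaky back-off: autodiscover.<tld> (assumed form)."""
    tld = domain.rsplit(".", 1)[-1]
    return f"autodiscover.{tld}"


def safe_candidates(email: str) -> list[str]:
    """Only HTTPS URLs inside the user's own domain are ever produced."""
    domain = mail_domain(email)
    return [
        f"https://{domain}/autodiscover/autodiscover.xml",
        f"https://autodiscover.{domain}/autodiscover/autodiscover.xml",
    ]


def in_mail_domain(host: str, domain: str) -> bool:
    """True only for the mail domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def may_send_credentials(url: str, scheme: str, email: str) -> bool:
    """Guard the client should apply before answering any 401 challenge."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False                                   # no plaintext transport
    if not in_mail_domain(parts.hostname, mail_domain(email)):
        return False                                   # back-off / foreign host
    return scheme.lower() in SAFE_SCHEMES              # Basic is a downgrade
```

Note that the back-off host the vulnerable logic would produce for alice@example.com is rejected by `in_mail_domain`, which is exactly the check the leaky clients lacked.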

Related: Windows Admins Scrambling to Contain ‘PrintNightmare’ Flaw Exposure

Related: Enterprises Warned of New PetitPotam Attack Exposing Windows Domains

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
