Microsoft tries to register autodiscover domains

Sicherheit (Pexels, allgemeine Nutzung) [German]After a design error in the Autodiscover protocol used by Microsoft Exchange became public, Microsoft is now rushing to register all Autodiscover domains. This is because clients may leak access data from Exchange accounts to such Autodiscover domains via the Autodiscover protocol, if the actual domain is not accessible. Here is some information about the issue.

The Autodiscover problem

Autodiscover is a protocol used by Microsoft Exchange to automatically configure the email accounts used by clients such as Microsoft Outlook. The goal of the protocol is to allow an end user to fully configure their Outlook client by simply providing their username (the email address) and password and leaving the rest of the configuration to Microsoft Exchange's Autodiscover protocol.

Security researchers at Guardicore have come across a design flaw in the autodiscover protocol used by Microsoft Exchange that allows attackers to use external autodiscover domains to grab domain credentials. The problem is that when clients create an account, they send a ping with the credentials (username, password, domain) to different addresses.

Usually, the domain being pinged is the one under which the Exchange server is running. This is derived from the email address for the Exchange account. If none of these URLs responds, autodiscover starts its "back-off" procedure and tries a ping on addresses that match the scheme:

http: // autodiscover.<tld>/Autodiscover/Autodiscover.xml.

are formed. For an email address <name>@<domain>.de, autodiscover[.]de would then be requested at some point. Whoever owns that domain could intercept client pings and check for account credentials. Security researchers at Guardicare registered a number of autodiscover TLD domains based on these findings. Amit Serper from security provider Guardicore had published his findings in the blog post Autodiscovering the Great Leak. There you can also find hints on what could be done (but the possibilities are limited, since it affects the clients).

Autodiscover-Abfragen an Honeypot
Autodiscover queries to Honeypot, source: Guardicore.

From April 16 to August 25, 2021, security researchers using their Autodiscover honeypot received hundreds of queries with thousands of users' credentials (see image above). Their clients tried to set up an Exchange account, but could not find the correct Autodiscover endpoint of the Exchange mailbox. If Basic authentication was used, the clients sent the credentials in clear text with every ping. Companies and organizations from different sectors were affected. I had addressed the issue in the blog post Microsoft Exchange autodiscover design flaw leaks credentials to third party instances.

Microsoft registers autodiscover domains

Bleeping Computer reports now, that Microsoft has hurriedly started to register domains with the scheme autodiscover.[TLD] because they could leak Windows credentials.

Within this article Bleeping Computer cites Microsoft, that it was actively investigating the facts that Guardicore had disclosed and was planning measures to minimize the threat. This includes taking over the domains in question. According to the above tweet, so far 68 of these domains are now owned by Microsoft, while this could not be verified for 38 domains (the owners are not named in a WhoIs query for privacy reasons). The list of domains can be found in the Bleeping Computer article.

The Microsoft action will indeed reduce the possibility of abuse. However, the (mail) clients that are implemented incorrectly and send the credentials unencrypted during account configuration are a problem. Bleeping Computer also lists Microsoft email clients like Microsoft Outlook and Office 365 – but the bigger problem might be third-party clients.

Microsoft tries to register autodiscover domains

The Autodiscover problem

Microsoft registers autodiscover domains

Leave a Reply Cancel reply

Blogs

Links

Social networks

Awards

Sponsors

Recent Comments

Recent Comments

Meta