Microsoft tries to register autodiscover domains

Sicherheit (Pexels, allgemeine Nutzung)[German]After a design error in the Autodiscover protocol used by Microsoft Exchange became public, Microsoft is now rushing to register all Autodiscover domains. This is because clients may leak access data from Exchange accounts to such Autodiscover domains via the Autodiscover protocol, if the actual domain is not accessible. Here is some information about the issue.


The Autodiscover problem

Autodiscover is a protocol used by Microsoft Exchange to automatically configure the email accounts used by clients such as Microsoft Outlook. The goal of the protocol is to allow an end user to fully configure their Outlook client by simply providing their username (the email address) and password and leaving the rest of the configuration to Microsoft Exchange's Autodiscover protocol.

Security researchers at Guardicore have come across a design flaw in the autodiscover protocol used by Microsoft Exchange that allows attackers to use external autodiscover domains to grab domain credentials. The problem is that when clients create an account, they send a ping with the credentials (username, password, domain) to different addresses.

Usually, the domain being pinged is the one under which the Exchange server is running. This is derived from the email address for the Exchange account. If none of these URLs responds, autodiscover starts its "back-off" procedure and tries a ping on addresses that match the scheme:

http: // autodiscover.<tld>/Autodiscover/Autodiscover.xml.

are formed. For an email address <name>@<domain>.de, autodiscover[.]de would then be requested at some point. Whoever owns that domain could intercept client pings and check for account credentials. Security researchers at Guardicare registered a number of autodiscover TLD domains based on these findings. Amit Serper from security provider Guardicore had published his findings in the blog post Autodiscovering the Great Leak. There you can also find hints on what could be done (but the possibilities are limited, since it affects the clients).


Autodiscover-Abfragen an Honeypot
Autodiscover queries to Honeypot, source: Guardicore.

From April 16 to August 25, 2021, security researchers using their Autodiscover honeypot received hundreds of queries with thousands of users' credentials (see image above). Their clients tried to set up an Exchange account, but could not find the correct Autodiscover endpoint of the Exchange mailbox. If Basic authentication was used, the clients sent the credentials in clear text with every ping. Companies and organizations from different sectors were affected. I had addressed the issue in the blog post Microsoft Exchange autodiscover design flaw leaks credentials to third party instances.

Microsoft registers autodiscover domains

Bleeping Computer reports now, that Microsoft has hurriedly started to register domains with the scheme autodiscover.[TLD] because they could leak Windows credentials.

Microsoft register autodiscover domains

Within this article Bleeping Computer cites Microsoft,  that it was actively investigating the facts that Guardicore had disclosed and was planning measures to minimize the threat. This includes taking over the domains in question. According to the above tweet, so far 68 of these domains are now owned by Microsoft, while this could not be verified for 38 domains (the owners are not named in a WhoIs query for privacy reasons). The list of domains can be found in the Bleeping Computer article.

The Microsoft action will indeed reduce the possibility of abuse. However, the (mail) clients that are implemented incorrectly and send the credentials unencrypted during account configuration are a problem. Bleeping Computer also lists Microsoft email clients like Microsoft Outlook and Office 365 – but the bigger problem might be third-party clients.

Similar articles:
Security updates for Exchange Server (July 2021)
Cumulative Exchange CUs June 2021 released
Exchange Server Security Update KB5001779 (April 13, 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange security updates from July 2021 breaks ECP and OWA
Exchange 2016/2019: Outlook problems due to AMSI integration
Wave of attacks, almost 2,000 Exchange servers hacked via ProxyShell
Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)
Exchange Server: Authentication bypass with ProxyToken
Exchange vulnerabilities: Will we see Hafnium II?
Microsoft Exchange autodiscover design flaw leaks credentials to third party instances

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *