I'm posting a curious reader observation here in the blog. It concerns Autodiscover, the service in Microsoft Exchange that clients such as Outlook use to look up their mailbox settings automatically. One reader noticed a crude problem in this context: someone seems to have set up a domain that ends in .de.de and configured it to answer autodiscover requests. The question arises why this was done, and whether a reader has a logical explanation. It certainly smells like cyber fraud to me.
Auto-discovery from Outlook to Exchange
Microsoft Exchange provides the Autodiscover service for clients such as Outlook. It gives them access to Exchange features and minimizes the steps required to configure and provision a user. Microsoft describes the feature in the document Autodiscover service in Exchange Server (for Exchange Server 2019).
According to Microsoft, Autodiscover makes it easy to retrieve all the information required to connect to mailboxes on Exchange servers, and the service is also used by Outlook. A domain-joined Outlook therefore needs only the user's credentials to authenticate against Active Directory and look up the Autodiscover SCP objects there. A client outside the domain, or one that finds no SCP object, falls back to DNS-based lookups derived from the user's e-mail address: the root domain and then the autodiscover subdomain over HTTPS, an HTTP redirect and finally an SRV record. The details are described in the linked Microsoft article.
A strange reader observation
German blog reader Horst S. contacted me at the beginning of the month because he had run into a very strange problem at a customer. This customer had set up an Exchange server (on premises, in its own AD domain) that is tied to an existing domain hosted by a provider.
The existing domain hosts the customer's website and also provides the e-mail addresses (@domain.de). Horst wrote to me that in this setup a subdomain (autodiscover.domain.de) is usually created at the provider and configured for autodiscover requests, pointing at the customer's own local Exchange server.
There is suddenly a second (foreign) domain
In this customer's environment he suddenly came across the fact that a third party is operating a domain that exactly mimics the customer's autodiscover subdomain. The only subtle difference is a second .de at the end of the third-party domain, i.e. the pattern autodiscover.domainname.de.de (other TLD patterns such as autodiscover.domainname.com.com are equally possible).
Noticed by certificate warnings
The reader noticed the discrepancy because certificate warnings suddenly appeared in the environment in question when Outlook was started (see the following image). Autodiscover evidently "stumbled" over this URL and tried to connect to the third-party domain.
The certificate itself expired years ago (in 2012), was not issued for the domain and comes from a company that is not considered trustworthy. At this point every administrator's alarm bells are ringing, and the question arises what is behind this. The following picture emerges for me: if someone clicks the Yes button there, Outlook or other mail clients would fetch their Autodiscover settings from the fake domain.
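To make the observation concrete, here is an added example (my own code, not the reader's, the blog's or Microsoft's). It derives the endpoints an Outlook-style client probes for a mailbox in an externally hosted domain, tests whether the host that finally answered really lies inside the organisation's DNS zone, and lists the reasons a client must refuse a certificate like the one in the warning above. All hostnames, the certificate data and the trusted-issuer set are constructed stand-ins; `registrable_name` simply takes the last two labels, which is correct for .de (DENIC registers directly under the TLD) but not for ccTLDs with public second-level suffixes such as .co.uk.

```python
# Added example for this post; not code from the blog, the reader or Microsoft.
# It models an Outlook-style client for a mailbox in an externally hosted domain:
# derive the Autodiscover endpoints from the e-mail address, test whether the host
# that finally answered lies inside the organisation's own DNS zone, and judge
# the server certificate. Hostnames, certificate and trusted issuers are made up.
from __future__ import annotations

from datetime import datetime, timezone
from typing import Optional


def labels(name: str) -> list[str]:
    """DNS labels of a name, lower-cased, trailing dot removed."""
    return name.lower().rstrip(".").split(".")


def autodiscover_candidates(email: str) -> list[str]:
    """Endpoints in the relative order Microsoft documents for Outlook when no
    SCP object is found: root HTTPS, autodiscover HTTPS, HTTP redirect, SRV.
    (Local XML, last-known-good and Office 365 steps are omitted here.)"""
    domain = ".".join(labels(email.rsplit("@", 1)[1]))
    return [
        f"https://{domain}/autodiscover/autodiscover.xml",
        f"https://autodiscover.{domain}/autodiscover/autodiscover.xml",
        f"http://autodiscover.{domain}/autodiscover/autodiscover.xml",  # redirect only
        f"_autodiscover._tcp.{domain}",  # SRV record naming host and port
    ]


def host_in_zone(host: str, zone: str) -> bool:
    """Label-wise suffix test. 'autodiscover.domain.de' is inside 'domain.de';
    'autodiscover.domain.de.de' is not, although a substring test
    ('domain.de' in host), common in allow-lists and log filters, says it is."""
    h, z = labels(host), labels(zone)
    return len(h) >= len(z) and h[-len(z):] == z


def registrable_name(host: str) -> str:
    """Last two labels. Correct for .de, where DENIC registers directly under
    the TLD; wrong for ccTLDs with public second-level suffixes (.co.uk)."""
    return ".".join(labels(host)[-2:])


def dns_name_matches(pattern: str, host: str) -> bool:
    """Certificate name match with at most one wildcard, in the leftmost label."""
    p, h = labels(pattern), labels(host)
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h


def certificate_problems(cert: dict, host: str, trusted_issuers: set[str],
                         now: Optional[datetime] = None) -> list[str]:
    """Reasons a client must refuse `cert` for `host`; an empty list means accept.
    `cert` uses the dict layout of ssl.SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    problems = []
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    if now > not_after.replace(tzinfo=timezone.utc):
        problems.append(f"expired on {not_after:%Y-%m-%d}")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_matches(name, host) for name in names):
        problems.append(f"not issued for {host} (names: {names})")
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))  # RDN tuples as in getpeercert()
    if issuer.get("organizationName") not in trusted_issuers:
        problems.append(f"issuer {issuer.get('organizationName')!r} is not trusted")
    return problems


# Constructed stand-ins for what the reader saw: a lookalike host and a
# certificate that expired in 2012, issued to another name by an unknown CA.
SUSPECT_HOST = "autodiscover.domain.de.de"
SUSPECT_CERT = {
    "subject": ((("commonName", "mail.example.net"),),),
    "issuer": ((("organizationName", "Some Unknown CA"),),),
    "subjectAltName": (("DNS", "mail.example.net"),),
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Jun 30 23:59:59 2012 GMT",
}
TRUSTED_ISSUERS = {"Example Trust Services"}  # stand-in for the OS root store


def audit(email: str, contacted_host: str, cert: dict) -> dict:
    """What a client should conclude before it accepts settings from contacted_host."""
    zone = email.rsplit("@", 1)[1]
    return {
        "candidates": autodiscover_candidates(email),
        "host_in_zone": host_in_zone(contacted_host, zone),
        "registrable_name": registrable_name(contacted_host),
        "cert_problems": certificate_problems(cert, contacted_host, TRUSTED_ISSUERS),
    }


if __name__ == "__main__":
    for key, value in audit("user@domain.de", SUSPECT_HOST, SUSPECT_CERT).items():
        print(f"{key}: {value}")
```

Two things to take away from running it: the label-wise zone test says that autodiscover.domain.de.de is not part of domain.de, while a plain substring match (as found in many proxy allow-lists and log filters) accepts it, and the registrable name of that host is de.de, so the lookalike is just a hostname under whoever controls de.de rather than a registration of its own. The certificate is refused for three independent reasons before any user sees a Yes button, which is exactly what a client without certificate checks would skip.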
What countermeasures have been taken?
The problem with the fake domain has been solved for now by blocking this address in the upstream firewall and blacklisting the certificate. To blacklist it, the certificate was imported into Windows and added to the list of blocked certificates in the certificate store, the reader told me.
IP address of the fake domain in Luxembourg
He then did some more research and wrote that the IP address found for the domain in question belongs to a "data center" in Luxembourg. How or where the domain (.de.de) was registered is beyond the reader's knowledge; he was not aware that this was possible. The reader called the .de registry DENIC and learned that this .de.de domain is not registered there.
What is behind this?
At this point the question arises why someone would do such a thing. And what would happen if, for example, the certificate were accepted, or if clients without a certificate check (Android etc.) accessed this domain via Autodiscover? Can anyone from the readership make sense of this?
I've reported the case to the German CERT-Bund and asked for a statement, but so far I haven't had an answer. Other readers are also trying to send takedown notices to the Luxembourg registrar.