September 23, 2021

Around 100,000 login names and passwords for Windows domains have been leaked by bugs.

This was due to the incorrect implementation of Microsoft Exchange’s Autodiscover feature, which resulted in Windows credentials being sent to untrusted third-party websites.

Microsoft Exchange uses an Autodiscover feature to automatically configure a user’s email client, such as Microsoft Outlook, using the company’s predefined email settings.

The issue starts when a client cannot successfully authenticate the Autodiscover URL to Microsoft Exchange Server. Microsoft would perform a “back-off” procedure by creating additional URLs.

It is therefore this faulty implementation of the Autodiscover protocol that causes mail clients to authenticate to untrusted domains.

In investigating the problem, Guardicore’s security research AVP, Amit Serper, has identified some methods that organizations and developers could utilize to mitigate these Microsoft Exchange Autodiscover leaks.

These include blocking all Autodiscover.[tld] domains of different organizations, firewall or DNS servers, so that their devices cannot connect to them.

Businesses are also urged to disable Basic authentication as it sends credentials in cleartext.

Software developers are advised to prevent their mail clients from failing upwards when building Autodiscover URLs to ensure they never connect to Autodiscover. [tld] domains.

For more information, read the original story in BleepingComputer.