Microsoft Exchange leaks credentials without authenticating users

Get a free Techzine subscription!

The Microsoft Exchange email server has been found to leak credentials to unauthenticated users. It was found and detailed by Guardicore. The issue relates to the Microsoft Autodiscover protocol.

The protocol is a feature in Exchange email servers, designed to make the configuration of clients such as Outlook easy. The feature allows an end-user to completely configure their Outlook client by providing a user name and password while leaving the rest of the configuration to the protocol. That is where the problem begins.

The problem

The automatic configurations rely on email clients to ping a series of URLs. If the clients don’t get a response from the URLs, they try a ‘back-off’ algorithm that uses Autodiscover, with a top-level domain name. Serper registered some domain names with the name Autodiscover in them and then ran a honeypot server to see what would happen.

Between April and August, the honeypots experienced hundreds of requests a day with thousands of credentials from users attempting to set up email clients. The problem was that many of the requests received did not trigger the client to check if the resource is available or even exists, before sending an authenticated request.

What the tests found

When Serper was done testing, Guardicore had managed to capture over 372,000 Windows domain credentials and over 96,000 unique credentials for apps like Outlook. The credentials range from power producers, food companies, shippers, logistics companies, and more. The point here is that if a malicious actor had been involved, the resulting fallout may have been catastrophic.

Microsoft said that even though it is committed to coordinated vulnerability exposure, it was unaware of these issues before it went public. The company has been struggling with security recently, with this report not helping matters. Our advice is to patch up as soon as an update is available.

Tip: Four new vulnerabilities in Microsoft Azure agent