Researchers looked at a “design flaw” in the Microsoft Autodiscover protocol and discovered that they could capture domain credentials.
Autodiscover is the protocol Microsoft Exchange uses to configure clients such as Microsoft Outlook automatically: the client looks up an Autodiscover endpoint for the user's email domain, authenticates to it and retrieves its mailbox settings.
Amit Serper, AVP of Security Research at Guardicore Labs, published the findings of the team's investigation into that protocol and the way clients locate the endpoint they authenticate to.
The protocol exists in several versions. Guardicore examined the POX (plain old XML) variant and found a "design flaw" in the client's back-off procedure: when the Autodiscover URLs built from the user's own domain fail, the client strips one label at a time from the left of the domain and retries, so a request for a user in example.com.br ends up at autodiscover.com.br. Web requests, and the credentials they carry, thereby "leak" to Autodiscover hosts outside the user's organisation that merely share its top-level domain (TLD) suffix.
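The back-off walk described above, as an added and constructed model in Python (not Guardicore's tooling or Microsoft's client code): given a mailbox address, list the Autodiscover URLs a client following the procedure would try in order, and flag the ones whose host falls outside the user's own domain. The exact URL order is simplified from the behaviour described here, and example.com.br is a hypothetical domain.

```python
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def autodiscover_candidates(email: str) -> list[str]:
    """Return, in order, the Autodiscover URLs a client following the
    back-off procedure would try for the given mailbox.

    The two well-known URLs for the user's own domain come first. The
    back-off then drops the leftmost label one step at a time and prepends
    'autodiscover.' to the remainder, so user@example.com.br walks from
    autodiscover.example.com.br down to autodiscover.com.br and finally
    autodiscover.br. This is a model of the behaviour described in the
    article, not Outlook's actual implementation.
    """
    domain = email.rsplit("@", 1)[1].strip().lower().rstrip(".")
    urls = [
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"https://{domain}{AUTODISCOVER_PATH}",
    ]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        urls.append(f"https://autodiscover.{parent}{AUTODISCOVER_PATH}")
    return urls


def in_organisation(host: str, org_domain: str) -> bool:
    """True if host is org_domain itself or one of its subdomains."""
    host, org_domain = host.lower(), org_domain.lower()
    return host == org_domain or host.endswith("." + org_domain)


def leaking_candidates(email: str) -> list[str]:
    """URLs from the back-off walk whose host lies outside the mailbox's
    own domain. Anyone who registers autodiscover.<suffix> can answer
    these, so they are the hosts to block at DNS or the egress proxy."""
    org_domain = email.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return [
        url for url in autodiscover_candidates(email)
        if not in_organisation(urlsplit(url).hostname, org_domain)
    ]


if __name__ == "__main__":
    # Hypothetical mailbox; the last two URLs are the ones that leak.
    for url in autodiscover_candidates("user@example.com.br"):
        print(url)
    print("leaks to:", leaking_candidates("user@example.com.br"))
```

Running `leaking_candidates` over the email domains in use at an organisation yields exactly the autodiscover.<suffix> hostnames that should be blocked outbound, which is the defensive check a practitioner wants from this description.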
To test the protocol, the team initially registered and acquired various TLD-based domains, such as Autodiscover.com.br, Autodiscover.com.uk, Autodiscover.com.fr, and Autodiscover.com.cn.
After pointing these domains at a Guardicore-controlled web server, the researchers say they "were just waiting for HTTP requests for different Autodiscover endpoints to come".
Between April 16 and August 25, 2021, Guardicore collected 372,072 Windows domain credentials in total, 96,671 of them unique, sent by Microsoft Outlook, mobile email clients and other applications. Some were sent using HTTP Basic authentication, which only base64-encodes the username and password, so they were effectively in cleartext.
The senders included Chinese enterprises, food producers, electricity companies, shipping and transportation companies, and more. Strikingly, many clients sent credentials without first checking whether the resource they were asking for existed. "The interesting issue with a large amount of the requests that we received was that there was no attempt on the client's side to check if the resource is available or even exists on the server before sending an authenticated request," the team explained.
Guardicore also described a downgrade attack available to whoever controls these Autodiscover domains. When a client offers a stronger scheme such as OAuth or NTLM, the attacker's server answers with an HTTP 401 whose WWW-Authenticate header offers only Basic; a client that honours the challenge retries with HTTP Basic authentication, handing over the username and password base64-encoded rather than encrypted.
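The downgrade exchange described above, as an added and constructed Python model with both sides' messages (not Guardicore's tooling and not Outlook's real client logic): an attacker-controlled Autodiscover host answers every request with a Basic-only 401, a naive client retries with base64-encoded credentials that the server decodes trivially, and a hardened client refuses to answer a Basic challenge from any host outside its own organisation. The hostnames, account name and password are hypothetical.

```python
import base64
from typing import Optional, Tuple

# The attacker's challenge: offer nothing but Basic. Constructed example.
BASIC_ONLY_CHALLENGE = 'Basic realm="autodiscover"'


def attacker_server(request: dict) -> dict:
    """Attacker-controlled Autodiscover host: whatever the client sends
    (here a dict standing in for the HTTP request), demand Basic auth."""
    return {"status": 401, "headers": {"WWW-Authenticate": BASIC_ONLY_CHALLENGE}}


def naive_client_retry(challenge: dict, username: str, password: str) -> Optional[dict]:
    """Client that accepts whichever scheme the server offers. If the
    offer is Basic, it retries with 'user:password' base64-encoded.
    Handles the single-scheme challenge format used in this model."""
    www_auth = challenge["headers"].get("WWW-Authenticate", "")
    scheme = www_auth.split(None, 1)[0].lower() if www_auth else ""
    if scheme == "basic":
        token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
        return {"Authorization": f"Basic {token}"}
    return None


def recover_credentials(authorization: str) -> Optional[Tuple[str, str]]:
    """What the attacker does with the captured header: base64 is encoding,
    not encryption, so the username and password fall straight out.
    Splits on the first ':' so passwords containing ':' survive."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pw


def hardened_client_retry(host: str, org_domain: str, challenge: dict,
                          username: str, password: str,
                          allow_basic_in_org: bool = False) -> Optional[dict]:
    """Policy: never send Basic to a host outside the organisation's own
    domain (e.g. autodiscover.<tld>), and by default do not send Basic at
    all, since a server that downgrades to Basic is not to be trusted."""
    host, org_domain = host.lower(), org_domain.lower()
    inside = host == org_domain or host.endswith("." + org_domain)
    if not inside or not allow_basic_in_org:
        return None
    return naive_client_retry(challenge, username, password)


if __name__ == "__main__":
    # Constructed exchange: the client's walk has reached autodiscover.com.br.
    request = {"method": "POST", "host": "autodiscover.com.br",
               "path": "/autodiscover/autodiscover.xml"}
    challenge = attacker_server(request)
    leaked = naive_client_retry(challenge, "CORP\\jdoe", "Winter2021!")
    print("client sent:", leaked)
    print("attacker recovered:", recover_credentials(leaked["Authorization"]))
    print("hardened client sent:",
          hardened_client_retry(request["host"], "example.com.br", challenge,
                                "CORP\\jdoe", "Winter2021!"))
```

The same `recover_credentials` logic is what a defender can run over proxy logs: any `Authorization: Basic` header seen on a request to a host that `hardened_client_retry` would reject is a credential leaving the organisation in cleartext.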
“The protocol issue isn’t new; we were just able to attack it on a huge scale,” Serper explained.
At the time of writing, Microsoft had not yet released an update addressing the issue.