Guardicore Team has uncovered a design-level flaw in Microsoft Exchange Autodiscover, which could result in the leak of millions of usernames and passwords across the globe.

In the report, Guardicore Team said that it acquired multiple Autodiscover domains with a TLD suffix, and they have set them up to reach a web server that they control. They also added that they had detected a massive leak of Windows domain credentials that reached their server. According to the report, they have captured 372,072 Windows domain credentials in total. Out of which, 96,671 were unique credentials captured from the applications connected to the Microsoft Exchange, such as Microsoft Outlook, mobile email clients, and other applications from April 16th, 2021 to August 25th, 2021. These numbers are really terrific. The flaw can cause massive damage to the business. It is highly important to address this issue. Let’s see how to fix the Microsoft Exchange Autodiscover flaw.

What is Microsoft Exchange Autodiscover?

Normally, users will have to configure multiple settings to configure a mail client such as Microsoft Outlook, ActiveSync, and mobile email clients. Users may need this information to configure their email clients:

• Username and password.
• The IP addresses or hostname of the Exchange server.
• In some cases, additional settings such as Miscellaneous LDAP settings, WebDAV calendars, etc, are required to configure mail clients.

Microsoft Exchange Autodiscover assists users in configuring their email clients with Exchange Servers. Technically, the autodiscover is a protocol used by Microsoft Exchange for the automatic configuration of clients. You can learn more information about the autodiscover from Microsoft’s website.

How Does Microsoft Exchange Autodiscover Work?

1. For the first time, when a user adds his account on his Outlook. Outlook will display a prompt to the user to supply his user name and password.
2. After the user fills all the required details, In the background, Outlook will then parses the email address supplied by the user and then builds an autodiscover URL in the below format based on the email address of the user.

• https://Autodiscover.example.com/Autodiscover/Autodiscover.xml
• http://Autodiscover.example.com/Autodiscover/Autodiscover.xml
• https://example.com/Autodiscover/Autodiscover.xml
• http://example.com/Autodiscover/Autodiscover.xml

3. Then Outlook sends the URLs to the autodiscover and configure the user account on Outlook.

How Attackers Exploit Microsoft Exchange Autodiscover Flaw to Capture User Credentials?

To know where the flaw exists in autodiscover, let’s continue with the previous process. Let’s presume non of the URLs are responding. Autodiscover will start its “back-off” algorithm. Actual flaws exist in the back-of algorithm.

1. When autodiscover see no response from any of the URLs, its back-off algorithm always keep try resolving the the ‘Autodiscover’ portion of the domain.
2. When the request fails, autodiscover sends the subsequent request to http://Autodiscover.com/Autodiscover/Autodiscover.xml.This means all the requests will go to Autodiscover.com instead of the original domain. Click here if you want to know more information about the autodiscover.
3. The Attacker will make use of this flaw to capture the information sent by Outlook. The Attacker will set up a web server with the domain ‘Autodiscover.com‘ and start receiving web requests from various Autodiscover endpoints.
4. The most concerning about the request is, the request will have the relative path of /Autodiscover/Autodiscover.xml with the Authorization header and credentials in HTTP basic authentication.
5. The server will respond to the client with an HTTP 401 response.
6. Upon receiving the HTTP 401 response from the server, the client will downgrade, telling the server to use HTTP Basic Authentication.
7. The Victim will see a Certificate Invalid error dialog box, which could be fixed just by deploying any valid SSL certificate.
8. The Victim will see a legitimate authentication prompt after a secure session has been established with a valid certificate.
9. This is the critical and last step. When the Victim enters the credentials on the authentication prompt and sends, the Attacker’s web server will receive the credentials. The attacker can see the username and password in the server’s logs.

In this way, attackers can exploit Microsoft Exchange Autodiscover flaw and capture user authentication details. This is a high severity security issue. It can cause massive damage to the business. It is highly important to fix this flaw. Let’s read the coming section to see how to Fix The Microsoft Exchange Autodiscover Flaw.

What are the Implications of The Microsoft Exchange Autodiscover Flaw?

Implications are quite dangerous. By exploiting this flaw, attackers can:

1. Sniff the Exchange server’s, domain controller, or network traffic of the Victim from remote.
2. Capture user’s domain credentials in plain text over HTTP basic authentication.
3. Have DNS-poisoning capabilities on a large scale.

Who are the Victims of The Microsoft Exchange Autodiscover Flaw?

Any users who will use email clients like Outlook, ActiveSync, mobile email client, and any other client applications connect with Microsoft Exchange server. The users who connect Exchange server over the internet are more vulnerable to the attack.

How To Fix The Microsoft Exchange Autodiscover Flaw?

Looking at the implications, we can say that it is a critical flaw that should be fixed or mitigated to avert the damage. Let’s see how to fix The Microsoft Exchange Autodiscover flaw.

You can fix the Microsoft Exchange Autodiscover flaw in two different levels:

1. The user or the client who uses email clients over the public network.
2. Vendors who will implement the Autodiscover protocol in their mail client applications.

For User or Client:

1. On the client-side, this flaw can be mitigated by blocking Autodiscover domains in your firewall. Block all the below domains in your Firewall, Web Proxy, EndPoint solution, NIDS, HIDS, and where ever you have blocking controls.
   1. Autodiscover.com.br – Brazil
   2. Autodiscover.com.cn – China
   3. Autodiscover.com.co – Columbia
   4. Autodiscover.es – Spain
   5. Autodiscover.fr – France
   6. Autodiscover.in – India
   7. Autodiscover.it – Italy
   8. Autodiscover.sg – Singapore
   9. Autodiscover.uk – United Kingdom
   10. Autodiscover.xyz
   11. Autodiscover.online
2. We can mitigate the flaw just by disabling the HTTP basic authentication when setting up an exchange server. This will stop sending credentials in plain text over the wire.
3. Block the domains listed in the txt file on your network block controls: https://data.iana.org/TLD/tlds-alpha-by-domain.txt. 
4. The file has the list of all possible autodiscover.[tld] domain combinations. Just map loopback IP address 127.0.0.1 to all the domains listed in the txt file in the host file. Visit here for more information.
   1. Host file location in Windows: %windir%\System32\drivers\etc\hosts
   2. Host file location in Linux and macOS: /etc/hosts

For Vendors:

In the development or implementation phase, Design the ‘back-off algorithm of the product in such a way that it never constructs URLs with domains like ‘Autodiscover.’

Conclusion

In the post, we have covered most of the things which are required to know about the Autodiscover service. We have started the post from what is Autodiscover, then we have explained its working and the flaw with the ‘back-off’ algorithm. Then its implications, victims, and at last the most important how to fix the Microsoft Exchange Autodiscover flaw.

The information contained in this website is for general information purposes only. The information is gathered from TheSecMaster, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.