A serious Microsoft Exchange security flaw is going unaddressed


A design flaw in an integral feature of the Microsoft Exchange email server can be abused to harvest Windows domain and app credentials, according to cybersecurity researchers.

Sharing details about the bug in a blog post, Guardicore researchers note that the issue exists in the Microsoft Autodiscover protocol, which helps email clients discover Exchange email servers so they can obtain the correct configuration.

“[Autodiscover] has a design flaw that causes the protocol to “leak” web requests to Autodiscover domains outside of the user’s domain but in the same TLD (i.e. Autodiscover.com),” shares Amit Serper, AVP of Security Research at Guardicore, adding that such a move could help attackers extract credentials from the leaky Autodiscover requests.


To test this behavior, Guardicore Labs acquired multiple Autodiscover domains (an Autodiscover hostname sitting directly under a TLD suffix) and pointed them at a web server under their control; the results were surprising.

Severe security issue

In a little over four months, Guardicore managed to capture 96,671 unique credentials that leaked from various applications including Microsoft Outlook, mobile email clients and other applications, as they attempted to interface with Microsoft’s Exchange server.

Serper refers to this behavior as a “severe security issue” since it could enable an attacker with large-scale DNS-poisoning capabilities, such as a state-sponsored actor, to syphon passwords by running a DNS poisoning campaign against the Autodiscover TLD domains.

Moreover, although all the collected credentials arrived over unencrypted HTTP basic authentication connections, Serper also shares details of an attack that could capture credentials from more secure forms of authentication such as OAuth.
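As an added example, not from the article or from Guardicore's research, the following Python detector scans constructed proxy log lines for Autodiscover requests that a client sent to an Autodiscover host outside its own email domain but under the same TLD (the leak described above), and notes when the request travelled over plain HTTP, where basic authentication is sent in the clear. The log format, hostnames and addresses are assumptions made up for the example.

```python
"""Flag Autodiscover requests that 'leak' outside the organisation's domain.

Constructed example: for an organisation whose mail domain is example.com,
a request to autodiscover.example.com is expected, but a request to
autodiscover.com (same TLD, different owner) is the leak to alert on.
Standard library only; the proxy log format is a simplified, made-up one.
"""
import re
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
SAMPLE_PROXY_LOG = """\
2021-09-22T10:01:12Z 10.0.0.5 GET https://autodiscover.example.com/autodiscover/autodiscover.xml 404
2021-09-22T10:01:13Z 10.0.0.5 GET https://example.com/autodiscover/autodiscover.xml 404
2021-09-22T10:01:14Z 10.0.0.5 GET http://autodiscover.com/autodiscover/autodiscover.xml 200
2021-09-22T10:01:20Z 10.0.0.7 GET https://www.example.com/index.html 200
2021-09-22T10:02:01Z 10.0.0.9 GET http://autodiscover.example.net/autodiscover/autodiscover.xml 401
"""

_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def autodiscover_leaks_outside(user_domain: str, request_host: str) -> bool:
    """True if request_host is an Autodiscover host that is not under
    user_domain but ends in the same top-level label.  Public-suffix
    handling is deliberately simplified (last label only)."""
    user_domain = user_domain.lower().rstrip(".")
    host = request_host.lower().rstrip(".")
    if not host.startswith("autodiscover."):
        return False
    if host.endswith("." + user_domain):
        return False  # legitimate in-domain Autodiscover endpoint
    return host.rsplit(".", 1)[-1] == user_domain.rsplit(".", 1)[-1]


def find_leaks(log_text: str, user_domain: str) -> list[dict]:
    """Return the Autodiscover requests in log_text that leak outside
    user_domain, recording whether each went over plaintext HTTP."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, _method, url, status = m.groups()
        parts = urlsplit(url)
        if not parts.path.lower().startswith("/autodiscover"):
            continue
        if autodiscover_leaks_outside(user_domain, parts.hostname or ""):
            hits.append({"time": ts, "client": client, "host": parts.hostname,
                         "plaintext": parts.scheme == "http", "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_PROXY_LOG, "example.com"):
        print(hit)
```

Only the third log line is reported: the client fell through to autodiscover.com over plain HTTP, which is exactly the request that would carry basic-auth credentials to a domain the organisation does not own.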

In an email statement to The Record, Microsoft acknowledged that it is investigating Guardicore’s findings, adding however that the security company didn’t report it to Microsoft before sharing the details in public.

Via The Record

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
