Microsoft Exchange servers autodiscover function, is not secure! A systems administrator who incorrectly sets up their on-premise Autodiscover record could be assisting miscreants to slurp up credentials from an organisations users trying to connect to their corporate email account.
Or worse and equally possible, an end user having trouble connecting to their Exchange server will also inadvertently forward their credentials to the same Autodiscover DNS record, where the email and password can be gathered.
A security researcher from Guardicore, Amit Serper (which is reported to be a billion dollar unicorn for network segmentation) has discovered that by purchasing the Autodiscover domains in various countries, he has been able to collect email address and password data. In fact over 96,000 credentials in around 4 months from a handful of Autodiscover domains that Guardicore has purchased to confirm this vulnerability.
This problem occurs because the Autodiscover feature, being as helpful as it is, doesn’t just stop at querying your domain for the Autdiscover information needed to authenticate the user to their email, Microsoft Outlook will start querying “upstream” hardcoded MS Exchange DNS records; Autodiscover.contoso.com and then Autodiscover.com or Autodiscover.com.au etc vigorously trying to help but sharing the users typed in User name and Password information with any Webserver that is listening at the Autodiscover.com (or whatever) domain.
Three major flaws contribute to the overall vulnerability: the Autodiscover protocol’s “backoff and escalate” behavior when authentication fails, its failure to validate Autodiscover servers prior to giving up user credentials, and its willingness to use insecure mechanisms such as HTTP Basic in the first place.https://arstechnica.com/author/jimsalter/
Mitigating the issue is not so straight forward though:
If you’re a network administrator, you can mitigate the issue by refusing DNS requests for Autodiscover domains—if every request to resolve a domain beginning in “Autodiscover” is blocked, the Autodiscover protocol won’t be able to leak credentials. Even then, you must be careful: you might be tempted to “block” such requests by returning
127.0.0.1, but this might allow a clever user to discover someone else’s email and/or Active Directory credentials, if they can trick the target into logging into the user’s PC.
Read below for much more detail on this vulnerability, Microsoft is aware of it now and should have a mitigation in place soon.
My original source: