Breach, Content, Content

Microsoft Exchange Autodiscover Flaw: How Hackers Can Exploit It


Cybercriminals can exploit a design flaw in the Microsoft Exchange Autodiscover protocol to "leak" web requests outside of an end-user's domains, according to the cybersecurity research team at network segmentation solutions provider Guardicore. Autodiscover is a protocol used by Exchange for automatic configuration of Microsoft Outlook and other clients.

The Autodiscover flaw enables cybercriminals to control user domains or "sniff" traffic in the same network and capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire, Guardicore said. It also allows hackers with DNS-poisoning capabilities to syphon leaky passwords.

Analyzing the Exchange Autodiscover Flaw

Guardicore acquired multiple Autodiscover domains with a TLD suffix and set them up to reach a web server, the company said. It then detected a leak of Windows domain credentials that reached its server.

In total, Guardicore captured 372,072 Windows domain credentials due to the Autodiscover flaw, the company indicated. Guardicore also obtained 96,671 unique credentials that leaked from mobile email clients and other applications interfacing with the Exchange server.

How to Avoid an Autodiscover Leak: To mitigate the Autodiscover design flaw, users can block Autodiscover domains in their firewalls, Guardicore stated. In addition, they can leverage HTTP basic authentication and verify that support for basic authentication is disabled when they deploy or configure Exchange setups.

Meanwhile, software developers and vendors should verify that they are implementing Autodiscover in their products and not letting them "fail upwards," Guardicore indicated. This ensures that software developers and vendors should avoid developing domains such as "Autodiscover" with a "back-off" algorithm.

Microsoft Exchange Security Challenges

This is the latest in a growing list of Microsoft Exchange-related security issues that MSSPs and MSPs have had to mitigate for customers.

For instance, hackers have repeatedly exploited ProxyShell vulnerabilities known as CVE-2021-34473CVE-2021-34523, and CVE-2021-31207, according to a CISA (Cybersecurity and Infrastructure Security Agency) alert.

Also, the United States and several allies in July 2021 blamed hackers associated with China’s government for various Microsoft Exchange Server cyberattacks and email hack. The hack, first reported in Q1 of 2021, impacted thousands of on-premises email customers, small businesses, enterprises and government organizations worldwide.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.