Microsoft Exchange bug leaked hundreds of thousands of users' domain credentials

The flaw lies in the Autodiscover protocol used by Microsoft Exchange mail servers and their clients.

Cybersecurity researchers at Guardicore have discovered a flaw in the way Microsoft Exchange mail clients locate their server. The issue has resulted in the leaking of Windows domain credentials and application passwords from organizations around the world.

The problem lies in the Microsoft Autodiscover protocol of Microsoft Exchange, which lets a mail client automatically locate its mail server, present the user's credentials, and then download the correct configuration. The protocol is an important part of Exchange deployments because it lets administrators make sure clients use the correct parameters for SMTP, IMAP, LDAP, WebDAV, and other services without configuring each client by hand.

To obtain these settings automatically, an email client derives a series of predefined candidate URLs from the domain part of the user's email address and tries them in turn.

According to the researchers, the Autodiscover mechanism uses a "back-off" procedure when it does not find the Microsoft Exchange server's Autodiscover endpoint on the first attempts. This back-off is the culprit in the data leak: it strips the leftmost label from the Autodiscover hostname and tries again, so once the organization's own domain has failed, the client "fails up" to a domain the organization does not own. For a user at example.com, the next generated Autodiscover URL is autodiscover[.]com/autodiscover/autodiscover.xml. This means that whoever owns autodiscover[.]com receives every request that could not reach the legitimate domain.

The researchers registered a series of Autodiscover domains (autodiscover under various top-level domains) that were still available for registration. Between April 16, 2021 and August 25, 2021, these servers received a large volume of requests carrying credentials from users whose email clients were trying to configure themselves but could not find a valid Autodiscover endpoint in the user's own domain.

The problem with many of these requests was that the client made no attempt to check whether the endpoint existed, was reachable, or even belonged to the organization before sending an authenticated request. Many clients sent the credentials as HTTP Basic authentication, which is only base64-encoded and therefore readable in cleartext by whoever controls the host that answers.
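The back-off and the resulting leak, as an added illustration that is not Guardicore's or Microsoft's code: the first function models the order of candidate URLs a naive client tries (own domain first, then one label stripped at a time, following the description above; real clients also retry some steps over plain HTTP, which is omitted here), the second lists the hosts in that sequence that fall outside the user's own domain, and the third shows what the registrant of such a host can read from one request. The email addresses, the sample request and the credentials in it are constructed for the example.

```python
"""Added example (not Guardicore's or Microsoft's code): a model of the
Autodiscover "back-off" and of what a catch-all autodiscover.<tld> host
can read from a leaked request.

Assumptions: candidate-URL order follows the published description (own
domain first, then strip one label at a time); the plain-HTTP retries that
real clients also make are omitted; all inputs below are constructed.
"""
import base64
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def autodiscover_candidates(email: str) -> List[str]:
    """Return the URLs a naive Autodiscover client tries, in order.

    The first three probe the user's own domain.  The rest are the
    "back-off": drop the leftmost label and retry, which for jdoe@example.com
    ends at autodiscover.com, a host the organization does not control.
    """
    domain = email.rsplit("@", 1)[1].lower()
    urls = [
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"http://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"https://{domain}{AUTODISCOVER_PATH}",
    ]
    labels = domain.split(".")
    for i in range(1, len(labels)):            # "fail up" one label at a time
        parent = ".".join(labels[i:])
        urls.append(f"https://autodiscover.{parent}{AUTODISCOVER_PATH}")
    return urls


def hosts_outside_domain(email: str) -> List[str]:
    """Candidate hosts that are not under the user's own mail domain.

    Any credentialed request to one of these goes to whoever registered it.
    """
    domain = email.rsplit("@", 1)[1].lower()
    leaked = []
    for url in autodiscover_candidates(email):
        host = urlsplit(url).hostname or ""
        if host != domain and not host.endswith("." + domain):
            leaked.append(host)
    return list(dict.fromkeys(leaked))          # de-duplicate, keep order


def extract_basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """What the owner of autodiscover.<tld> sees in one request.

    HTTP Basic carries "user:password" base64-encoded in the Authorization
    header; base64 is an encoding, not encryption, so it decodes directly.
    Returns None when there is no Basic credential (e.g. NTLM/Negotiate).
    """
    for line in raw_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        decoded = base64.b64decode(token).decode("utf-8", "replace")
        user, _, password = decoded.partition(":")
        return user, password
    return None


# Constructed sample request (not a real capture): what a client sends to
# the catch-all host after it answers 401 with "WWW-Authenticate: Basic".
SAMPLE_REQUEST = (
    "GET /autodiscover/autodiscover.xml HTTP/1.1\r\n"
    "Host: autodiscover.com\r\n"
    "Authorization: Basic "
    + base64.b64encode(b"CORP\\jdoe:Summer2021!").decode("ascii") + "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for url in autodiscover_candidates("jdoe@example.co.uk"):
        print(url)
    print("leaks to:", hosts_outside_domain("jdoe@example.co.uk"))
    print("catch-all host reads:", extract_basic_credentials(SAMPLE_REQUEST))
```

Running the block shows that for a user at example.co.uk the client, after its own domain fails, walks to autodiscover.co.uk and then autodiscover.uk, and that a Basic-authenticated request to either host hands the registrant the username and password in cleartext; the same walk on an email at a two-label domain ends at autodiscover.com.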

In total, Guardicore received 372,072 Windows domain credentials, including 96,671 unique username/password pairs leaked from applications such as Microsoft Outlook and mobile email clients. The credentials belonged to food manufacturers, investment banks, power plants, real estate companies, logistics companies, as well as publicly traded Chinese companies.