Thursday, 23 September 2021 11:51

Microsoft Exchange leaking user credentials due to protocol defect


A protocol used by Microsoft Exchange, the popular email server software used by both individuals and businesses, has been found to leak the credentials of users who attempt to authenticate from clients like Microsoft Outlook, due to a defect in its design.

Research released by security outfit Guardicore on Wednesday US time said the flaw, in an implementation of the Autodiscover protocol based on the POX XML protocol, leaks Web requests to Autodiscover domains outside a user's domain but within the same top-level domain.

The Autodiscover protocol allows users of mail clients like Outlook to authenticate to a server after inputting a username and password; the remainder of the credentials needed for authentication would be supplied by the Exchange server.

But, as Guardicore's Amit Serper found, Windows domain credentials could be easily captured, something he achieved by setting up multiple Autodiscover domains with a TLD suffix that connected to a Web server controlled by Guardicore.

Between 16 April and 25 August, Serper said 372,072 Windows domain credentials were harvested, in addition to 96,671 unique credentials that leaked from Outlook, mobile email clients and other applications that interfaced with the Exchange server.

"This is a severe security issue, since if an attacker can control such domains or has the ability to 'sniff' traffic in the same network, they can capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire," he wrote.

"Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically siphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs."

He said that since Exchange was part of Microsoft's domain suite of solutions, the credentials needed to access the mail server were generally the domain credentials.

"The implications of a domain credential leak in such scale are massive, and can put organisations in peril. Especially in today’s ransomware-attacks ravaged world, the easiest way for an attacker to gain entry into an organisation is to use legitimate and valid credentials," Serper pointed out.

Four years ago, researchers from Share Security shared details of how Autodiscover implementations for mobile email clients could cause such leaks.

The flaws that were disclosed were patched, but "here we are in 2021 with a significantly larger threat landscape, dealing with the exact same problem only with more third-party applications outside of email clients", Serper noted.

He explained the process of authentication that occurred behind the scenes, by using a hypothetical email address: amit @

  • First, the email client would parse this address.
  • Then, the client would try to build an Autodiscover URL based on the email address with the following format:
  • https: //
  • http: //
  • https: //
  • http: //

"In the case that none of these URLs are responding, Autodiscover will start its 'back-off' procedure," Serper explained. "This 'back-off' mechanism is the culprit of this leak because it is always trying to resolve the Autodiscover portion of the domain and it will always try to 'fail up', so to speak.

"Meaning, the result of the next attempt to build an Autodiscover URL would be: https:// This means that whoever owns will receive all of the requests that cannot reach the original domain."

To test out his findings, Serper registered the following domains:

  • – Brazil
  • – China
  • – Colombia
  • – Spain
  • – France
  • – India
  • – Italy
  • – Singapore
  • – United Kingdom

All these domains were allocated to a Web server owned by Guardicore and soon torrents of Web requests started to arrive.

"The most notable thing about these requests was that they requested the relative path of /Autodiscover/Autodiscover.xml with the Authorisation header already populated with credentials in HTTP basic authentication," Serper noted.

"Generally, Web requests should not be sent blindly pre-authenticated, but rather by following the HTTP authentication process:

  • "A client requests access to a protected resource;
  • "The Web server returns a dialog box that requests the username and password (in accordance with the supported authentication methods; in our case, basic authentication);
  • "The client submits the username and password to the server; [and]
  • "The server authenticates the user and returns the requested resource."

He said that with the majority of requests received on the Web server, there was no attempt from the client side to check if the resource was available or even existed on the server.

"Usually, the way to implement such a scenario would be to first check if the resource that the client is requesting is valid, since it could be non-existent (which will trigger an HTTP 404 error) or it may be password-protected (which will trigger an HTTP 401 error code)," Serper pointed out.
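The two behaviours described above, the "fail up" back-off that builds Autodiscover URLs outside the user's domain and the challenge-driven HTTP authentication flow a client should follow instead, modelled in an added Python example that is not part of the Guardicore research or of this article. The `/Autodiscover/Autodiscover.xml` path is quoted in the article; the ordering of the first four candidate URLs, the `autodiscover.` host prefix and both responders are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"   # path quoted in the article

def candidate_urls(email: str) -> list[str]:
    """Candidate URLs as the article describes them: the user's own domain
    first, then the 'fail up' back-off that strips one label at a time
    until only autodiscover.<tld> is left (ordering is an assumption)."""
    domain = email.rsplit("@", 1)[1].lower()
    urls = [f"{s}://autodiscover.{domain}{AUTODISCOVER_PATH}" for s in ("https", "http")]
    urls += [f"{s}://{domain}{AUTODISCOVER_PATH}" for s in ("https", "http")]
    labels = domain.split(".")
    while len(labels) > 1:                       # example.co.uk -> co.uk -> uk
        labels = labels[1:]
        urls.append(f"https://autodiscover.{'.'.join(labels)}{AUTODISCOVER_PATH}")
    return urls

def in_user_domain(url: str, email: str) -> bool:
    """True only when the URL's host is the user's domain or a host under it."""
    domain = email.rsplit("@", 1)[1].lower()
    host = urlsplit(url).hostname or ""
    return host == domain or host.endswith("." + domain)

def leaking_candidates(email: str) -> list[str]:
    """The back-off targets: hosts the client would contact that nobody in
    the user's organisation controls."""
    return [u for u in candidate_urls(email) if not in_user_domain(u, email)]

def safe_autodiscover(email: str, respond):
    """Challenge-driven client: probe without credentials, send them only
    after a 401, and never to a host outside the user's own domain.
    `respond(url, auth)` stands in for the HTTP exchange and returns a
    status code.  Returns the URL that accepted the credentials, or None."""
    for url in candidate_urls(email):
        if not in_user_domain(url, email):
            continue                             # refuse to fail up past our domain
        if respond(url, auth=False) == 401 and respond(url, auth=True) == 200:
            return url
    return None

def hostile_tld_server(url: str, auth: bool) -> int:
    """Constructed responder: the user's own hosts are down (503) while the
    TLD-level autodiscover host accepts anything it is sent."""
    host = urlsplit(url).hostname or ""
    return 200 if host.startswith("autodiscover.") and host.count(".") == 1 else 503

def healthy_server(url: str, auth: bool) -> int:
    """Constructed responder: the real server challenges first, then accepts."""
    return 200 if auth else 401
```

`leaking_candidates` shows which hosts a naive client would hand credentials to, while `safe_autodiscover` stops at the organisation's own domain and only authenticates after a 401 challenge.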

Comment has been sought from Microsoft.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
