Microsoft Exchange Autodiscover exposing credentials


12:20pm, 24 September 2021

TLP Rating: Clear


Some implementations of Microsoft Exchange’s Autodiscover protocol leak credentials to external domains.

When a client fails to authenticate to its organisation’s Microsoft Exchange server, a “back-off” procedure in some mail clients constructs additional Autodiscover URLs and attempts to authenticate to those as well.

The client first tries the expected URLs under the organisation’s own domain. If those attempts fail, the back-off procedure derives further URLs from the parent domains of the email address, working up towards the top-level domain.

Hence, example@cert.govt.nz will attempt to authenticate to:

  • https://autodiscover.govt.nz/autodiscover/autodiscover.xml
  • http://autodiscover.govt.nz/autodiscover/autodiscover.xml
  • https://autodiscover.nz/autodiscover/autodiscover.xml
  • http://autodiscover.nz/autodiscover/autodiscover.xml

This procedure can cause the client to send its credentials to a domain the organisation does not own. Whoever controls that domain can collect the credentials sent to it.

What's happening

Systems affected

Mail clients incorrectly implementing Microsoft Exchange’s Autodiscover protocol, such as Microsoft Outlook.

What to look for

How to tell if you're affected

You are affected if your mail client implements the “back-off” procedure in Microsoft Exchange’s Autodiscover protocol.

What to do

Mitigation

Firewall off access to the domains autodiscover.[TLD/ccTLD].

A full list of these domains, created by Guardicore, is available on GitHub (see More information below).

For example, an organisation whose mail domain is <domain>.co.nz will need to block traffic to both autodiscover.co.nz and autodiscover.nz, while an organisation whose mail domain is <domain>.nz will need to block traffic to autodiscover.nz.
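As an added example, not code from the CERT NZ advisory or from Microsoft, the Python below reproduces the back-off URL derivation described above for a given email address, computes the autodiscover hosts an organisation should block for the mail domains it owns, and checks proxy log lines for clients that have already reached one of those hosts. The log line format and every sample value in it are constructed assumptions.

```python
"""Defender helpers for the Autodiscover "back-off" credential leak.

Assumptions (not from the advisory): the proxy log format below
("timestamp client method url status") and all sample domains/hosts.
"""
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def backoff_urls(email: str) -> List[str]:
    """Return the external URLs a back-off client would try for `email`,
    in the order the advisory describes: each parent domain of the
    address's domain, up to the TLD, trying https before http."""
    domain = email.rsplit("@", 1)[-1].strip().lower()
    labels = [l for l in domain.split(".") if l]
    urls = []
    # Start at the first parent domain; the organisation's own domain is
    # where the client expects to authenticate and is not a leak target.
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for scheme in ("https", "http"):
            urls.append(f"{scheme}://autodiscover.{parent}{AUTODISCOVER_PATH}")
    return urls


def hosts_to_block(mail_domains: Iterable[str]) -> Set[str]:
    """Return the autodiscover.<parent> hostnames an organisation owning
    `mail_domains` should firewall, e.g. {autodiscover.co.nz,
    autodiscover.nz} for a <domain>.co.nz mail domain."""
    owned = {d.strip().lower() for d in mail_domains}
    blocked: Set[str] = set()
    for d in owned:
        for url in backoff_urls(f"user@{d}"):
            host = urlparse(url).hostname
            # Do not block a host under a domain the organisation owns itself.
            if host and host not in {f"autodiscover.{own}" for own in owned}:
                blocked.add(host)
    return blocked


def flag_backoff_requests(log_lines: Iterable[str],
                          mail_domains: Iterable[str]) -> List[Tuple[int, str]]:
    """Scan proxy log lines and return (line_number, host) for every request
    whose destination is a host the organisation should have blocked.
    Any such hit means a client has already sent credentials outside the
    organisation and the affected account password should be changed."""
    suspect = hosts_to_block(mail_domains)
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(log_lines, start=1):
        fields = line.split()
        if len(fields) < 5:          # malformed line: skip rather than crash
            continue
        host = urlparse(fields[3]).hostname
        if host in suspect:
            hits.append((n, host))
    return hits


# Constructed sample proxy log: "timestamp client method url status".
SAMPLE_LOG = [
    "2021-09-24T12:20:01Z 10.0.0.5 POST https://autodiscover.example.co.nz/autodiscover/autodiscover.xml 401",
    "2021-09-24T12:20:02Z 10.0.0.5 POST https://autodiscover.co.nz/autodiscover/autodiscover.xml 401",
    "2021-09-24T12:20:03Z 10.0.0.5 POST http://autodiscover.nz/autodiscover/autodiscover.xml 200",
    "2021-09-24T12:20:04Z 10.0.0.5 GET https://www.example.co.nz/ 200",
    "garbled line",
]

if __name__ == "__main__":
    for url in backoff_urls("example@cert.govt.nz"):
        print("would try:", url)
    print("block:", sorted(hosts_to_block(["example.co.nz"])))
    print("hits:", flag_backoff_requests(SAMPLE_LOG, ["example.co.nz"]))
```

Feed `hosts_to_block` every mail domain the organisation owns (including any parent domains it also controls, so those are not blocked by mistake), and run `flag_backoff_requests` over historical proxy or DNS logs to find accounts whose passwords need changing after the firewall rule is in place.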

Disable basic authentication where possible.

After firewalling the domains, we recommend you change your domain account passwords, since credentials may already have been sent to external domains.

More information

Guardicore full list on GitHub

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at certmedia@cert.govt.nz or call 021 854 384.