Outlook “Autodiscover” Leaking Passwords

28th September 2021 | Blog


Outlook Password Flaw in Autodiscover

Cybersecurity experts at Guardicore published a report summarizing their research into security concerns in Microsoft’s “Autodiscover” feature. Their report states they were able to collect over 372,072 domain credentials and roughly 100k unique passwords on their rogue Exchange servers over a four-month period, simply by registering “autodiscover” domains under various Top Level Domains (TLDs), such as autodiscover.com.br (Brazil) or autodiscover.com.uk (United Kingdom). Users’ credentials were uploaded to Guardicore’s servers by unsuspecting Outlook users all over the Internet due to an “autodiscover” flaw in this Microsoft utility.

How Does This Happen?

Microsoft’s Autodiscover feature, used by various parts of Windows including Outlook, simplifies setting up and connecting new accounts. Autodiscover was meant to help Microsoft Office users connect to Microsoft services. For example, if you want to connect Outlook on your laptop to “the Exchange server” run by your IT department, you don’t need to know any technical specifications to connect the two. Users enter their email address, tell the system they’re looking for an Exchange server, and Outlook goes out and ‘autodiscovers’ the configuration details for them.

Research Findings

Researchers found that when a user attempts to connect Microsoft tools, Autodiscover searches the Microsoft databases for the user’s domain in the background. When this happens, the connections carry login credentials with them, allowing the database to inspect the credentials for authentication. For example, the email ‘CyberAl@CyberHoot.com’ has a domain of ‘CyberHoot.com’, so the tool would search the database for available connections with that domain. The problem is that if there is nothing to connect to with that domain, the system starts searching for ‘autodiscover.com’, looking for any previous ‘AutoDiscover’ connections associated with the domain. Researchers found they could set up their own domains based on ‘autodiscover.com’ and steal unsuspecting users’ credentials. Worse, the researchers found a way to downgrade these Autodiscover connections to “HTTP Basic Authentication”, which puts all credentials sent to them in “plain text”.

The Guardicore researchers registered a number of “AutoDiscover.com.[country code]” domains and set up listening web servers on all of them, including:

  • Autodiscover.com.br
  • Autodiscover.com.cn
  • Autodiscover.com.co
  • Autodiscover.es
  • Autodiscover.fr
  • Autodiscover.in
  • Autodiscover.it
  • Autodiscover.sg
  • Autodiscover.uk
  • Autodiscover.xyz
  • Autodiscover.online

Once these domains were set up, Guardicore collected unsolicited and unexpected Autodiscover requests containing authentication tokens or plaintext passwords that gave them access to the leaked accounts (at least those not protected by two-factor authentication).

So What Can I Do?

Block external domains starting with the text “autodiscover” at your web-filtering firewall

This will stop any app inside your network from connecting with malicious, external Autodiscover servers. You will need to add some legitimate cloud sites to your allowlist, for example, autodiscover.outlook.com if you use these services.

Always enable multi-factor authentication into Online Email Services

Multi-factor authentication protects your business from stolen passwords because hackers do not have your secondary authentication mechanism, such as a text message code or an authentication token. This would provide partial protection to the users who gave up their credentials through this flaw.

Disable the Autodiscover domain query using Group Policy

In the GPEDIT policy editor or from the Group Policy Management Console, go to User Configuration > Administrative Templates > Microsoft Outlook 2016 [amend for your version] > Account Settings > Exchange. Click on Disable Autodiscover, choose [Enable] and turn on Exclude the query for the AutoDiscover domain. According to Microsoft, this means that “Outlook [will] not use the following URL: https://autodiscover.[DOMAIN]/autodiscover/autodiscover.xml”.

The images below illustrate this security measure for your reference.


Additional SMB Recommendations

In addition to disabling AutoDiscover, it’s important to remember there are other ways to improve your cybersecurity hygiene. CyberHoot recommends the following best practices to protect individuals and businesses against, and limit the damage from, online cyber attacks:

Source: 

NakedSecurity – Sophos

Additional Reading: 

Microsoft Autodiscover Abused to Collect Web Requests, Credentials

Autodiscover Flaw in Microsoft Exchange Leaking Credentials
