Vulnerabilities

Microsoft Autodiscover protocol leaking credentials: How it works

Lester Obbayi
April 12, 2022 by
Lester Obbayi

The Microsoft Exchange Autodiscover protocol is a protocol that has been around for years. But with recent claims that it might be leaking credentials to anyone who is listening to connections coming from it, researchers have decided to pay attention and dig much deeper into the operation of this protocol. 

Learn how to secure both your corporate environment and your personal computer, provided that you use Exchange-based clients such as Outlook, Calendar and the default Mail for Windows app.

Learn Vulnerability Management

Learn Vulnerability Management

Get hands-on experience with dozens of courses covering vulnerability assessments, tools, management and more.

What is the Microsoft Exchange Autodiscover Protocol?

According to a post by Microsoft, the Autodiscover protocol minimizes the effort needed for the configuration of clients by offering them Exchange features. When dealing with Exchange Web Services (EWS) clients, it is used to find the EWS URL. Autodiscover can also help clients perform configuration with other protocols. 

The Microsoft Exchange Autodiscover Protocol allows for the easy and quick configuration of Exchange Web Services (EWS) clients. This is made possible by Autodiscover, which performs two actions: first, it finds the EWS endpoint URL; second, it automatically configures clients using other protocols. 

How does the Microsoft Exchange Autodiscover Protocol work?

When first-time users set up their Exchange email clients, they must provide their email address and their password for this email address. The Autodiscover protocol then comes into play. It constructs a URL by using the domain part of the user's email address, then attempts to use this URL to automatically fetch the configuration settings of the user's Exchange server. 

For example, let's pick a hypothetical user named John Doe. Using an email address such as john.doe@example.com, Autodiscover attempts to find Autodiscover.xml, which contains the connection settings for the user's Exchange server. Autodiscover will therefore construct the following URLs:

  • https://Autodiscover.example.com/Autodiscover/Autodiscover.xml
  • http://Autodiscover.example.com/Autodiscover/Autodiscover.xml
  • https://example.com/Autodiscover/Autodiscover.xml
  • http://example.com/Autodiscover/Autodiscover.xml

Autodiscover will attempt to connect to the URLs above to fetch Autodiscover.xml. However, if it fails to find this file, it attempts a "back-off" procedure. This procedure attempts to "fail-up," meaning, if any of the above URLs fail, it will construct the following URL:

  • http://Autodiscover.com/Autodiscover/Autodiscover.xml

This "back-off" procedure introduces the vulnerability. If you had control of Autodiscover.com, you would be able to receive requests with user credentials attempting to connect to Exchange servers. This was found to be especially true for clients using the POX XML protocol of Autodiscover. 

How can malicious actors abuse this flaw?

For an attacker to abuse this vulnerability, they need to control the parent domain Autodiscover.com. Security firm Guardicore discovered that by registering multiple domains, it was possible to receive requests made from different clients worldwide who were trying to connect to Exchange servers.

In the research paper released by Guardicore, Amit Serper discloses that Guardicore purchased Autodiscover domains with multiple top-level domains. These domains were connected to a Guardicore serve. Within the period between April 16, 2021, to August 25, 2021, Guardicore was able to obtain:

  • 372,072 Windows domain credentials and
  • 96,671 unique credentials leaked from various applications such as Microsoft Outlook, mobile email clients, and various other clients that interface with the Microsoft Exchange server

This exercise tests a hypothesis that was arrived at by analyzing how the Autodiscover protocol works — that the "back-off" procedure attempted to resolve the Autodiscover part of the domain Autodiscover.xx, where xx was any top-level domain. Guardicore, therefore, registered the following domains for this test:

Autodiscover.com.br – Brazil

Autodiscover.it – Italy

Autodiscover.sg – Singapore

Autodiscover.uk – United Kingdom

Autodiscover.xyz

Autodiscover.online

Autodiscover.cc

Autodiscover.studio

autodiscover.jp   

autodiscover.me Autodiscover.com.cn – China

Autodiscover.com.co – Columbia

Autodiscover.es – Spain

Autodiscover.fr – France

Autodiscover.in – India

autodiscover.capital

autodiscover.club

autodiscover.company

autodiscover.mx   

autodiscover.ventures

Guardicore discovered that the requests made to the domains they registered attempted to request the relative paths /Autodiscover/Autodiscover.xml. Inspecting the request showed that the Authorization header was supplied, complete with credentials in HTTP basic authentication. This means that an attacker who can intercept these requests can view the credentials that are being sent within the Autodiscover request. 

Guardicore discovered that the clients making these requests ranged from Outlook Mail and Calendar to the default Mail application in Windows. Some old Samsung phones and Outlook for Mac were also affected. 

Guardicore pointed out an interesting point of failure that was also discovered, the lack of resource verification. This means that the clients attempted to connect to the domains, even without verifying that the required resources existed in the first place, effectively exposing user credentials in basic authentication. An effective scenario would have been to first check to see whether the resource exists, then issue an HTTP 404 error code if it is absent or an HTTP 401 error code if the requested Autodiscover.xml was protected. 

How can affected parties mitigate this security flaw?  

The team at Guardicore advises two mitigations to prevent this attack. One mitigation applies to the general public using Exchange based technologies such as Outlook. The second applies to software developers or vendors that use the Autodiscover protocol within their products. The mitigation is discussed accordingly below:

1. Mitigation application to vendors

Vendors should ensure that their software products are not constructing the Autodiscover domains using the “back-off” algorithm since this is where the attack originates from. Doing this effectively defeats the vulnerability.

2. Mitigation application to the general public

If you are using applications or clients that implement Exchange Web Services, you should ensure that all the top-level domains are filtered appropriately within your firewall. You can, for example, ensure that the Autodiscover domains are being blocked in your environment by applying filters such as the following on your firewall:

  • Autodiscover/Autodiscover.com.cn 

You can find a complete list of Autodiscover domains created by Guardicore that you can use to build a good filter or denylist on your firewall (or hosts file). 

You should also disable HTTP basic authentication since this form of authentication is insecure and is similar to transmitting your credentials in cleartext. Disabling this prevents man-in-the-middle attacks that would lead to sniffing your credentials and exposing them to attackers. 

Learn Vulnerability Management

Learn Vulnerability Management

Get hands-on experience with dozens of courses covering vulnerability assessments, tools, management and more.

Understanding the Autodiscover protocol

This article has explored the Autodiscover protocol and how it can be used to expose user credentials on the internet. Using the "back-off" algorithm, we have explored how this vulnerability arises, using the “back-off” algorithm, and how credentials can be transmitted using the HTTP basic authentication and read in cleartext. This vulnerability is simple but crucial since it can aid attackers in performing credentialled attacks against unsuspecting individuals and organizations. Therefore, it is important to ensure that you apply the recommended fixes to ensure that you do not expose yourself and your organization. 

 

Sources:

Lester Obbayi
Lester Obbayi

Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.