A serious Microsoft Exchange security flaw is going unaddressed

Microsoft says it is investigating claims


A design flaw in an integral feature of the Microsoft Exchange email server can be abused to harvest Windows domain and application credentials, according to cybersecurity researchers.

Sharing details about the bug in a blog post, Guardicore researchers note that the issue exists in the Microsoft Autodiscover protocol, which email clients use to locate their Exchange server and retrieve the configuration they need to connect to it.

“[Autodiscover] has a design flaw that causes the protocol to “leak” web requests to Autodiscover domains outside of the user’s domain but in the same TLD (i.e. Autodiscover.com),” shares Amit Serper, AVP of Security Research at Guardicore, adding that such a move could help attackers extract credentials from the leaky Autodiscover requests.
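To make the leak concrete, here is an added Python model (not Microsoft’s or Guardicore’s code) of how a client that keeps stripping labels from the mailbox domain while searching for an Autodiscover endpoint ends up at a TLD-level host such as autodiscover.com, together with the check a client, or a review of proxy logs, would apply to catch requests leaving the user’s own domain. The exact candidate order, the helper names and the sample proxy log are assumptions for this example.

```python
"""Model of the Autodiscover 'back-off' leak described above.

Added example, not Microsoft's or Guardicore's code. The candidate
order below is an assumption: the real client logic is not shown on
the page, only the fact that requests leak to autodiscover.<tld>.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Path every Autodiscover candidate URL ends with.
AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def _mailbox_domain(email: str) -> str:
    """Domain part of an address, normalised for comparison."""
    return email.rsplit("@", 1)[1].lower().rstrip(".")


def candidate_hosts(email: str) -> list[str]:
    """Hostnames a naive 'fail-up' client would try, in order.

    Assumed behaviour: try autodiscover.<domain> and <domain>, then keep
    stripping the leftmost label and retrying autodiscover.<suffix>, so
    alice@example.com finishes at autodiscover.com, a host the user's
    organisation does not control.
    """
    labels = _mailbox_domain(email).split(".")
    hosts: list[str] = []
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        hosts.append(f"autodiscover.{suffix}")
        if i == 0:
            hosts.append(suffix)
    return hosts


def is_in_user_domain(host: str, email: str) -> bool:
    """True only if host is the mailbox domain itself or a subdomain of it."""
    domain = _mailbox_domain(email)
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def leaked_hosts(email: str) -> list[str]:
    """Candidates a careless client would contact outside the user's domain."""
    return [h for h in candidate_hosts(email) if not is_in_user_domain(h, email)]


def safe_candidate_urls(email: str) -> list[str]:
    """Hardened candidate list: in-domain hosts only, and HTTPS only."""
    return [
        f"https://{h}{AUTODISCOVER_PATH}"
        for h in candidate_hosts(email)
        if is_in_user_domain(h, email)
    ]


# Constructed proxy log for the detection side of the check (not real data).
# Format assumed here: <timestamp> user=<email> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2021-09-22T10:01:02Z user=alice@example.com POST https://autodiscover.example.com/Autodiscover/Autodiscover.xml 200
2021-09-22T10:01:05Z user=alice@example.com POST http://autodiscover.com/Autodiscover/Autodiscover.xml 401
2021-09-22T10:02:11Z user=bob@sub.corp.example POST http://autodiscover.example/Autodiscover/Autodiscover.xml 401
"""


def flag_leaky_requests(log_text: str) -> list[tuple[str, str]]:
    """(user, host) pairs for Autodiscover requests sent outside the user's domain."""
    flagged: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[1].startswith("user="):
            continue
        email = parts[1][len("user="):]
        host = urlsplit(parts[3]).hostname or ""
        if not is_in_user_domain(host, email):
            flagged.append((email, host))
    return flagged


if __name__ == "__main__":
    print("tried:  ", candidate_hosts("alice@example.com"))
    print("leaked: ", leaked_hosts("alice@example.com"))
    print("safe:   ", safe_candidate_urls("alice@example.com"))
    print("flagged:", flag_leaky_requests(SAMPLE_PROXY_LOG))
```

The check is deliberately strict: anything not under the mailbox domain counts as a leak, because a client cannot tell a parent domain the organisation happens to own from one registered by a stranger, and it is exactly that registrar-level host that the researchers were able to buy.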


To test this behavior, Guardicore Labs registered several Autodiscover domains at the TLD level (Autodiscover followed directly by a TLD suffix) and pointed them at a web server under their control, and the results were surprising.

Severe security issue


In a little over four months, Guardicore captured 96,671 unique credentials leaked by a range of software, including Microsoft Outlook, mobile email clients and other applications, as they attempted to reach their Exchange server.

Serper calls this a “severe security issue”, since an attacker with large-scale DNS-poisoning capabilities, such as a state-sponsored actor, could siphon passwords by poisoning resolution for the TLD-level Autodiscover domains and collecting the requests that land on them.

Moreover, although all of the collected credentials arrived over unencrypted HTTP Basic authentication, Serper also describes an attack that can extract credentials even from clients using more secure authentication schemes, such as OAuth.


In an email statement to The Record, Microsoft acknowledged that it is investigating Guardicore’s findings, adding however that the security company did not report the issue to Microsoft before publishing the details.

Via The Record

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
