Autodiscover, a Microsoft Exchange protocol, has a vulnerability that attackers can exploit, according to a security firm that discovered the flaw during its email security research. Anyone who exploits it can harvest sensitive credentials from Exchange-connected clients, in a threat akin to spear phishing. The credentials at stake are Windows domain credentials used to authenticate to Exchange servers, and their misuse by malicious actors can be a nightmare for any organization.
The design of the Autodiscover protocol, together with its incorrect implementation in some applications, is the root cause of this flaw, which can put thousands of organizations at risk. Guardicore Labs, the firm that conducted the email security and phishing protection research, captured more than 372,000 Windows domain credentials, in addition to almost 100,000 unique credentials from various other applications. However, adequate awareness and appropriate configuration can address the issue.
What is Microsoft Exchange Autodiscover?
The Autodiscover service reduces manual configuration by letting email clients discover and obtain their settings from Exchange servers automatically. It is used to establish the connection to Exchange users' mailboxes and to access features such as email forwarding, the offline address book, and unified messaging. Email clients discover the server and present credentials in order to receive the correct configuration for the various email services.
Microsoft initially introduced the Autodiscover service to solve a significant problem. Administrators had to configure Exchange servers manually, and more configurations were needed to use the latest features offered by Outlook 2003. These configurations were cumbersome, repetitive tasks. As manual configuration became difficult and risked email security, Microsoft launched Outlook 2007 with Autodiscover.
It became an integral protocol in all Outlook clients as it quickly discovers the server holding a user’s mailbox and configures the client to connect to the server.
How Was This Loophole Discovered?
Guardicore, a firm that offers security solutions such as phishing and ransomware protection, discovered this credential-exposing loophole during its email security research. The researchers obtained eleven domains and pointed them at a web server they controlled. After waiting for web requests to Autodiscover endpoints, the team observed numerous requests from multiple IP addresses, domains, and clients. These requests were for the relative path /Autodiscover/Autodiscover.xml.
Surprisingly, the Authorization header of these requests carried credentials using HTTP Basic Authentication. The firm captured many credentials simply by accepting the incoming connections and establishing client-server sessions.
The HTTP server's logs showed that the server had requested HTTP Basic Authentication. The victim, unaware of being under attack, was redirected to the Autodiscover server, which requested authentication through a prompt. The victim entered their credentials in the prompt dialog box, and the information was sent to the research firm's server, just as in a spear-phishing attack.
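The evidence described above (requests for /Autodiscover/Autodiscover.xml carrying Basic credentials to a host the organization does not own) can be hunted for in outbound proxy logs. The following is an added example, not code from Guardicore or from the original post; the log line format and the trusted domain set are assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic): client IP, method, URL, auth scheme.
SAMPLE_LOG = """\
10.0.0.12 POST https://autodiscover.example.com/Autodiscover/Autodiscover.xml auth=Basic
10.0.0.12 POST https://autodiscover.com/Autodiscover/Autodiscover.xml auth=Basic
10.0.0.31 POST https://autodiscover.example.com/autodiscover/autodiscover.xml auth=NTLM
10.0.0.44 GET https://autodiscover.co.uk/Autodiscover/Autodiscover.xml auth=Basic
10.0.0.44 GET https://www.example.com/index.html auth=None
"""

# Assumption: the organization's own mail domain(s); extend with your hosted Exchange hosts.
TRUSTED_MAIL_DOMAINS = {"example.com"}

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) auth=(?P<auth>\S+)$")


def host_is_trusted(host, trusted=TRUSTED_MAIL_DOMAINS):
    """True when host equals, or is a subdomain of, a trusted mail domain."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def find_leaking_requests(log_text, trusted=TRUSTED_MAIL_DOMAINS):
    """Return (client, host, auth) for Autodiscover requests sent to hosts outside the
    trusted set; the ones carrying Basic auth are those that leaked a reusable password."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        # Only the Autodiscover endpoint is of interest, whatever casing the client used.
        if not url.path.lower().endswith("/autodiscover/autodiscover.xml"):
            continue
        if host_is_trusted(url.hostname, trusted):
            continue
        hits.append((m["client"], url.hostname, m["auth"]))
    return hits
```

Each hit names a client that should have its password rotated and a host worth blocking at the firewall.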
Why Should Organizations Be Concerned & What Are The Consequences?
The scale of a possible attack exploiting this email security vulnerability can be enormous. The implications of this design flaw are especially grave if an attacker controls high-level Autodiscover domains. In such an event, the malicious actor can exploit Autodiscover requests to obtain critical and sensitive domain credentials. In the hands of threat actors, these credentials can lead to many undesirable consequences, including massive data breaches, ransomware, DDoS attacks, and much more. Although Microsoft introduced the feature with Exchange 2007, it is unclear how long the vulnerability has existed.
How To Plug The Loophole?
Two parties must implement email security measures to protect against the Autodiscover leak: general users, and developers who use the Autodiscover feature in their software. General users have devices with Exchange-based software (Outlook, ActiveSync, etc.) installed. They should actively block Autodiscover domains, such as Autodiscover.com and Autodiscover.com.cn, in their firewall. Guardicore has compiled a comprehensive list of these top-level Autodiscover domains, which is available here. Users can add these domains to the hosts file or to the firewall configuration.
Examples of Autodiscover domains to block, covering various countries around the world, are listed below.
- Autodiscover.com.br – Brazil
- Autodiscover.com.cn – China
- Autodiscover.com.co – Colombia
- Autodiscover.es – Spain
- Autodiscover.fr – France
- Autodiscover.in – India
- Autodiscover.it – Italy
- Autodiscover.sg – Singapore
- Autodiscover.uk – The United Kingdom
Users should also ensure that HTTP Basic Authentication support is disabled, so that user credentials are not sent to the server. Developers implementing the Autodiscover feature should ensure that the protocol never "fails upward": the "back-off" algorithm must not be allowed to construct domains outside the organization, such as the top-level Autodiscover domains listed above.
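To make the "fail upward" behaviour concrete, here is an added example (not code from any Outlook or Exchange client, nor from Guardicore) that places a naive back-off candidate generator beside a hardened one that stops at the organization's own domain, plus a last-line guard that refuses to attach credentials to any host outside that set. The organization-owned domain set and the email address are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def _domain_of(email):
    return email.rsplit("@", 1)[1].lower().strip(".")


def backoff_candidates_naive(email):
    """Vulnerable shape: strips the leftmost label each round with no stop condition, so
    user@mail.example.co.uk walks down to autodiscover.uk, a host the organization does not own."""
    labels = _domain_of(email).split(".")
    urls = [f"https://{'.'.join(labels)}{AUTODISCOVER_PATH}"]
    for i in range(len(labels)):
        urls.append(f"https://autodiscover.{'.'.join(labels[i:])}{AUTODISCOVER_PATH}")
    return urls


def _is_owned(host, org_domains):
    """True when host equals, or is a subdomain of, a domain the organization owns."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in org_domains)


def backoff_candidates_hardened(email, org_domains):
    """Same walk, but every derived parent must still be a domain the organization owns;
    the first parent outside that set ends the search instead of failing upward."""
    org_domains = {d.lower() for d in org_domains}
    labels = _domain_of(email).split(".")
    urls = [f"https://{'.'.join(labels)}{AUTODISCOVER_PATH}"]
    while labels:
        parent = ".".join(labels)
        if not _is_owned(parent, org_domains):
            break  # co.uk, uk, com, ... are never candidates
        urls.append(f"https://autodiscover.{parent}{AUTODISCOVER_PATH}")
        labels = labels[1:]
    return urls


def may_send_credentials(url, org_domains):
    """Second line of defence: whatever produced the URL, credentials only go to owned hosts."""
    return _is_owned(urlsplit(url).hostname, {d.lower() for d in org_domains})
```

The naive list is what a client must never emit; the hardened list is the most a client should try before giving up and asking the user for explicit server settings.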
The design flaw in the Autodiscover feature can have grave consequences and put thousands of organizations at risk. The risk is heightened because many devices are used remotely, outside organizational networks. Although the feature aims to make connecting to Exchange easy, it exposes many users to email security risk. If malicious actors use the vulnerability to attack organizations, the resulting losses could be enormous.
The good news, however, is that organizations can close this vulnerability through proper configuration. They should continue to secure their networks and devices against such vulnerabilities and keep their critical information assets safe from threats such as ransomware and phishing attempts. Software vendors should make sure their developers are trained to write and test secure code, and should keep analyzing both old and new products for lurking Autodiscover vulnerabilities and other email security risks.