Microsoft Exchange Autodiscover Bug Leaks Hundreds of Thousands of Domain Credentials

Security researchers have discovered a design flaw in a feature of the Microsoft Exchange email server that can be abused to harvest Windows domain and application credentials from users across the world. Discovered by Amit Serper, AVP of Security Research at the security firm Guardicore, the bug resides in the Microsoft Autodiscover protocol, a feature of Exchange email servers that allows email clients to automatically discover email servers, provide credentials, and then receive the proper configuration. The protocol is a crucial part of Exchange email servers, as it gives admins an easy way to make sure email clients use the proper settings.

To obtain these automatic configurations, email clients typically query a series of predetermined URLs derived from the domain of the user's email address. Serper said he found that this autodiscovery mechanism uses a "back-off" procedure if it does not find the Exchange server's Autodiscover endpoint on the first try. Based on this finding, Serper said he registered a series of Autodiscover-based top-level domains that were still available, and Guardicore ran honeypots on these servers in order to understand the scale of the problem.

For more than four months, between April 16, 2021, and August 25, 2021, Serper said these servers received hundreds of requests, complete with thousands of credentials, from users whose email clients were trying to set up their accounts but were failing to find their employer's proper Autodiscover endpoint.

Analyst Notes

Design flaws in critical technologies are not uncommon, and sometimes there is no precaution an end user can take that would prevent credentials from being leaked. This is why it is so important for organizations to have defense in depth, segregated connections for users who do not require unrestricted Internet access, and flagging of unusual domains as part of a perimeter security program. As always, it is important to have good endpoint monitoring and behavioral detections, and a SOC to triage alerts, such as the service Binary Defense provides.
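As an added illustration of the back-off behaviour described above and of the "flag unusual domains" recommendation in the analyst notes (this is example code written for this page, not Guardicore's research tooling or a Binary Defense detection), the script below enumerates the Autodiscover hosts a client would try for a given email domain and scans constructed web-proxy log lines for Autodiscover requests that would leave the organization's own domains. The back-off model (drop the leftmost DNS label and retry autodiscover.<rest> down to autodiscover.<tld>), the ORG_DOMAINS set, and the proxy log format are assumptions made for the example.

```python
"""Added example: spot Autodiscover requests leaving the organization.

Assumed back-off model: when Autodiscover at the user's own domain fails,
the client drops the leftmost label and retries autodiscover.<rest>,
ending at autodiscover.<tld>, which a third party may have registered.
"""
import re

# Constructed for the example: domains the organization actually controls.
ORG_DOMAINS = {"example.com"}


def backoff_candidates(email_domain: str) -> list[str]:
    """Autodiscover hosts a client would try for this domain, in back-off order."""
    labels = email_domain.lower().strip(".").split(".")
    hosts = []
    while labels:
        hosts.append("autodiscover." + ".".join(labels))
        labels = labels[1:]          # back off one label to the right
    return hosts


def is_in_scope(host: str) -> bool:
    """True if the host sits under a domain the organization controls."""
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in ORG_DOMAINS)


def out_of_scope_candidates(email_domain: str) -> list[str]:
    """Back-off hosts that would carry credentials to a domain we do not own."""
    return [h for h in backoff_candidates(email_domain) if not is_in_scope(h)]


# Constructed proxy log lines: "<time> <user> <method> <url> <status>"
PROXY_LOG = """\
2021-06-01T08:00:01Z alice GET https://autodiscover.example.com/autodiscover/autodiscover.xml 200
2021-06-01T08:00:02Z bob POST https://autodiscover.example.com/autodiscover/autodiscover.xml 503
2021-06-01T08:00:03Z bob POST https://autodiscover.com/autodiscover/autodiscover.xml 401
2021-06-01T08:00:04Z carol GET https://mail.example.com/owa/ 200
"""

LINE_RE = re.compile(r"^\S+ (\S+) \S+ https?://([^/\s]+)(/\S*)? ")


def flag_leaking_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (user, host) for Autodiscover requests to hosts outside ORG_DOMAINS."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, host, path = m.group(1), m.group(2), m.group(3) or "/"
        looks_autodiscover = "autodiscover" in host.lower() or "/autodiscover" in path.lower()
        if looks_autodiscover and not is_in_scope(host):
            hits.append((user, host))
    return hits
```

Running `out_of_scope_candidates` over the organization's mail domains gives the list of hosts worth blocking or sinkholing at the perimeter, while `flag_leaking_requests` is the retrospective check against proxy logs.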