Security researchers at Guardicore have recently disclosed a bug in the Microsoft Exchange mail server. The issue has resulted in the leaking of Windows domain credentials and application credentials all over the world.
The root of the problem lies in the protocol behind the Autodiscover feature of Microsoft Exchange mail servers. This feature lets email clients automatically discover mail servers, supply credentials, and then receive the correct configuration.
Exchange’s Autodiscover protocol was originally created to give clients a simple way to configure their Exchange client applications.
However, a user has to supply several settings in order to configure a mail client, and they are listed below:-
- Username and password.
- The hostnames/IP addresses of the mail/Exchange servers.
- In some cases, additional settings are required (Miscellaneous LDAP settings, WebDAV calendars, etc.).
Exploiting the leak
To check whether the Autodiscover leak scenario is viable, the cybersecurity analysts purchased the domains listed below:-
- Autodiscover.com.br – Brazil
- Autodiscover.com.cn – China
- Autodiscover.com.co – Colombia
- Autodiscover.es – Spain
- Autodiscover.fr – France
- Autodiscover.in – India
- Autodiscover.it – Italy
- Autodiscover.sg – Singapore
- Autodiscover.uk – United Kingdom
The ol’ switcheroo
During the investigation, the HTTP server logs clearly showed that the client successfully downgrades after receiving an HTTP 401 response from the server, a response that also suggested it use HTTP Basic Authentication.
Data and sectors abused
The final report states that Guardicore collected 372,072 credentials for Windows domains and 96,671 unique login/password pairs from multiple applications such as Microsoft Outlook.
Apart from this, these credentials belong to organizations in the sectors listed below:-
- Food manufacturers
- Investment banks
- Power plants
- Real estate companies
- Logistics companies
- Public companies in the Chinese market
Moreover, the experts have recommended a number of mitigations for clients, and stressed that customers should follow all of them carefully:
- Importantly, these steps need to be carried out by the general public, specifically by anyone who uses Exchange-based technologies such as Outlook or ActiveSync.
- General customers should make sure that they are actively blocking Autodiscover domains such as Autodiscover.com and Autodiscover.com.cn in their firewall.
- Software vendors and developers should always make sure that, when implementing the Autodiscover protocol in their product, it does not “fail upwards”, meaning that domains such as “Autodiscover.”
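As an added illustration (not Guardicore’s or Microsoft’s code), the following Python models the “fail upwards” back-off that the last mitigation warns against, a corrected version that stops at the organization’s own registrable domain, and a proxy-log check that flags Autodiscover requests leaving that domain. The public-suffix subset, the log lines and every email address in it are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List for this demo; a real
# implementation would load the full list.
PUBLIC_SUFFIXES = {"com", "br", "com.br", "com.cn", "com.co", "es", "fr",
                   "in", "it", "sg", "uk", "co.uk"}

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_LOG = [
    "2021-09-22T10:01:02Z 10.0.0.5 GET https://autodiscover.example.com.br/autodiscover/autodiscover.xml 404",
    "2021-09-22T10:01:03Z 10.0.0.5 GET https://autodiscover.com.br/autodiscover/autodiscover.xml 401",
    "2021-09-22T10:01:04Z 10.0.0.7 GET https://mail.example.com.br/owa/ 200",
]

def email_domain(email):
    return email.rsplit("@", 1)[1].lower()

def naive_candidates(email):
    """'Fail upwards': drop one label at a time until only the TLD remains,
    so the last candidates live in domains the organization does not own."""
    labels = email_domain(email).split(".")
    return ["autodiscover." + ".".join(labels[i:]) for i in range(len(labels))]

def registrable_domain(domain):
    """Longest public suffix plus one label, or None if the domain is itself a suffix."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None

def is_safe_candidate(host, email):
    """A candidate host is safe only inside the user's own registrable domain."""
    org = registrable_domain(email_domain(email))
    return org is not None and (host == org or host.endswith("." + org))

def safe_candidates(email):
    """Fixed back-off: never probe a host outside the organization's domain."""
    return [h for h in naive_candidates(email) if is_safe_candidate(h, email)]

def flag_external_autodiscover(log_lines, org_email):
    """Detection: Autodiscover requests that leave the organization's domain."""
    flagged = []
    for line in log_lines:
        host = urlsplit(line.split()[3]).hostname or ""
        if host.startswith("autodiscover.") and not is_safe_candidate(host, org_email):
            flagged.append(host)
    return flagged
```

Running `flag_external_autodiscover(SAMPLE_LOG, "user@mail.example.com.br")` reports only `autodiscover.com.br`, the host that an unowned registrant could answer with a 401 asking for Basic credentials.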
Threat actors can use various techniques to trick users into sending their credentials. But outside the organization’s perimeter, passwords can also leak because of the IT department’s operational protocols.
All of these protocols relate to email client configuration and run without anyone from the IT or security department being involved. This clearly shows how important it is to seriously apply conventional segmentation and Zero Trust.