Uploaded on Aug 3, 2023
Hundreds of Thousands of Windows Credentials Exposed by Microsoft Exchange Autodiscover Bug
www.infosectrain.com | [email protected]
Microsoft users are still running into email-related security problems. A flaw affecting Outlook was reported recently, and now there is a newer one: a design vulnerability in a feature of the Microsoft Exchange email server has been identified that can be used to capture Windows domain and application credentials from users all over the world.
Amit Serper, AVP of Security Research at security firm Guardicore Labs, reported that he found credentials belonging to firms from several industries when reviewing the requests that reached the team's honeypots, including:
• Food manufacturers
• Investment banks
• Power plants
• Power delivery
• Real estate
• Shipping and logistics
• Fashion and jewelry
• Publicly traded companies in the Chinese market
Serper published the findings of an investigation into Autodiscover, the protocol used to locate and authenticate to Microsoft Exchange servers and to configure client access, on Wednesday. Several versions of the protocol exist. Guardicore examined the POX (plain old XML) Autodiscover implementation and found a "design fault" that causes web requests to 'leak' to Autodiscover domains outside the user's own domain, as long as they share the same top-level domain (TLD).
To test the protocol, the team initially registered and acquired a variety of TLD-based
domains, such as Autodiscover.com.br, Autodiscover.com.cn, Autodiscover.com.fr, and
Autodiscover.com.uk.
The researchers say they "were just waiting for HTTP requests for different Autodiscover
endpoints to come" after assigning these domains to a Guardicore web server.
“The intriguing issue with a big portion of the requests we received was that there was
no attempt on the client's side to check if the resource is available or even exists on the
server before submitting an authenticated request,” Serper said in a study released
today.
He also attributes the leak to the protocol's back-off mechanism: when the client cannot reach an Autodiscover endpoint under the user's own domain, it keeps trying the next Autodiscover URL that it constructs automatically, and that URL ends up pointing at a host the domain owner does not control. Credentials that arrived over plain HTTP were sent with no encryption at all. Serper recommends that customers use more secure authentication methods such as NTLM and OAuth.
Security Training with InfosecTrain
InfosecTrain is a worldwide leader in IT security training and consultancy. Enroll in one of our security training courses to learn how to maintain a healthy security posture and avoid security breaches. Our highly skilled instructors will give you the knowledge and skills you need to ensure preparedness and to strengthen your response when the worst happens to your company's IT systems because of unattended bugs and security attacks.
About InfosecTrain
• Established in 2016, we are one of the finest Security and Technology Training and Consulting companies
• Wide range of professional training programs, certifications & consulting services in the IT and Cyber Security domain
• High-quality technical services, certifications or customized training programs curated with professionals of over 15 years of combined experience in the domain
Our Endorsements
Why InfosecTrain Global Learning Partners
• Certified and Experienced Instructors
• Flexible modes of Training
• Access to the recorded sessions
• Post training completion
• Tailor Made Training
Our Trusted Clients
Contact us
Get your workforce reskilled by our certified and experienced instructors!
IND: 1800-843-7890 (Toll Free) / US: +1 657-722-11127 / UK: +44 7451 208413
[email protected]
www.infosectrain.com