A "design flaw" in Microsoft Exchange's Autodiscover protocol allowed researchers to access 372,072 Windows domain credentials and 96,671 unique sets of credentials from applications such as Microsoft Outlook and third-party email clients.
The discovery comes from Amit Serper, area vice president of security research for North America at security firm Guardicore. The credentials being leaked are valid Windows domain credentials used to authenticate to Microsoft Exchange servers. According to Serper, the leaks stem from two issues: the design of Microsoft's Autodiscover protocol, specifically its "back-off" algorithm, and poor implementations of that protocol in some applications.
Autodiscover is a feature that lets email clients find their mail server automatically and supplies the settings needed for proper configuration, with the user's credentials sent as part of that exchange. Serper says the design flaw causes the protocol to leak web requests to Autodiscover domains that are outside of the user's domain but in the same top-level domain.
"This is a severe security issue, since if an attacker can control such domains or has the ability to 'sniff' traffic in the same network, they can capture domain credentials in plain text," Serper says in a blog post on the findings. "Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically siphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs."
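As an added illustration of how a defender could spot the leak pattern described above in their own outbound DNS or proxy logs, the following Python script (written for this article, not Guardicore's code) flags Autodiscover requests to hosts that sit outside the organisation's own domains but share a top-level domain with them. The log format, hostnames and organisation domains are constructed sample values.

```python
# Constructed sample DNS/proxy log lines: timestamp, client IP, requested host.
SAMPLE_LOG = """\
2021-09-22T10:01:12Z 10.0.0.5 autodiscover.example.com
2021-09-22T10:01:13Z 10.0.0.5 example.com
2021-09-22T10:01:14Z 10.0.0.5 autodiscover.com
2021-09-22T10:02:40Z 10.0.0.9 mail.example.com
2021-09-22T10:03:01Z 10.0.0.9 autodiscover.example.co.uk
2021-09-22T10:03:02Z 10.0.0.9 autodiscover.co.uk
"""

# Domains the organisation actually owns (assumed values for the example).
ORG_DOMAINS = {"example.com", "example.co.uk"}


def tld_of(host):
    """Last DNS label of a hostname, e.g. 'com' for 'autodiscover.example.com'."""
    return host.rsplit(".", 1)[-1]


def in_org_domain(host, org_domains):
    """True if host equals, or is a subdomain of, one of the org's domains."""
    return any(host == d or host.endswith("." + d) for d in org_domains)


def is_leaky_autodiscover(host, org_domains):
    """True if host is an Autodiscover name outside every org domain but in the
    same TLD as one of them: the request pattern the article says leaks credentials."""
    if not host.startswith("autodiscover."):
        return False
    if in_org_domain(host, org_domains):
        return False  # legitimate: our own Autodiscover endpoint
    return tld_of(host) in {tld_of(d) for d in org_domains}


def find_leaks(log_text, org_domains):
    """Return (client, host) pairs for every log line that matches the leak pattern."""
    leaks = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _timestamp, client, host = parts
        if is_leaky_autodiscover(host.lower(), org_domains):
            leaks.append((client, host))
    return leaks


if __name__ == "__main__":
    for client, host in find_leaks(SAMPLE_LOG, ORG_DOMAINS):
        print(f"leaky Autodiscover request from {client} to {host}")
```

The TLD comparison uses the last DNS label only, so for country-code domains such as `example.co.uk` a production version should match on the public suffix list instead.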
Guardicore's full report on the flaw, including recommendations for mitigation, can be found here.