Hundreds of Thousands of Windows Credentials Exposed by Microsoft Exchange Autodiscover Bug

Infosec Train

Microsoft users are still running into email-related security problems. A flaw affecting Outlook was reported recently, and now there is a newer one: a design vulnerability in a feature of the Microsoft Exchange email server has been identified that can be used to capture Windows domain and application credentials from users all over the world.

Amit Serper, AVP of Security Research at the security firm Guardicore Labs, said he found credentials belonging to firms in several industries while reviewing the URLs that reached the company's honeypots:

  • Food manufacturers
  • Investment banks
  • Power plants
  • Power delivery
  • Real estate
  • Shipping and logistics
  • Fashion and jewelry
  • Publicly traded companies in the Chinese market

Serper published the findings of an investigation into Autodiscover, a protocol used to authenticate to Microsoft Exchange servers and configure client access, on Wednesday. Several versions of the protocol exist. Guardicore examined a POX (plain old XML) based Autodiscover implementation and found a "design fault" that could be used to "leak" web requests to Autodiscover domains outside of a user's own domain, as long as they were in the same top-level domain (TLD).

To test the protocol, the team first registered a number of Autodiscover domains at the TLD level, such as Autodiscover.com.br, Autodiscover.com.cn, Autodiscover.com.fr, and Autodiscover.com.uk.

The researchers say they "were just waiting for HTTP requests for different Autodiscover endpoints to come" after assigning these domains to a Guardicore web server.

“The intriguing issue with a big portion of the requests we received was that there was no attempt on the client's side to check if the resource is available or even exists on the server before submitting an authenticated request,” Serper said in a study released today.

He also attributes the leak to the protocol's back-off mechanism: the client keeps trying to resolve the Autodiscover portion of the domain, and when the domain owner's Autodiscover URL cannot be reached, it falls back to an Autodiscover URL that it constructs automatically, which is what lands the request outside the user's own domain. All of the credentials that were collected arrived over plain HTTP, with no encryption at all. Serper recommends that customers use more secure authentication methods such as NTLM and OAuth.
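As an added example (not code from the Guardicore report or from this post), the following Python models the back-off walk described above and audits constructed proxy log lines for the two conditions that turned it into a credential leak: an Autodiscover request to a host outside the organisation's own domain, and a request sent over plain HTTP. The log line format and the "drop the leftmost label" back-off rule are assumptions chosen to match the TLD-level domains listed above.

```python
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"

# Constructed proxy log lines ("timestamp client method url status"), invented
# for this example: a client walking the back-off for a mailbox at example.com.br.
SAMPLE_LOG = """\
2021-09-22T10:00:01Z 10.0.0.5 GET https://autodiscover.example.com.br/autodiscover/autodiscover.xml 000
2021-09-22T10:00:02Z 10.0.0.5 GET https://example.com.br/autodiscover/autodiscover.xml 404
2021-09-22T10:00:03Z 10.0.0.5 GET http://autodiscover.example.com.br/autodiscover/autodiscover.xml 000
2021-09-22T10:00:04Z 10.0.0.5 GET http://autodiscover.com.br/autodiscover/autodiscover.xml 401
2021-09-22T10:00:05Z 10.0.0.5 GET https://www.example.com.br/ 200
"""


def backoff_candidates(email):
    """Hosts a client derives from an address, in back-off order: first inside the
    user's own domain, then (assumed rule) the leftmost label is dropped and
    'autodiscover.' is prefixed to the rest, which lands in the same TLD but
    outside the user's domain, e.g. autodiscover.com.br."""
    domain = email.rsplit("@", 1)[1].lower()
    candidates = [f"autodiscover.{domain}", domain]
    labels = domain.split(".")
    if len(labels) >= 2:
        candidates.append("autodiscover." + ".".join(labels[1:]))
    return candidates


def is_within_domain(host, org_domain):
    host, org_domain = host.lower().rstrip("."), org_domain.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)


def audit_autodiscover_requests(org_domain, log_text):
    """Return (host, problems) for every Autodiscover request that either leaves
    the organisation's domain or travels over plain HTTP."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        url = urlsplit(parts[3])
        if url.path.lower() != AUTODISCOVER_PATH:
            continue  # not an Autodiscover request
        problems = []
        if not is_within_domain(url.hostname or "", org_domain):
            problems.append("external-host")
        if url.scheme == "http":
            problems.append("plaintext-http")
        if problems:
            findings.append((url.hostname, problems))
    return findings
```

Run over real proxy logs, any "external-host" hit for your organisation's domain is a client whose back-off has reached a TLD-level Autodiscover domain you do not control.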

Security Training with InfosecTrain

InfosecTrain is a worldwide leader in IT security training and consultancy. Enroll in one of our security training courses to learn how to maintain a healthy security posture and avoid security breaches. Our highly skilled instructors will give you the knowledge and skills you need to be prepared, and to strengthen your response when unattended bugs and security attacks hit your own or your company's IT systems.
