![]() ![]() There is also no attempt on the client’s side to check if the resource is available, or even exists on the server, before sending an authenticated request. The unsuspecting user trying to set up their Exchange account is just sending their credentials to an unknown server. To complete the mess, there is no login procedure required on the server side. This gives whoever owns the domain a huge opportunity.Īnd the same is true for other Autodiscover top-level domains (TLDs) too, such as autodiscover.es, which will receive requests from all unresponsive. To accomplish this the Autodiscover protocol looks for a valid Autodiscover URL in these formats, where the is replaced by the domain name (the part after the in the users’s email address: ![]() The protocol’s goal is to make an end-user be able to completely configure their Outlook client solely by providing their username and password and leave the rest of the configuration to Microsoft Exchange’s Autodiscover protocol. Because cybercriminals love such features and use them for their own purposes. Designed to make the user’s life easier while forgetting that such designs need to be done with security in mind. Which boils down to a feature of Exchange email servers that allows email clients to automatically discover email servers, provide credentials, and then receive proper configurations. Autodiscover works for client applications that are inside or outside firewalls and in resource forest and multiple forest scenarios”. However, Autodiscover can also provide information to configure clients that use other protocols. For Exchange Web Services (EWS) clients, Autodiscover is typically used to find the EWS endpoint URL. What is Autodiscover?įrom Microsoft’s site we learn that “the Autodiscover service minimizes user configuration and deployment steps by providing clients access to Exchange features. The credentials that are being leaked are valid Windows domain credentials used to authenticate to Microsoft Exchange servers. Researchers have been able to get hold of 372,072 Windows domain credentials, including 96,671 unique credentials, in slightly over 4 months by setting up a Microsoft Exchange server and using Autodiscover domains.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |