Microsoft Exchange Autodiscover exposing credentials
Implementations of Microsoft Exchange’s Autodiscover protocol are leaking credentials to external domains.
This means that if a client tries to authenticate to the Microsoft Exchange server and is unsuccessful, a “back-off” procedure in some mail clients will attempt to create additional URLs to authenticate to.
For example, if the client attempts to authenticate using the expected URLs and is unsuccessful, the Autodiscover protocol will try to authenticate to other Top Level Domains derived from the email address.
Hence, email@example.com will attempt to authenticate to:
This procedure may cause the client to attempt to authenticate to a domain not owned by the organisation. This means that whoever owns the domain can collect the credentials sent to it.
Mail clients incorrectly implementing Microsoft Exchange’s Autodiscover protocol, such as Microsoft Outlook.
What to look for
How to tell if you're affected
If your mail client implements the “back-off” procedure in Microsoft Exchange’s Autodiscover protocol.
What to do
Firewall off access to the domains: autodiscover. [TLD/ccTLD]
For example, the mail domain <domain>.co.nz will need to block traffic to both autodiscover.co.nz and autodiscover.nz, while the mail domain <domain>.nz will need to block traffic to autodiscover.nz.
Disable basic authentication where possible.
After firewalling the domains we would recommend you change your domain account passwords.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.