Outlook Bug Leads to Leak of Almost 100,000 Passwords

A security researcher at Guardicore found a serious flaw in the way email clients implement Autodiscover, the feature of Microsoft's Exchange email server platform that Outlook and other clients use to locate their mailbox settings.

Autodiscover is the Exchange service responsible for the easy configuration of clients and protocols. It lets a user set up a client such as Outlook with nothing more than an email address and password; the client then fetches the rest of its configuration (server names, protocols, settings) from the Autodiscover endpoint for the user's mail domain.

The research report called the Autodiscover issue "severe" and explained that it allows threat actors to intercept credentials in plain text.

Guardicore further explained the severity of the issue, noting that a well-resourced, state-backed threat actor could run a large-scale DNS-poisoning campaign and harvest leaked passwords periodically and methodically.

The research team at Guardicore registered nearly a dozen domains of the form autodiscover.<tld> under various top-level domains and used them as proof-of-concept test beds for credential hijacking. The domains were configured to resolve to a web server operated by the research team, so any Autodiscover request that "backed off" from a user's own domain to one of these names landed on that server.
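To make the mechanism concrete, here is an added example (not code from Guardicore or Microsoft) that models the Autodiscover lookup sequence and the back-off that pushes requests outside the user's domain, then runs a simple detection over constructed DNS-resolver log lines. The label-stripping back-off sequence, the tiny public-suffix table and the log format are my assumptions for the demo.

```python
"""Model of the Outlook Autodiscover lookup sequence and its 'back-off'.

Added example for this article, not code from Guardicore or Microsoft.
Assumptions (mine): the client first probes the standard Autodiscover URLs
for the mailbox domain; on failure, a backing-off client strips the leftmost
label of the domain and retries autodiscover.<parent> until only the public
suffix is left. The public-suffix table and the DNS log lines are constructed.
"""

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"

# Constructed, deliberately tiny public-suffix table; use the real
# Public Suffix List (publicsuffix.org) in anything production-grade.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "br", "com.br"}


def public_suffix(host):
    """Longest known public suffix of host (falls back to the last label)."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def registrable_domain(host):
    """Public suffix plus one label, e.g. mail.example.com -> example.com."""
    host = host.lower()
    suffix_len = public_suffix(host).count(".") + 1
    labels = host.split(".")
    if len(labels) <= suffix_len:
        return host
    return ".".join(labels[-(suffix_len + 1):])


def standard_candidates(mail_domain):
    """URLs a well-behaved client tries, in order, for user@<mail_domain>."""
    return [
        f"https://{mail_domain}{AUTODISCOVER_PATH}",
        f"https://autodiscover.{mail_domain}{AUTODISCOVER_PATH}",
        f"http://autodiscover.{mail_domain}{AUTODISCOVER_PATH}",  # redirect-only probe
    ]


def backoff_hosts(mail_domain):
    """Hosts a backing-off client tries after the standard candidates fail."""
    labels = mail_domain.lower().split(".")
    return [f"autodiscover.{'.'.join(labels[i:])}" for i in range(1, len(labels))]


def leaking_hosts(mail_domain):
    """Back-off hosts outside the organisation's registrable domain: whoever
    registers one of these receives the client's Autodiscover request."""
    own = registrable_domain(mail_domain)
    return [h for h in backoff_hosts(mail_domain) if registrable_domain(h) != own]


# Constructed DNS-resolver log lines (not real traffic) showing the back-off.
SAMPLE_DNS_LOG = """\
2021-09-27T08:01:12Z client=10.0.0.5 query=autodiscover.example.com type=A
2021-09-27T08:01:13Z client=10.0.0.5 query=autodiscover.com type=A
2021-09-27T08:02:40Z client=10.0.0.9 query=autodiscover.example.com.br type=A
2021-09-27T08:02:41Z client=10.0.0.9 query=autodiscover.com.br type=A
"""


def flag_backoff_queries(log_text, org_domains):
    """Detection: (client, query) pairs for Autodiscover lookups that left
    the organisation's own registrable domains."""
    own = {registrable_domain(d) for d in org_domains}
    hits = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        query = fields.get("query", "")
        if query.startswith("autodiscover.") and registrable_domain(query) not in own:
            hits.append((fields["client"], query))
    return hits


if __name__ == "__main__":
    for target in standard_candidates("mail.example.com") + backoff_hosts("mail.example.com"):
        print(target)
    print("leaks to:", leaking_hosts("mail.example.com"))
    print("suspicious queries:",
          flag_backoff_queries(SAMPLE_DNS_LOG, ["example.com", "example.com.br"]))
```

The detection in flag_backoff_queries is the check a blue team can run today: any DNS query or proxy request for autodiscover.<something> whose registrable domain is not one your organisation owns is a client leaking a request (and potentially credentials) to a third party.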

In under six months, the team captured hundreds of thousands of Windows domain credentials and nearly 100,000 credentials leaking from various email applications, including Microsoft's own Outlook as well as other software that can be configured to work with Exchange servers.

Finally, the research team was also able to downgrade the affected clients to a weaker authentication method, HTTP Basic authentication, which sends the password merely base64-encoded and so delivered the credentials to the researchers' server in plain text.
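The downgrade, as an added example rather than the researchers' own code: an attacker-controlled Autodiscover server answers the leaked request with an HTTP 401 that offers only Basic authentication, a permissive client complies, and the server operator decodes the password. The hardened client policy beside it refuses hosts outside the organisation's domain and never falls back to Basic. The function names, the challenge headers and the sample credentials are constructed for the demo.

```python
"""Model of the authentication downgrade against Autodiscover clients.

Added example for this article, not Guardicore's or Microsoft's code.
Assumption (mine): an attacker who receives a leaked Autodiscover request
answers with an HTTP 401 that offers only Basic authentication; a client
that honours whatever scheme is offered then sends the password
base64-encoded, which is plain text to whoever runs the server.
"""
import base64


def basic_credentials(user, password):
    """Authorization header value for HTTP Basic: base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def attacker_challenge():
    """The 401 a hostile Autodiscover server returns: Basic is the only option."""
    return 401, {"WWW-Authenticate": ['Basic realm="autodiscover"']}


def attacker_decode(authorization):
    """What the server operator learns from a Basic Authorization header."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def offered_schemes(headers):
    """Scheme names from the WWW-Authenticate header(s), lower-cased."""
    return [v.split()[0].lower() for v in headers.get("WWW-Authenticate", [])]


def vulnerable_choice(host, headers):
    """Client that takes the first scheme offered, whatever it is and whoever
    the host is: this is what makes the downgrade work."""
    schemes = offered_schemes(headers)
    return schemes[0] if schemes else None


def hardened_choice(host, headers, org_domain):
    """Client policy: only authenticate to hosts under the organisation's own
    domain, and never accept a Basic challenge, even from a trusted host."""
    if not (host == org_domain or host.endswith("." + org_domain)):
        return None  # back-off host outside our domain: send nothing at all
    for scheme in offered_schemes(headers):
        if scheme in ("negotiate", "ntlm", "bearer"):
            return scheme
    return None  # Basic was the only offer: refuse the downgrade


def run_exchange(choose, host, user, password):
    """One leaked Autodiscover request: attacker challenges, client answers.
    Returns what the attacker learns, or None if nothing usable arrives."""
    status, headers = attacker_challenge()
    scheme = choose(host, headers) if status == 401 else None
    if scheme != "basic":
        return None
    return attacker_decode(basic_credentials(user, password))


if __name__ == "__main__":
    creds = ("alice@example.com", "Hunter2!")  # constructed sample credentials
    print("vulnerable client leaks:",
          run_exchange(vulnerable_choice, "autodiscover.com", *creds))
    hardened = lambda h, hd: hardened_choice(h, hd, "example.com")
    print("hardened client leaks:",
          run_exchange(hardened, "autodiscover.com", *creds))
```

The two checks in hardened_choice correspond to the two obvious mitigations: do not let clients talk to Autodiscover hosts outside your own domain (block autodiscover.<tld> names at the resolver or egress proxy), and do not allow Basic authentication at all, since the password is recoverable by anyone who sees the request.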

Microsoft said Guardicore had disclosed the issue publicly before reporting it to Microsoft. The team rebutted this, arguing that the issue was not new; their work was merely the first time it had been exploited at such a scale and in such a large-scale setup.

September 27, 2021