Bugs in the implementation of Microsoft Exchange's Autodiscover feature have leaked approximately 100,000 login names and passwords for Windows domains worldwide.
In a new report by Amit Serper, Guardicore's AVP of Security Research, the researcher reveals how the incorrect implementation of the Autodiscover protocol, rather than a bug in Microsoft Exchange, is causing Windows credentials to be sent to third-party untrusted websites.
Before we get to the meat of the issue, it is important to take a quick look at Microsoft Exchange's Autodiscover protocol and how it's implemented.
What is Microsoft Exchange Autodiscover
Microsoft Exchange uses an Autodiscover feature to automatically configure a user's mail client, such as Microsoft Outlook, with their organization's predefined mail settings.
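To make the "credentials sent to third-party websites" risk concrete, here is an added example (not code from the article, from Guardicore, or from Microsoft) of the client-side rule a correct Autodiscover implementation should enforce: derive the documented Autodiscover endpoints for the mailbox's SMTP domain and refuse to send credentials to any URL that is not HTTPS on that domain or one of its subdomains. The mailbox address and the off-domain URL are constructed sample values; the endpoint forms follow Microsoft's published Autodiscover URL layout.

```python
"""Added example (not from the article or Guardicore): build the documented
Autodiscover endpoints for a mailbox and allow credentials only toward hosts
inside the mailbox's own domain, so a lookup can never hand the user's
password to an unrelated third-party site."""
from typing import List, Tuple
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def smtp_domain(email: str) -> str:
    """Domain part of an SMTP address, normalised to lowercase."""
    return email.rsplit("@", 1)[1].lower()


def candidate_endpoints(email: str) -> List[str]:
    """Autodiscover URLs a client tries for the mailbox's SMTP domain:
    the domain root first, then the autodiscover.<domain> host."""
    domain = smtp_domain(email)
    return [
        f"https://{domain}{AUTODISCOVER_PATH}",
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
    ]


def host_in_mailbox_domain(url: str, email: str) -> bool:
    """True only if the URL is HTTPS and its host equals the mailbox's SMTP
    domain or is a subdomain of it. A look-alike such as notexample.com
    or a sibling domain like example.net is rejected."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    host = (parsed.hostname or "").lower()
    domain = smtp_domain(email)
    return host == domain or host.endswith("." + domain)


def safe_endpoints(email: str, proposed: List[str]) -> Tuple[List[str], List[str]]:
    """Split proposed endpoints into those the client may authenticate to
    and those it must skip without sending credentials."""
    allowed: List[str] = []
    rejected: List[str] = []
    for url in proposed:
        (allowed if host_in_mailbox_domain(url, email) else rejected).append(url)
    return allowed, rejected


if __name__ == "__main__":
    user = "alice@example.com"  # constructed sample mailbox
    # Constructed list: the documented endpoints plus two URLs a faulty
    # client must never contact with the user's password.
    proposed = candidate_endpoints(user) + [
        "https://autodiscover.example.net" + AUTODISCOVER_PATH,  # unrelated domain
        "http://example.com" + AUTODISCOVER_PATH,                # plaintext, downgrade
    ]
    ok, bad = safe_endpoints(user, proposed)
    for url in ok:
        print("may authenticate to:", url)
    for url in bad:
        print("skip, credentials withheld:", url)
```

The check is deliberately a suffix match on "." plus the mailbox domain rather than a substring match, so that hosts which merely contain the domain name do not pass; the HTTPS requirement prevents a fallback to plaintext from exposing the same credentials on the wire.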