Privacy Ninja

Microsoft Rushes To Register Autodiscover Domains Leaking Credentials

Microsoft is rushing to register Internet domains used to steal Windows credentials sent from faulty implementations of the Microsoft Exchange Autodiscover protocol.

On Monday, Guardicore’s Amit Serper released new research about how the issue caused the exposure of close to 100,000 unique Windows and email credentials.

When users configure their Exchange accounts on email clients, the app will attempt to authenticate to various Autodiscover URLs associated with Microsoft Exchange servers for their organization. If a successful authentication occurs, the Exchange server will send back settings that the mail client should use.

Microsoft Outlook using Autodiscover to retrieve settings

However, many mail clients, including some versions of Microsoft Outlook and Office 365, implement the Autodiscover protocol incorrectly, causing them to try to authenticate to third-party autodiscover.[tld] URLs that are not related to the user's organization.

Examples of such domains include autodiscover.com, autodiscover.uk, and autodiscover.de.

Threat actors could register autodiscover.[tld] domains and begin collecting the leaked Windows and email credentials for attacks against the organization.


Microsoft rushes to register autodiscover domains

Research regarding faulty Microsoft Autodiscover protocol implementations leaking Windows credentials is not new, and Microsoft has been aware of the issue for years.

The research was first disclosed in a Black Hat Asia 2017 briefing, together with a formal research paper explaining the leaks. Other researchers also said they have reported the issue to Microsoft in the past and were told it was not a bug.

However, after Serper released his report, Microsoft issued a statement to BleepingComputer indicating that the information was new to them.

“We are actively investigating and will take appropriate steps to protect customers. We are committed to coordinated vulnerability disclosure, an industry standard, collaborative approach that reduces unnecessary risk for customers before issues are made public. Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today.” Jeff Jones, Sr. Director, Microsoft.

Since then, Microsoft has been rushing to register any autodiscover.[tld] domains it can find to prevent them from being used to steal Windows credentials.

Microsoft registering autodiscover domains

At the time of this writing, BleepingComputer has confirmed that Microsoft registered at least 68 domains related to Autodiscover, which are listed below.

autodiscover.af
autodiscover.ax
autodiscover.as
autodiscover.ag
autodiscover.am
autodiscover.ac
autodiscover.by
autodiscover.bj
autodiscover.bi
autodiscover.cm
autodiscover.cl
autodiscover.do
autodiscover.tl
autodiscover.gf
autodiscover.tf
autodiscover.gl
autodiscover.gp
autodiscover.gt
autodiscover.gy
autodiscover.ht
autodiscover.hn
autodiscover.hk
autodiscover.je
autodiscover.ke
autodiscover.ly
autodiscover.li
autodiscover.mg
autodiscover.mw
autodiscover.mq
autodiscover.yt
autodiscover.mn
autodiscover.ms
autodiscover.ma
autodiscover.na
autodiscover.nz
autodiscover.ni
autodiscover.ng
autodiscover.nf
autodiscover.pa
autodiscover.pe
autodiscover.pn
autodiscover.pr
autodiscover.re
autodiscover.rw
autodiscover.lc
autodiscover.pm
autodiscover.st
autodiscover.sn
autodiscover.sc
autodiscover.sl
autodiscover.sx
autodiscover.sk
autodiscover.sb
autodiscover.so
autodiscover.gs
autodiscover.com.es
autodiscover.org.es
autodiscover.ch
autodiscover.tj
autodiscover.tg
autodiscover.tt
autodiscover.ug
autodiscover.vi
autodiscover.uz
autodiscover.vu
autodiscover.vn
autodiscover.wf

BleepingComputer also knows of thirty-eight other domains, registered since September 22nd with their ownership hidden behind WHOIS privacy protection, that were likely registered by Microsoft, researchers, or potentially threat actors.

The actual number of registered domains is likely far larger, as BleepingComputer has seen Microsoft register multiple autodiscover domains for the same TLD, such as autodiscover.com.es and autodiscover.org.es.

One domain, autodiscover.ch, has been registered since at least 2015 and uses microsoftonline.com as the DNS servers, but it is not clear who owns it.


Registering autodiscover.[tld] domains will block some of the leaks, but fully resolving the issue requires Microsoft to fix the faulty Autodiscover implementation in its Microsoft Outlook and Office 365 mail clients.

Because non-Microsoft applications also contain faulty implementations of the protocol, Microsoft will additionally need to publish guidance on how to construct Autodiscover URLs correctly, so that credentials are never sent to untrusted domains.
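The flaw described above (a client that walks from autodiscover.corp.example.com down to autodiscover.com) and the guidance the article says is still missing (how to build Autodiscover URLs without leaving the user's domain) can both be made concrete in code. The following is an added example for this article, not code from Privacy Ninja, BleepingComputer, Guardicore or Microsoft. It assumes the two in-domain hosts a conforming client contacts (autodiscover.<domain> and <domain>) and models the back-off behaviour Guardicore's report describes, in which a faulty client strips the leftmost label of the user's domain each round until it reaches autodiscover.<tld>. It then applies the check a client should make before sending credentials, and runs the same check over constructed proxy log lines so a defender can spot clients that are already leaking. The log format and the log lines are constructed for the example.

```python
"""Defensive model of Autodiscover candidate-host selection plus a log check.

Added example; not code from Privacy Ninja, BleepingComputer, Guardicore
or Microsoft. Assumptions: a conforming client contacts only
autodiscover.<domain> and <domain>; a faulty client backs off one label at
a time down to autodiscover.<tld>; the proxy log format below is invented.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def email_domain(address: str) -> str:
    """Return the normalised domain part of an e-mail address."""
    if "@" not in address:
        raise ValueError("not an e-mail address: %r" % address)
    domain = address.rsplit("@", 1)[1].strip().lower().rstrip(".")
    if not DOMAIN_RE.fullmatch(domain):
        raise ValueError("malformed domain: %r" % domain)
    return domain


def spec_candidates(domain: str) -> list[str]:
    """Hosts a correct client may contact (assumed from the documented steps)."""
    return ["autodiscover." + domain, domain]


def faulty_backoff_candidates(domain: str) -> list[str]:
    """Hosts a faulty back-off client would try, in order.

    Each round drops the leftmost label, so a user at corp.example.com ends
    at autodiscover.com, a host owned by whoever registered that domain.
    """
    labels = domain.split(".")
    return ["autodiscover." + ".".join(labels[i:]) for i in range(len(labels))]


def in_scope(host: str, domain: str) -> bool:
    """True only if host is the user's own domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def safe_candidates(domain: str) -> list[str]:
    """The back-off list with every out-of-scope host removed."""
    return [h for h in faulty_backoff_candidates(domain) if in_scope(h, domain)]


# Constructed proxy log, fields: timestamp user method url status (not real data).
SAMPLE_LOG = """\
2021-09-23T10:01:02Z alice GET https://autodiscover.example.com/autodiscover/autodiscover.xml 401
2021-09-23T10:01:03Z alice GET https://example.com/autodiscover/autodiscover.xml 404
2021-09-23T10:01:04Z alice GET http://autodiscover.com/autodiscover/autodiscover.xml 401
2021-09-23T10:02:10Z bob GET https://www.example.com/ 200
"""


def flag_out_of_scope(log_lines, org_domain: str) -> list[tuple[str, str]]:
    """Return (user, host) pairs for Autodiscover requests that left org_domain.

    An outbound request for /autodiscover/ to a host outside the organisation
    is the observable symptom of a leaking client and is worth alerting on.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the constructed format
        _ts, user, _method, url, _status = parts
        parsed = urlsplit(url)
        host = (parsed.hostname or "").lower()
        if "/autodiscover/" in parsed.path.lower() and not in_scope(host, org_domain):
            hits.append((user, host))
    return hits


if __name__ == "__main__":
    d = email_domain("alice@corp.example.com")
    print("conforming client contacts:", spec_candidates(d))
    print("faulty back-off would contact:", faulty_backoff_candidates(d))
    print("allowed after in-scope check:", safe_candidates(d))
    print("leaks seen in log:", flag_out_of_scope(SAMPLE_LOG.splitlines(), "example.com"))
```

The in-scope rule is deliberately strict: a host is acceptable only if it is the user's domain or sits beneath it. An organisation that intentionally serves Autodiscover from a parent domain (example.com for users at corp.example.com) would have to add that domain to an explicit allow list rather than loosen the rule, because any looser rule re-opens the path to autodiscover.<tld>.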
