by Duncan Riley
Discovered and detailed today by Amit Serper at ransomware protection company Guardicore Ltd., the issue relates to the Microsoft Autodiscover protocol. Autodiscover is a feature of Exchange email servers designed to ease the configuration of Exchange clients such as Outlook.
The feature allows an end-user to completely configure their Outlook client solely by providing their username and password while leaving the rest of the configuration to the Autodiscover protocol. That’s where the issue begins.
To obtain the automatic configuration, email clients send requests to a series of predetermined URLs derived from the domain of the user's email address. If none of those URLs answers, the client falls into a "back-off" algorithm that keeps shortening the domain and retrying, until it is requesting Autodiscover from a host built from nothing but the top-level domain (for an @example.com address, autodiscover.com). That host is not controlled by the user's organization, so whoever owns it receives the request, credentials included.
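As an added illustration of the lookup sequence described above (this is not code from the article or from Guardicore), the following model builds the Autodiscover candidate URLs for an email address and flags the ones that fall outside the domains an organization actually owns. The ordering of the standard candidates and the assumption that the back-off strips one DNS label per step all the way down to the top-level domain are simplifications; real client versions differ in the exact order and in where they stop. The `owned_domains` parameter is a hypothetical input supplied by the operator.

```python
# Added example: model of the Autodiscover candidate-URL sequence, including the
# flawed "back-off" that walks up to the top-level domain. Not the client's own
# code; ordering and the strip-one-label-per-step rule are assumptions.
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def standard_candidates(domain: str) -> list[str]:
    """URLs a client tries first; all of them stay under the user's mail domain."""
    return [
        f"https://{domain}{AUTODISCOVER_PATH}",
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"http://autodiscover.{domain}{AUTODISCOVER_PATH}",
    ]


def backoff_candidates(domain: str) -> list[str]:
    """The flawed fallback: drop the leftmost label, prefix 'autodiscover.' and
    retry, repeating until only the top-level domain is left. For example.com
    this yields http://autodiscover.com/..., a host the organization does not own."""
    labels = domain.split(".")
    urls = []
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        urls.append(f"http://autodiscover.{parent}{AUTODISCOVER_PATH}")
    return urls


def candidate_urls(email: str) -> list[str]:
    """Full ordered list of hosts a client may contact for this address."""
    domain = email.rsplit("@", 1)[1].strip().lower()
    return standard_candidates(domain) + backoff_candidates(domain)


def third_party_candidates(email: str, owned_domains: set[str]) -> list[str]:
    """Candidate URLs whose host is not under any domain the organization controls.
    If the earlier candidates fail and someone has registered one of these hosts,
    that party receives the Autodiscover request and whatever credentials it carries."""
    owned = {d.strip().lower().strip(".") for d in owned_domains}
    leaks = []
    for url in candidate_urls(email):
        host = urlsplit(url).hostname
        if not any(host == d or host.endswith("." + d) for d in owned):
            leaks.append(url)
    return leaks


if __name__ == "__main__":
    # Constructed sample addresses; example.com / example.com.br are reserved names.
    for url in candidate_urls("user@example.com"):
        print(url)
    print("would leak to:",
          third_party_candidates("user@mail.example.com.br", {"example.com.br"}))
```

Running the model over an address in a multi-label TLD such as `.com.br` shows why the squatted domains in the research carried country-code suffixes: the back-off passes through `autodiscover.com.br` before it ever reaches the bare TLD. A defender can feed their own user domains and owned-domain list into `third_party_candidates` to see exactly which external hosts their clients would fall back to.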
Serper registered a number of domain names with "autodiscover" in them and pointed them at honeypot web servers to see what would arrive. Between April and August, those honeypots received hundreds of requests a day carrying thousands of credentials from email clients that were simply trying to set themselves up.