Microsoft Exchange service exposes nearly 100,000 names and logins

This appears to be an Autodiscover bug and not an Autodiscover feature.

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

What you need to know

What you need to know

The Autodiscover feature in Microsoft Exchange is resulting in a bit more information being exchanged than users likely hoped for. In short,Guardicorereports that the Autodiscover protocol’s improper implementation has led to “96,671 unique credentials” being leaked (viaBleepingComputer).

Here’s an aggressively simplified overview of how the leaks happened: Imagine an Exchange user signs into a mail client (Outlook, for example). Said client will try to ensure Exchange Autodiscover URLs are legitimate. That user’s login details are then sent to the URLs in question.

However, because of the procedures of some mail clients, theAutodiscover protocolresults in untrusted domains receiving authentication attempts. Andthatmeans that the untrusted domain’s owners can collect the data they wrongly received and do whatever they want with it.

That’s how the leak occurs, and how 96,671 credentials have gone places they shouldn’t have. You can read Guardicore’s full report for the nitty-gritty details, but that’s a general summary of the situation.

When BleepingComputer reached out to Microsoft about the issue, this was Senior Director of Communications Jeff Jones' response:

We are actively investigating and will take appropriate steps to protect customers. We are committed to coordinated vulnerability disclosure, an industry standard, collaborative approach that reduces unnecessary risk for customers before issues are made public. Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today.

Microsoft has repeatedly reminded everyone toplay it smart with Exchange, though in this particular instance, it’s not clear how exactly users can do anything on their end for added protection. We’ll update the story if the company updates its guidance regarding the current situation.

Get the Windows Central Newsletter

Get the Windows Central Newsletter

All the latest news, reviews, and guides for Windows and Xbox diehards.

Robert Carnevale is the News Editor for Windows Central. He’s a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author ofCold War 2395. Have a useful tip? Send it to robert.carnevale@futurenet.com.