Exchange Autodiscover feature can cause Outlook to leak credentials

This article has been indexed from CSO Online

Security researchers warn that a design issue in how the Microsoft Exchange Autodiscover feature works can cause Outlook and other third-party Exchange client applications to leak plaintext Windows domain credentials to external servers. The risk is significantly higher for devices that are used outside of corporate networks, a common scenario during the pandemic.

The goal of Microsoft's Autodiscover protocol for Exchange is to let client applications configure their connection to Exchange automatically. To do this, they rely on a remote configuration file hosted on what is intended to be a company-controlled domain. However, because of a design issue that has been highlighted in the past as well, the protocol can end up searching for the configuration on external domains that anyone can register, or already has.
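One defender-side check the article's description suggests is to review outbound proxy logs for Autodiscover requests that leave the organisation's own domains. The following is an added example, not code from the article or from Microsoft; the log layout, the organisation domain `example.com`, and the out-of-organisation host `autodiscover.invalid` are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (assumption): "timestamp client method url status".
# The last Autodiscover request goes to a host outside the organisation, over plain HTTP.
SAMPLE_LOG = """\
2021-09-22T08:01:10Z 10.0.0.12 GET https://autodiscover.example.com/autodiscover/autodiscover.xml 200
2021-09-22T08:01:11Z 10.0.0.12 GET https://example.com/Autodiscover/Autodiscover.xml 404
2021-09-22T08:01:12Z 10.0.0.12 GET http://autodiscover.invalid/Autodiscover/Autodiscover.xml 401
2021-09-22T08:02:03Z 10.0.0.40 GET https://www.example.com/index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def host_in_org(host, org_domains):
    """True if host equals or is a subdomain of one of the organisation's domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in org_domains)


def find_external_autodiscover(log_text, org_domains):
    """Return Autodiscover requests whose target host is not under an org domain.

    Each hit records the client, host, scheme and HTTP status; a plain-HTTP hit
    or a 401 challenge from an external host is the case worth investigating,
    since that is where a client may have been asked for credentials.
    """
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        if "/autodiscover" not in parts.path.lower():
            continue  # not an Autodiscover lookup
        host = parts.hostname or ""
        if host_in_org(host, org_domains):
            continue  # expected: configuration fetched from the company's own domain
        hits.append({"client": rec["client"], "host": host, "scheme": parts.scheme,
                     "status": rec["status"], "plaintext": parts.scheme == "http"})
    return hits


if __name__ == "__main__":
    for hit in find_external_autodiscover(SAMPLE_LOG, ["example.com"]):
        print(hit)
```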
