Flaw in Microsoft Exchange Autodiscover Function Allows Clear-Text Leakage of Windows Credentials

Approximately 100,000 Windows users worldwide have had their credentials leaked due to a flaw in the Microsoft Exchange Autodiscover feature. The Autodiscover feature is used by Microsoft Exchange to automatically configure a user’s email client with their organization’s predefined mail settings. After a user enters their credentials into an email client, the program attempts to authenticate to multiple Exchange Autodiscover URLs. It’s during this process that clear-text credentials could be routed to third-party untrusted websites to be collected. This flaw was first revealed by Amit Serper, Area Vice President of Security Research at Guardicore. To mitigate against this bug, Serper recommends organizations using Microsoft Exchange should block all Autodiscover.[tld] domains at their firewall or DNS server. Access the full story at BleepingComputer.