Comments on: Hot Air and Publicity for Purported Autodiscover Security Flaw

By: Wlodzimierz

Wlodzimierz — Tue, 28 Sep 2021 07:52:14 +0000

Thank you for your great article Tony.

I can only confirm that also, we were unable to open up a similar autodiscover behavior in our network environment with outlook 2010 – 2019. As well, we checked the connection logs from our outlook programs on firewalls. We did not find any trace of connection with the domains autodiscover.com or autodiscover.pl in our case. We also tested some mobile clients, here also no traces of the “back-off” procedure.

I think that autodiscover “back-off” could be just a big fake and rumour 🙂

Regards,
IT Specialist

By: Tony Redmond

Tony Redmond — Mon, 27 Sep 2021 15:03:35 +0000

In reply to Robin Martin. Yep. But we don't know if the Outlook client is connected to Exchange Online or on-premises. We also don't know the configuration of the Outlook client (what add-ins are loaded and if those add-ins might use EWS to interact with Autodiscover). We also don't know the repro steps. i.e. is this something an average user might do or is it something that you need to take very precise steps in a certain order with a specific software configuration...

By: Tony Redmond

Tony Redmond — Mon, 27 Sep 2021 15:01:25 +0000

In reply to Cary Wagner. Well, we'll see when they reveal the data they have and the mechanisms used to capture the information...

By: Cary Wagner

Cary Wagner — Mon, 27 Sep 2021 14:55:12 +0000

In reply to Tony Redmond. Probably someone just looking for their 15 minutes of fame.

By: Robin

Robin — Mon, 27 Sep 2021 00:17:10 +0000

In reply to Robin Martin. And 16.0.9029 in another screenshot

By: Robin Martin

Robin Martin — Mon, 27 Sep 2021 00:14:08 +0000

For client, one of their screenshots of logs did say this version. But yes, not much detail.

(Windows+NT+10.0;+Microsoft+Outlook+16.0.13901;+Pro)
https://www.guardicore.com/labs/autodiscovering-the-great-leak/

By: Tony Redmond

Tony Redmond — Fri, 24 Sep 2021 08:06:30 +0000

In reply to harald. The interesting thing here is that your finding might point to a flaw in EWS that has been incorporated into third-party products (like Outlook add-ins, and indeed, some Outlook components) to create the issue. I am going to contact Microsoft to advise them of this and we'll see what they say (probably a response that they're checking things out).

By: harald

harald — Fri, 24 Sep 2021 08:00:17 +0000

In reply to Tony Redmond.

I worked backwards. I simply thought: how can such a request be created.

I suspect the domain information was deduced from the ip address of the request.

So the problem seems to be:
user enters a false mail domain
you own the mail domain
you have the credentials of the user (if the user uses basic authentication)

By: Tony Redmond

Tony Redmond — Fri, 24 Sep 2021 07:59:40 +0000

In reply to Joe. I like to think the best of everyone, but the lack of detail in the article is just so disappointing in terms of understanding what's really going on here.

By: Tony Redmond

Tony Redmond — Fri, 24 Sep 2021 06:54:48 +0000

In reply to harald. That's interesting... how did you discover that very important point?