Comments on: Hot Air and Publicity for Purported Autodiscover Security Flaw
https://practical365.com/hot-air-and-publicity-for-purported-autodiscover-security-flaw/
Practical Office 365 News, Tips, and Tutorials
Sun, 24 Apr 2022 03:06:57 +0000

By: Wlodzimierz
https://practical365.com/hot-air-and-publicity-for-purported-autodiscover-security-flaw/#comment-236738
Tue, 28 Sep 2021 07:52:14 +0000

Thank you for your great article, Tony.

I can only confirm that we, too, were unable to open up a similar Autodiscover behavior in our network environment with Outlook 2010 – 2019. We also checked the connection logs from our Outlook programs on the firewalls. We did not find any trace of a connection to the domains autodiscover.com or autodiscover.pl in our case. We also tested some mobile clients; there were no traces of the “back-off” procedure there either.

I think that the Autodiscover “back-off” could be just a big fake and rumour 🙂

Regards,
IT Specialist

By: Tony Redmond
https://practical365.com/hot-air-and-publicity-for-purported-autodiscover-security-flaw/#comment-236731
Mon, 27 Sep 2021 15:03:35 +0000
In reply to Robin Martin.

Yep. But we don’t know if the Outlook client is connected to Exchange Online or on-premises. We also don’t know the configuration of the Outlook client (what add-ins are loaded and whether those add-ins might use EWS to interact with Autodiscover). We also don’t know the repro steps, i.e. is this something an average user might do, or is it something where you need to take very precise steps in a certain order with a specific software configuration…

By: Tony Redmond
https://practical365.com/hot-air-and-publicity-for-purported-autodiscover-security-flaw/#comment-236730
Mon, 27 Sep 2021 15:01:25 +0000
In reply to Cary Wagner.

Well, we’ll see when they reveal the data they have and the mechanisms used to capture the information…

By: Cary Wagner
https://practical365.com/hot-air-and-publicity-for-purported-autodiscover-security-flaw/#comment-236728
Mon, 27 Sep 2021 14:55:12 +0000
In reply to Tony Redmond.

Probably someone just looking for their 15 minutes of fame.

By: Robin
https://practical365.com/hot-air-and-publicity-for-purported-autodiscover-security-flaw/#comment-236725
Mon, 27 Sep 2021 00:17:10 +0000
In reply to Robin Martin.

And 16.0.9029 in another screenshot.

By: Robin Martin
https://practical365.com/hot-air-and-publicity-for-purported-autodiscover-security-flaw/#comment-236724
Mon, 27 Sep 2021 00:14:08 +0000

For the client, one of their screenshots of logs did say this version. But yes, not much detail.

(Windows+NT+10.0;+Microsoft+Outlook+16.0.13901;+Pro)
https://www.guardicore.com/labs/autodiscovering-the-great-leak/

By: Tony Redmond
https://practical365.com/hot-air-and-publicity-for-purported-autodiscover-security-flaw/#comment-236706
Fri, 24 Sep 2021 08:06:30 +0000
In reply to harald.

The interesting thing here is that your finding might point to a flaw in EWS that has been incorporated into third-party products (like Outlook add-ins, and indeed, some Outlook components) to create the issue. I am going to contact Microsoft to advise them of this and we’ll see what they say (probably a response that they’re checking things out).

By: harald
https://practical365.com/hot-air-and-publicity-for-purported-autodiscover-security-flaw/#comment-236705
Fri, 24 Sep 2021 08:00:17 +0000
In reply to Tony Redmond.

I worked backwards. I simply thought: how can such a request be created?

I suspect the domain information was deduced from the IP address of the request.

So the problem seems to be:
the user enters a false mail domain
you own the mail domain
you have the credentials of the user (if the user uses basic authentication)

By: Tony Redmond
https://practical365.com/hot-air-and-publicity-for-purported-autodiscover-security-flaw/#comment-236704
Fri, 24 Sep 2021 07:59:40 +0000
In reply to Joe.

I like to think the best of everyone, but the lack of detail in the article is just so disappointing in terms of understanding what’s really going on here.

By: Tony Redmond
https://practical365.com/hot-air-and-publicity-for-purported-autodiscover-security-flaw/#comment-236702
Fri, 24 Sep 2021 06:54:48 +0000
In reply to harald.

That’s interesting… how did you discover that very important point?
