September 22, 2023

A design flaw in the Microsoft Exchange email server has been found to leak users' credentials to third parties outside their own organisation.

The issue relates to the Microsoft Autodiscover protocol, introduced in Exchange 2007. The protocol is a feature in Exchange email servers designed to ease the configuration of Exchange clients such as Outlook. The feature allows an end-user to completely configure their Outlook client solely by providing their username (email address) and password, leaving the rest of the configuration to the Autodiscover protocol.

To get the automatic configuration, email clients query a series of predetermined URLs derived from the domain part of the user's email address (for example https://autodiscover.example.com/Autodiscover/Autodiscover.xml). If the client doesn't receive a response from any of those URLs, it then falls back to a "back-off" algorithm that strips the leftmost label from the domain and retries, until it ends up sending an Autodiscover request to a host under the bare top-level domain, such as autodiscover.com, which the user's organisation does not control.

The interesting issue with a large number of the requests that we received was that there was no attempt on the client's side to check whether the resource was available, or even existed, on the server before sending an authenticated request. Over 3 lakh (300,000) credentials were exposed, belonging to organisations ranging from food manufacturers and banks to power producers, shipping and logistics providers and more.
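To make the back-off concrete, the following is an added example (not code from the original article, nor from Microsoft or the researchers) that reconstructs how a client derives its Autodiscover candidate URLs from an email address, shows where the back-off leaves the user's domain, and contrasts it with a hardened lookup that refuses to send credentials to any host outside that domain. The two primary URL patterns follow the documented Autodiscover lookup order; the back-off rule (drop the leftmost DNS label and retry) is an assumption that models the behaviour the article describes, and the email address is constructed sample input.

```python
"""Added example: Autodiscover candidate URLs, the leaking back-off, and a
hardened variant. Not code from the original article; the back-off rule
is an assumption modelling the behaviour described in the text."""
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def primary_candidates(domain: str) -> list[str]:
    """Standard lookups built from the email domain (e.g. example.com)."""
    return [
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"https://{domain}{AUTODISCOVER_PATH}",
    ]


def backoff_candidates(domain: str) -> list[str]:
    """Assumed back-off: drop the leftmost DNS label and retry.

    For mail.corp.example.com this yields corp.example.com, example.com and
    finally the bare TLD 'com', i.e. https://autodiscover.com/... which the
    organisation does not control.
    """
    labels = domain.split(".")
    urls = []
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        urls.append(f"https://autodiscover.{parent}{AUTODISCOVER_PATH}")
    return urls


def lookup_plan(email: str) -> list[str]:
    """Every URL a naive client would try, in order, with the user's credentials."""
    domain = email.split("@", 1)[1].lower()
    return primary_candidates(domain) + backoff_candidates(domain)


def leaks_outside_domain(email: str, url: str) -> bool:
    """True if the candidate host is neither the user's domain nor a subdomain of it.

    This is the check the article says clients never performed before sending an
    authenticated request.
    """
    domain = email.split("@", 1)[1].lower()
    host = urlparse(url).hostname or ""
    return not (host == domain or host.endswith("." + domain))


def safe_lookup_plan(email: str) -> list[str]:
    """Hardened variant: only contact hosts under the user's own domain."""
    return [u for u in lookup_plan(email) if not leaks_outside_domain(email, u)]


if __name__ == "__main__":
    sample = "user@example.com"  # constructed sample input
    for url in lookup_plan(sample):
        flag = "LEAKS" if leaks_outside_domain(sample, url) else "ok"
        print(f"{flag:5} {url}")
```

Running the block on user@example.com lists the two in-domain URLs as "ok" and marks https://autodiscover.com/Autodiscover/Autodiscover.xml as "LEAKS": any party who registers autodiscover.<tld> and answers with an HTTP 401 receives the Basic/NTLM credentials the client sends on that request. The hardened plan stops at the domain boundary; a real client would also want to validate the server certificate and prefer the HTTP redirect/SRV steps rather than falling through to the TLD.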

Microsoft has so far responded to the issue by saying that, though it is committed to coordinated vulnerability disclosure, it was not informed of this issue before the findings were made public.
