Thousands of Windows credentials leaked in Microsoft Exchange Autodiscover bug


Key notes

  • Security experts have discovered a design flaw in Microsoft Exchange email server.
  • The bug has the capability of harvesting important credentials.
  • The bug resides in the Microsoft Autodiscover protocol.

It would seem that Microsoft users continue to have trouble with email-related issues. Just the other day, a bug was reported in Outlook. Now comes the latest one.

According to security researchers, a design flaw in the Microsoft Exchange email server gives attackers a way to harvest Windows domain and application credentials from users.

Amit Serper of AVP discovered the bug, and on closer investigation it was found to reside in the Microsoft Autodiscover protocol, a feature that automates email server discovery and handles the credentials used to configure the client properly.

The protocol is considered crucial, since it gives admins a way to ensure clients use the proper SMTP, LDAP, IMAP and WebDAV settings, among others.

Back-off mechanism is the cause

Serper states that the back-off mechanism is the cause of the leak: the client keeps trying to resolve the autodiscover portion of the domain, and when that repeatedly fails, the automatically constructed Autodiscover URL ends up reaching whoever owns that domain.

All captured credentials were sent unencrypted, over plain HTTP. Serper advises users to switch to more secure forms of authentication such as NTLM and OAuth.
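The back-off behaviour and the plain-HTTP problem described above, as an added defensive example that is not code from the article, from Serper's research or from Microsoft. It assumes the client drops one label from the email domain at each back-off step until only the top-level domain is left (an assumption based on the published research), and the proxy log lines and domain names are constructed for illustration.

```python
"""Enumerate the Autodiscover hostnames a client may fall back to, and
flag proxy log entries that send autodiscover.xml requests outside the
organisation or over plain HTTP. Constructed example; the one-label-at-a-time
back-off is an assumption about client behaviour, not documented API."""
from urllib.parse import urlsplit

# Constructed proxy log lines (timestamp, client IP, URL, HTTP status).
SAMPLE_PROXY_LOG = [
    "2021-09-22T10:01:02Z 10.0.0.5 https://autodiscover.example.com/autodiscover/autodiscover.xml 401",
    "2021-09-22T10:01:03Z 10.0.0.5 http://autodiscover.com/autodiscover/autodiscover.xml 401",
]


def backoff_hosts(email_domain: str) -> list:
    """Hostnames tried in turn when the first Autodiscover lookup fails:
    the full domain first, then with the leftmost label removed each step."""
    labels = email_domain.lower().strip(".").split(".")
    return ["autodiscover." + ".".join(labels[i:]) for i in range(len(labels))]


def in_org(host: str, org_domains: set) -> bool:
    """True if the host is the autodiscover name of, or lies under, a domain
    the organisation controls."""
    host = host.lower()
    return any(host == "autodiscover." + d or host.endswith("." + d) for d in org_domains)


def leaked_to_outsiders(email_domain: str, org_domains: set) -> list:
    """Back-off hostnames not under any organisation domain; these are the
    names to deny at the egress proxy or DNS resolver."""
    return [h for h in backoff_hosts(email_domain) if not in_org(h, org_domains)]


def suspicious_requests(log_lines, org_domains: set) -> list:
    """Return (client, url) pairs for autodiscover.xml requests that either
    leave the organisation or use plain HTTP, where credentials travel in clear."""
    hits = []
    for line in log_lines:
        _ts, client, url, _status = line.split()
        parts = urlsplit(url)
        if not parts.path.lower().endswith("/autodiscover/autodiscover.xml"):
            continue
        if parts.scheme != "https" or not in_org(parts.hostname or "", org_domains):
            hits.append((client, url))
    return hits
```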

Microsoft is investigating the issue and will respond in due course.

What do you make of the latest bugs dominating emails? Are there ways you are protecting yourself from such vulnerabilities? Share with us in the comment section below.