Description
- Type: CUSTOMER
- Severity: WARNING
- Protection against: Misconfiguration (Human Error)
- CIS: -
This Customer Check verifies whether autodiscover is correctly configured for your email domains.
Why this check?
Email programs like Microsoft Outlook make it easy to fill in the settings of your mailbox correctly. This is done through the Autodiscover protocol. When you enter your email address, the program searches the internet for the correct server from which your email can be downloaded, starting with http://autodiscover.<yourdomain> and then trying other variants.
It has been found that this functionality can be abused. This is possible when the owner of a domain has forgotten to configure Autodiscover correctly in DNS. The abuse can result in your login credentials falling into the wrong hands. More information about the leak can be found in the publication of the research that discovered it, by Amit Serper of Guardicore.
This check therefore verifies whether Autodiscover is correctly configured for all your email domains.
What are the possible outcomes of the check?
This check has three possible outcomes. In Attic, this is reflected as follows:
- Okay: Autodiscover is correctly configured for all your email domains
- Warning: Autodiscover for your primary domain is not correctly configured
- Error: Autodiscover is not correctly configured for one or more non-primary domains
How should this be followed up?
If the output is Warning, it means that the domain your employees log in with is vulnerable to abuse. We advise resolving this issue urgently. In the case of Error, it concerns secondary domains, where the risk of leaking login credentials is smaller, but it is still good to configure Autodiscover correctly for them.
Autodiscover must be configured within the DNS configuration of the relevant domain. Therefore, contact the administrator of that configuration to resolve this.
The record that should exist in your DNS is:
- name: autodiscover
- type: CNAME
- target: autodiscover.outlook.com
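As an added example (not Attic's own check code), the following Python shows how the record lookup and the three outcomes above can be implemented. The domain names and DNS answers are constructed samples; dnspython_lookup is an assumed helper that needs the dnspython package for real queries.

```python
"""Verify that each email domain publishes the expected Autodiscover CNAME.

Expected record (as stated in the check description):
    autodiscover.<domain>  CNAME  autodiscover.outlook.com
"""
from typing import Callable, Dict, Iterable, List, Optional

EXPECTED_TARGET = "autodiscover.outlook.com"

# A lookup function receives a fully-qualified name and returns the CNAME
# target without its trailing dot, or None when no CNAME record exists.
Lookup = Callable[[str], Optional[str]]


def dnspython_lookup(name: str) -> Optional[str]:
    """Real resolver (assumed helper: requires the dnspython package)."""
    import dns.resolver  # imported lazily so the logic below runs without it
    try:
        answer = dns.resolver.resolve(name, "CNAME")
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return None
    return str(answer[0].target).rstrip(".").lower()


def autodiscover_ok(domain: str, lookup: Lookup) -> bool:
    """True when autodiscover.<domain> is a CNAME to the expected target."""
    target = lookup(f"autodiscover.{domain}")
    return target is not None and target.lower() == EXPECTED_TARGET


def check_domains(primary: str, others: Iterable[str], lookup: Lookup) -> Dict[str, object]:
    """Classify like the check: Warning when the primary domain is wrong,
    Error when only non-primary domains are wrong, Okay otherwise.
    Assumption: a failing primary domain is reported as Warning even when
    secondary domains fail too, since that is the more urgent finding."""
    failing: List[str] = [d for d in [primary, *others] if not autodiscover_ok(d, lookup)]
    if primary in failing:
        outcome = "Warning"
    elif failing:
        outcome = "Error"
    else:
        outcome = "Okay"
    return {"outcome": outcome, "failing": failing}


# Constructed sample DNS answers standing in for real lookups.
SAMPLE_DNS = {
    "autodiscover.example.com": "autodiscover.outlook.com.",  # correct
    "autodiscover.example.net": "mail.example.net.",          # wrong target
    # autodiscover.example.org has no CNAME record at all
}


def sample_lookup(name: str) -> Optional[str]:
    target = SAMPLE_DNS.get(name)
    return target.rstrip(".").lower() if target else None


if __name__ == "__main__":
    print(check_domains("example.com", ["example.net", "example.org"], sample_lookup))
```

Replace sample_lookup with dnspython_lookup to run the check against live DNS for your own domains.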
Correctly configuring this DNS record is not a guarantee against abuse. The DNS server used by a particular employee could, for example, be abused to redirect to a rogue server. There are some additional controls possible to further reduce the risk of abuse. See Guardicore's recommendations for this:
https://www.guardicore.com/labs/autodiscovering-the-great-leak/