SlideShare a Scribd company logo

Hundreds of Thousands of Windows Credentials Exposed by Microsoft Exchange Autodiscover Bug.pptx

Download as PPTX, PDF
infosec train
infosec train

It appears that Microsoft users are still encountering challenges with email-related concerns. A problem that has infiltrated Outlook was recently reported. https://www.infosectrain.com/courses/cissp-certification-training/

Education
1 of 10
Hundreds of Thousands of Windows Credentials Exposed by Microsoft Exchange Autodiscover Bug www.infosectrain.com | sales@infosectrain.com
www.infosectrain.com | sales@infosectrain.com It appears that Microsoft users are still encountering challenges with email-related concerns. A problem that has infiltrated Outlook was recently reported. Then there's the most recent invasion. A design vulnerability in a function of the Microsoft Exchange email server has been identified, which may be used to capture Windows domain and app credentials from users all over the world.
www.infosectrain.com | sales@infosectrain.com Amit Serper, AVP of Security Research at security firm Guardicore Labs, claimed he discovered credentials for firms from several industries when looking through the URLs that linked to their honeypots. • Food manufacturers • Investment banks • Power plants • Power delivery • Real estate • Shipping and logistics • Fashion and jewelry • Publicly traded companies in the Chinese market Serper revealed the findings of an investigation into Autodiscover, a technique used to authenticate to Microsoft Exchange servers and configure client access, on Wednesday. There are several versions of the protocol to choose from. Guardicore investigated a POX XML-based Autodiscover implementation and discovered a "design fault" that could be used to 'leak' web requests to Autodiscover domains outside of a user's domain as long as they were in the same top-level domain (TLD). To test the protocol, the team initially registered and acquired a variety of TLD-based domains, such as Autodiscover.com.br, Autodiscover.com.cn, Autodiscover.com.fr, and Autodiscover.com.uk.
www.infosectrain.com | sales@infosectrain.com The researchers say they "were just waiting for HTTP requests for different Autodiscover endpoints to come" after assigning these domains to a Guardicore web server. “The intriguing issue with a big portion of the requests we received was that there was no attempt on the client's side to check if the resource is available or even exists on the server before submitting an authenticated request,” Serper said in a study released today. He also claims that the back-off mechanism is the source of the leak since it is always attempting to resolve the domain's Autodiscover section. It always fails to reach the domain owner using the Autodiscover url that is established automatically. In HTTP form, all of the credentials that were collected had no encryption at all. Serper recommends that customers utilize more secure authentication methods like NTLM and Oauth. Security Training with InfosecTrain InfosecTrain is a worldwide leader in IT security training and consultancy. Enroll in one of our security training courses to learn how to keep a healthy security posture and avoid security breaches. Our highly skilled instructors will provide you with all of the knowledge and skills you will need to assure preparedness and uncover methods to strengthen your response when the worst happens to your and your company's IT systems from unattended bugs and security attacks.
About InfosecTrain • Established in 2016, we are one of the finest Security and Technology Training and Consulting company • Wide range of professional training programs, certifications & consulting services in the IT and Cyber Security domain • High-quality technical services, certifications or customized training programs curated with professionals of over 15 years of combined experience in the domain www.infosectrain.com | sales@infosectrain.com
Our Endorsements www.infosectrain.com | sales@infosectrain.com
Why InfosecTrain Global Learning Partners Flexible modes of Training Tailor Made Training Post training completion Certified and Experienced Instructors Access to the recorded sessions www.infosectrain.com | sales@infosectrain.com
Our Trusted Clients www.infosectrain.com | sales@infosectrain.com
Contact us Get your workforce reskilled by our certified and experienced instructors! IND: 1800-843-7890 (Toll Free) / US: +1 657-722-11127 / UK : +44 7451 208413 sales@infosectrain.com www.infosectrain.com

Recommended

Security & Compliance for Startups
Security & Compliance for StartupsSecurity & Compliance for Startups
Security & Compliance for Startups
Symosis Security (Previously C-Level Security)
 
Defenders of the Galaxy - Protecting the (Cloud) galaxy from threats.pptx
Defenders of the Galaxy - Protecting the (Cloud) galaxy from threats.pptxDefenders of the Galaxy - Protecting the (Cloud) galaxy from threats.pptx
Defenders of the Galaxy - Protecting the (Cloud) galaxy from threats.pptx
Matthew Levy
 
Why Penetration Testing Services Cyber51
Why Penetration Testing Services Cyber51Why Penetration Testing Services Cyber51
Why Penetration Testing Services Cyber51
martinvoelk
 
Cyber security event
Cyber security eventCyber security event
Cyber security event
Tryzens
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
Sebastien Deleersnyder
 
Webinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von BaggenstosWebinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von Baggenstos
JenniferMete1
 
Implementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommutersImplementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommuters
Rishabh Gupta
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.Prabhakaran
Koenig Solutions Ltd.
 

Recommended

Security & Compliance for Startups
Security & Compliance for StartupsSecurity & Compliance for Startups
Security & Compliance for Startups
Symosis Security (Previously C-Level Security)
 
Defenders of the Galaxy - Protecting the (Cloud) galaxy from threats.pptx
Defenders of the Galaxy - Protecting the (Cloud) galaxy from threats.pptxDefenders of the Galaxy - Protecting the (Cloud) galaxy from threats.pptx
Defenders of the Galaxy - Protecting the (Cloud) galaxy from threats.pptx
Matthew Levy
 
Why Penetration Testing Services Cyber51
Why Penetration Testing Services Cyber51Why Penetration Testing Services Cyber51
Why Penetration Testing Services Cyber51
martinvoelk
 
Cyber security event
Cyber security eventCyber security event
Cyber security event
Tryzens
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
Sebastien Deleersnyder
 
Webinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von BaggenstosWebinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von Baggenstos
JenniferMete1
 
Implementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommutersImplementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommuters
Rishabh Gupta
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.Prabhakaran
Koenig Solutions Ltd.
 
System Security on Cloud
System Security on CloudSystem Security on Cloud
System Security on Cloud
Tu Pham
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
ShivamSharma909
 
Product security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security CertsProduct security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security Certs
LabSharegroup
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
TEST Huddle
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen?
Claranet UK
 
Brochure of ICSS
Brochure of ICSS Brochure of ICSS
Brochure of ICSS
International College of Security Studies
 
Daniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity storyDaniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity story
Microsoft Österreich
 
Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)
mikemcbryde
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
pbink
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
OpenText Cyber Resilience Fastrak
OpenText Cyber Resilience FastrakOpenText Cyber Resilience Fastrak
OpenText Cyber Resilience Fastrak
Marc St-Pierre
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project
99X Technology
 
Building an AppSec Culture
Building an AppSec Culture Building an AppSec Culture
Building an AppSec Culture
Nirosh Jayaratnam
 
Testing Application Security: The Hacker Psyche Exposed
Testing Application Security: The Hacker Psyche ExposedTesting Application Security: The Hacker Psyche Exposed
Testing Application Security: The Hacker Psyche Exposed
TechWell
 
Electronic Data Discovery
Electronic Data DiscoveryElectronic Data Discovery
Electronic Data Discovery
Sigma Infosolutions, LLC
 
Company_Profile_Updated_17032016
Company_Profile_Updated_17032016Company_Profile_Updated_17032016
Company_Profile_Updated_17032016
Dr. Afnan Ullah Khan
 
A 2020 Security strategy for Health Care Providers
A 2020 Security strategy for Health Care ProvidersA 2020 Security strategy for Health Care Providers
A 2020 Security strategy for Health Care Providers
Feisal Nanji
 
Cyber security for Developers
Cyber security for DevelopersCyber security for Developers
Cyber security for Developers
techtutorus
 
Securely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure ScoreSecurely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure Score
Joel Oleson
 
Security Testing In The Secured World
Security Testing In The Secured WorldSecurity Testing In The Secured World
Security Testing In The Secured World
Jennifer Mary
 
SOC Specailist Training.pdf InfosecTrain
SOC Specailist Training.pdf InfosecTrainSOC Specailist Training.pdf InfosecTrain
SOC Specailist Training.pdf InfosecTrain
infosec train
 
CISSP Domain 1: 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐚𝐧𝐝 𝐑𝐢𝐬𝐤 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭.pdf
CISSP Domain 1: 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐚𝐧𝐝 𝐑𝐢𝐬𝐤 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭.pdfCISSP Domain 1: 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐚𝐧𝐝 𝐑𝐢𝐬𝐤 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭.pdf
CISSP Domain 1: 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐚𝐧𝐝 𝐑𝐢𝐬𝐤 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭.pdf
infosec train
 

More Related Content

Similar to Hundreds of Thousands of Windows Credentials Exposed by Microsoft Exchange Autodiscover Bug.pptx

Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
ShivamSharma909
 
Product security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security CertsProduct security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security Certs
LabSharegroup
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
TEST Huddle
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen?
Claranet UK
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
Testing Application Security: The Hacker Psyche Exposed
Testing Application Security: The Hacker Psyche ExposedTesting Application Security: The Hacker Psyche Exposed
Testing Application Security: The Hacker Psyche Exposed
TechWell
 
Securely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure ScoreSecurely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure Score
Joel Oleson
 

Similar to Hundreds of Thousands of Windows Credentials Exposed by Microsoft Exchange Autodiscover Bug.pptx (20)

System Security on Cloud
System Security on CloudSystem Security on Cloud
System Security on Cloud
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
 
Product security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security CertsProduct security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security Certs
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen?
 
Brochure of ICSS
Brochure of ICSS Brochure of ICSS
Brochure of ICSS
 
Daniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity storyDaniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity story
 
Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
 
OpenText Cyber Resilience Fastrak
OpenText Cyber Resilience FastrakOpenText Cyber Resilience Fastrak
OpenText Cyber Resilience Fastrak
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project
 
Building an AppSec Culture
Building an AppSec Culture Building an AppSec Culture
Building an AppSec Culture
 
Testing Application Security: The Hacker Psyche Exposed
Testing Application Security: The Hacker Psyche ExposedTesting Application Security: The Hacker Psyche Exposed
Testing Application Security: The Hacker Psyche Exposed
 
Electronic Data Discovery
Electronic Data DiscoveryElectronic Data Discovery
Electronic Data Discovery
 
Company_Profile_Updated_17032016
Company_Profile_Updated_17032016Company_Profile_Updated_17032016
Company_Profile_Updated_17032016
 
A 2020 Security strategy for Health Care Providers
A 2020 Security strategy for Health Care ProvidersA 2020 Security strategy for Health Care Providers
A 2020 Security strategy for Health Care Providers
 
Cyber security for Developers
Cyber security for DevelopersCyber security for Developers
Cyber security for Developers
 
Securely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure ScoreSecurely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure Score
 
Security Testing In The Secured World
Security Testing In The Secured WorldSecurity Testing In The Secured World
Security Testing In The Secured World
 

More from infosec train

Everything about APT29. pdf InfosecTrain
Everything about APT29. pdf InfosecTrainEverything about APT29. pdf InfosecTrain
Everything about APT29. pdf InfosecTrain
infosec train
 
AXIS Bank Credit Card Fraud.pdf infosectrain
AXIS Bank Credit Card Fraud.pdf infosectrainAXIS Bank Credit Card Fraud.pdf infosectrain
AXIS Bank Credit Card Fraud.pdf infosectrain
infosec train
 

More from infosec train (20)

SOC Specailist Training.pdf InfosecTrain
SOC Specailist Training.pdf InfosecTrainSOC Specailist Training.pdf InfosecTrain
SOC Specailist Training.pdf InfosecTrain
 
CISSP Domain 1: 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐚𝐧𝐝 𝐑𝐢𝐬𝐤 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭.pdf
CISSP Domain 1: 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐚𝐧𝐝 𝐑𝐢𝐬𝐤 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭.pdfCISSP Domain 1: 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐚𝐧𝐝 𝐑𝐢𝐬𝐤 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭.pdf
CISSP Domain 1: 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐚𝐧𝐝 𝐑𝐢𝐬𝐤 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭.pdf
 
CRISC Domains Mind Map InfosecTrain .pdf
CRISC Domains Mind Map InfosecTrain .pdfCRISC Domains Mind Map InfosecTrain .pdf
CRISC Domains Mind Map InfosecTrain .pdf
 
Everything about APT29. pdf InfosecTrain
Everything about APT29. pdf InfosecTrainEverything about APT29. pdf InfosecTrain
Everything about APT29. pdf InfosecTrain
 
Top 10 Cyber Attacks 2024.pdf InfosecTrain
Top 10 Cyber Attacks 2024.pdf InfosecTrainTop 10 Cyber Attacks 2024.pdf InfosecTrain
Top 10 Cyber Attacks 2024.pdf InfosecTrain
 
Cloud Storage vs. Local Storage.pdf InfosecTrain
Cloud Storage vs. Local Storage.pdf InfosecTrainCloud Storage vs. Local Storage.pdf InfosecTrain
Cloud Storage vs. Local Storage.pdf InfosecTrain
 
Threat- Hunting-Tips .pdf InfosecTrain
Threat- Hunting-Tips .pdf InfosecTrainThreat- Hunting-Tips .pdf InfosecTrain
Threat- Hunting-Tips .pdf InfosecTrain
 
AXIS Bank Credit Card Fraud.pdf infosectrain
AXIS Bank Credit Card Fraud.pdf infosectrainAXIS Bank Credit Card Fraud.pdf infosectrain
AXIS Bank Credit Card Fraud.pdf infosectrain
 
Interpreting the Malicious Mind Motive Behind Cyberattacks.pdf
Interpreting the Malicious Mind Motive Behind Cyberattacks.pdfInterpreting the Malicious Mind Motive Behind Cyberattacks.pdf
Interpreting the Malicious Mind Motive Behind Cyberattacks.pdf
 
Cybersecurity Expert Training InfosecTrain.pdf
Cybersecurity Expert Training InfosecTrain.pdfCybersecurity Expert Training InfosecTrain.pdf
Cybersecurity Expert Training InfosecTrain.pdf
 
𝐃𝐚𝐭𝐚 𝐏𝐫𝐢𝐯𝐚𝐜𝐲 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞𝐬 & 𝐒𝐨𝐥𝐮𝐭𝐢𝐨𝐧𝐬!.pdf
𝐃𝐚𝐭𝐚 𝐏𝐫𝐢𝐯𝐚𝐜𝐲 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞𝐬 & 𝐒𝐨𝐥𝐮𝐭𝐢𝐨𝐧𝐬!.pdf𝐃𝐚𝐭𝐚 𝐏𝐫𝐢𝐯𝐚𝐜𝐲 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞𝐬 & 𝐒𝐨𝐥𝐮𝐭𝐢𝐨𝐧𝐬!.pdf
𝐃𝐚𝐭𝐚 𝐏𝐫𝐢𝐯𝐚𝐜𝐲 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞𝐬 & 𝐒𝐨𝐥𝐮𝐭𝐢𝐨𝐧𝐬!.pdf
 
CEH v12 Certification Training Guide.pdf
CEH v12 Certification Training Guide.pdfCEH v12 Certification Training Guide.pdf
CEH v12 Certification Training Guide.pdf
 
GRC Online Training by InfosecTrain.pdf
GRC Online Training by InfosecTrain.pdfGRC Online Training by InfosecTrain.pdf
GRC Online Training by InfosecTrain.pdf
 
PMP Certification Training Course.pdf
PMP Certification Training Course.pdfPMP Certification Training Course.pdf
PMP Certification Training Course.pdf
 
upcoming batches of InfosecTrain .pdf 01
upcoming batches of InfosecTrain .pdf 01upcoming batches of InfosecTrain .pdf 01
upcoming batches of InfosecTrain .pdf 01
 
Best SOC Career Guide InfosecTrain .pdf
Best SOC Career Guide InfosecTrain .pdfBest SOC Career Guide InfosecTrain .pdf
Best SOC Career Guide InfosecTrain .pdf
 
NIST CHECKLIST by InfosecTrain.pdf InfosecTrain
NIST CHECKLIST by InfosecTrain.pdf InfosecTrainNIST CHECKLIST by InfosecTrain.pdf InfosecTrain
NIST CHECKLIST by InfosecTrain.pdf InfosecTrain
 
PCI-DSS(Payment Card Industry Data Security Standard) Training .pdf
PCI-DSS(Payment Card Industry Data Security Standard) Training .pdfPCI-DSS(Payment Card Industry Data Security Standard) Training .pdf
PCI-DSS(Payment Card Industry Data Security Standard) Training .pdf
 
Types of Data Privacy by InfosecTrain.pdf
Types of Data Privacy by InfosecTrain.pdfTypes of Data Privacy by InfosecTrain.pdf
Types of Data Privacy by InfosecTrain.pdf
 
CEH v12 Online Certification Training.pdf
CEH v12 Online Certification Training.pdfCEH v12 Online Certification Training.pdf
CEH v12 Online Certification Training.pdf
 

Recently uploaded

Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
MateoGardella
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 

Recently uploaded (20)

Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 

Hundreds of Thousands of Windows Credentials Exposed by Microsoft Exchange Autodiscover Bug.pptx

  • 1. Hundreds of Thousands of Windows Credentials Exposed by Microsoft Exchange Autodiscover Bug www.infosectrain.com | sales@infosectrain.com
  • 2. www.infosectrain.com | sales@infosectrain.com It appears that Microsoft users are still encountering challenges with email-related concerns. A problem that has infiltrated Outlook was recently reported. Then there's the most recent invasion. A design vulnerability in a function of the Microsoft Exchange email server has been identified, which may be used to capture Windows domain and app credentials from users all over the world.
  • 3. www.infosectrain.com | sales@infosectrain.com Amit Serper, AVP of Security Research at security firm Guardicore Labs, claimed he discovered credentials for firms from several industries when looking through the URLs that linked to their honeypots. • Food manufacturers • Investment banks • Power plants • Power delivery • Real estate • Shipping and logistics • Fashion and jewelry • Publicly traded companies in the Chinese market Serper revealed the findings of an investigation into Autodiscover, a technique used to authenticate to Microsoft Exchange servers and configure client access, on Wednesday. There are several versions of the protocol to choose from. Guardicore investigated a POX XML-based Autodiscover implementation and discovered a "design fault" that could be used to 'leak' web requests to Autodiscover domains outside of a user's domain as long as they were in the same top-level domain (TLD). To test the protocol, the team initially registered and acquired a variety of TLD-based domains, such as Autodiscover.com.br, Autodiscover.com.cn, Autodiscover.com.fr, and Autodiscover.com.uk.
  • 4. www.infosectrain.com | sales@infosectrain.com The researchers say they "were just waiting for HTTP requests for different Autodiscover endpoints to come" after assigning these domains to a Guardicore web server. “The intriguing issue with a big portion of the requests we received was that there was no attempt on the client's side to check if the resource is available or even exists on the server before submitting an authenticated request,” Serper said in a study released today. He also claims that the back-off mechanism is the source of the leak since it is always attempting to resolve the domain's Autodiscover section. It always fails to reach the domain owner using the Autodiscover url that is established automatically. In HTTP form, all of the credentials that were collected had no encryption at all. Serper recommends that customers utilize more secure authentication methods like NTLM and Oauth. Security Training with InfosecTrain InfosecTrain is a worldwide leader in IT security training and consultancy. Enroll in one of our security training courses to learn how to keep a healthy security posture and avoid security breaches. Our highly skilled instructors will provide you with all of the knowledge and skills you will need to assure preparedness and uncover methods to strengthen your response when the worst happens to your and your company's IT systems from unattended bugs and security attacks.
  • 5. About InfosecTrain • Established in 2016, we are one of the finest Security and Technology Training and Consulting company • Wide range of professional training programs, certifications & consulting services in the IT and Cyber Security domain • High-quality technical services, certifications or customized training programs curated with professionals of over 15 years of combined experience in the domain www.infosectrain.com | sales@infosectrain.com
  • 7. Why InfosecTrain Global Learning Partners Flexible modes of Training Tailor Made Training Post training completion Certified and Experienced Instructors Access to the recorded sessions www.infosectrain.com | sales@infosectrain.com
  • 8. Our Trusted Clients www.infosectrain.com | sales@infosectrain.com
  • 9.
  • 10. Contact us Get your workforce reskilled by our certified and experienced instructors! IND: 1800-843-7890 (Toll Free) / US: +1 657-722-11127 / UK : +44 7451 208413 sales@infosectrain.com www.infosectrain.com