»New message« symbol in Outlook (archive image)
Photo: Jan-Philipp Strobel / dpa
Microsoft wants to make it easy for its users.
In many cases, it is therefore enough to enter your e-mail address into a program such as Outlook, and the program configures itself to retrieve mail from the account in question.
That is nice and easy, but the convenience has a catch: over the past few months, the login details of many such e-mail accounts ended up, entirely unnoticed, in a trap set by a researcher.
Security expert Amit Serper of the IT service provider Guardicore says that between April and August he intercepted the credentials of almost 100,000 Windows accounts that Microsoft Outlook and other e-mail programs had sent over the network.
The problem lies in the so-called Autodiscover function, which Microsoft offers to make it easier to set up e-mail programs for use with so-called Exchange servers.
Instead of having to grapple with things like SMTP, IMAP and LDAP, the function has the software itself retrieve the necessary configuration data from the server and fill it in.
The software keeps searching
To find the configuration data, the software uses the so-called domain, the part of the e-mail address after the @ sign.
For an e-mail address at the domain beispiel.de, the program would first request hosts such as autodiscover.beispiel.de and beispiel.de.
If one of them responds, the setup works.
If the search comes to nothing, however, it becomes risky.
In that case the software persistently keeps looking: it composes further addresses from the domain and from the top-level domain (in our example .de) and queries those for the Autodiscover data.
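The back-off just described, written out as an added example (not code from the article, from Guardicore or from Microsoft): the function lists the hosts a client would probe for a given address, and a second check flags every candidate that is not the organization's own domain or a subdomain of it, which is exactly the set a stranger could register. The example generalizes the article's one-level case to domains with several labels, stripping one label per step until only the top-level domain remains; the organization's domain and the sample addresses are assumptions.

```python
"""Autodiscover host back-off and a check for candidates outside the organization.

Added example modelling the behaviour described in the article; the
organization domains and e-mail addresses below are constructed.
"""
from typing import List, Optional


def autodiscover_candidates(email: str) -> List[str]:
    """Return the candidate hosts a client probes, in order, for one address.

    First autodiscover.<domain> and <domain>, then the leftmost label is
    stripped repeatedly and autodiscover.<rest> is tried, down to the
    top-level domain (for anna@beispiel.de that ends at autodiscover.de).
    """
    domain = email.rsplit("@", 1)[1].lower().rstrip(".")
    labels = domain.split(".")
    hosts = [f"autodiscover.{domain}", domain]
    for i in range(1, len(labels)):
        hosts.append("autodiscover." + ".".join(labels[i:]))
    return hosts


def leaves_organization(host: str, org_domain: str) -> bool:
    """True if host is neither the organization's domain nor a subdomain of it."""
    org_domain = org_domain.lower().rstrip(".")
    return not (host == org_domain or host.endswith("." + org_domain))


def risky_candidates(email: str, org_domain: Optional[str] = None) -> List[str]:
    """Candidates whose owner could be anyone who registers the name.

    org_domain is the domain the organization actually controls; it defaults
    to the address's own domain.
    """
    org_domain = org_domain or email.rsplit("@", 1)[1].lower()
    return [
        host
        for host in autodiscover_candidates(email)
        if leaves_organization(host, org_domain)
    ]


if __name__ == "__main__":
    for address, org in [("anna@beispiel.de", None), ("bob@mail.beispiel.co.uk", "beispiel.co.uk")]:
        print(address)
        for host in autodiscover_candidates(address):
            marker = "OUTSIDE ORG" if host in risky_candidates(address, org) else "ok"
            print(f"  {host:40s} {marker}")
```

For a single-label organization domain the only risky candidate is the bare top-level host (autodiscover.de in the article's example); for deeper domains, every candidate above the organization's own registrable domain is one that a third party could answer.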
Serper took advantage of this and acquired domains such as autodiscover.es for Spain and autodiscover.uk for Great Britain.
His team set up web servers on these decoy domains and waited for misdirected requests.
"To our surprise, we saw a considerable number of requests from Autodiscover devices," writes Serper.
The team even managed to get the e-mail clients to send login data to the decoy server over unencrypted HTTP connections.
They were thus able to intercept usernames and passwords in clear text, which is particularly dangerous because the Outlook logins usually match the users' Windows credentials.
This is how companies can protect themselves
In an interview with SPIEGEL, computer science professor Richard Zahoransky said: "It's a serious vulnerability that Microsoft should take care of." Microsoft had done "too much" to make it easier for the user. "That's a problem."
Zahoransky says Microsoft has to stop looking for Autodiscover hosts sooner.
»Inquiries may not be made to publicly registrable domain names.« Only the URL behind the @ sign should be checked; everything else could be beyond the control of the respective company.
Employees are best protected if their company provides an Autodiscover file at the address expected by the software.
The Guardicore team also recommends that IT administrators block the Autodiscover domains on a list the team has compiled.
In addition, the so-called Basic authentication of the Exchange server should be switched off so that login data cannot be transmitted unencrypted.
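The two recommendations above can be checked against an organization's own traffic. This added example (not code from the article or from Guardicore) scans outbound web-proxy log lines and reports Autodiscover requests that went to a host outside the organization's domain, and requests that carried credentials over plain HTTP, which is what disabling Basic authentication is meant to stop. The log format, the organization domain beispiel.de and the sample lines are all constructed for the example.

```python
"""Find Autodiscover requests that left the organization or sent credentials in clear.

Added example. The proxy log format and the sample lines are constructed:
<timestamp> <client-ip> <method> <url> <auth-scheme-or-none> <status>
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

SAMPLE_LOG = """\
2021-08-03T10:15:22Z 10.0.0.12 POST https://autodiscover.beispiel.de/autodiscover/autodiscover.xml basic 200
2021-08-03T10:15:23Z 10.0.0.12 POST http://autodiscover.de/autodiscover/autodiscover.xml none 401
2021-08-03T10:15:24Z 10.0.0.12 POST http://autodiscover.de/autodiscover/autodiscover.xml basic 200
2021-08-03T10:16:01Z 10.0.0.40 GET https://www.beispiel.de/ none 200
2021-08-03T10:17:09Z 10.0.0.55 POST http://autodiscover.beispiel.de/autodiscover/autodiscover.xml basic 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

OUTSIDE_ORG = "autodiscover host outside organization"
CLEARTEXT_AUTH = "credentials sent over plain HTTP"


def in_organization(host: str, org_domain: str) -> bool:
    """True if host is the organization's domain or a subdomain of it."""
    org_domain = org_domain.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)


def scan_autodiscover_log(log_text: str, org_domain: str) -> List[Dict[str, str]]:
    """Return one finding per Autodiscover request that violates either rule."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the constructed format
        timestamp, client, _method, url, auth, _status = match.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Only Autodiscover traffic is of interest: the well-known host prefix or path.
        if not host.startswith("autodiscover.") and "autodiscover" not in parts.path.lower():
            continue
        reasons = []
        if not in_organization(host, org_domain):
            reasons.append(OUTSIDE_ORG)
        if parts.scheme == "http" and auth != "none":
            reasons.append(CLEARTEXT_AUTH)
        if reasons:
            findings.append(
                {"time": timestamp, "client": client, "host": host, "reasons": "; ".join(reasons)}
            )
    return findings


def clients_with_findings(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct client addresses that produced findings, in first-seen order."""
    seen: List[str] = []
    for finding in findings:
        if finding["client"] not in seen:
            seen.append(finding["client"])
    return seen


if __name__ == "__main__":
    results = scan_autodiscover_log(SAMPLE_LOG, "beispiel.de")
    for finding in results:
        print(f"{finding['time']} {finding['client']} -> {finding['host']}: {finding['reasons']}")
    print("clients to follow up:", ", ".join(clients_with_findings(results)))
```

In the sample, the request from 10.0.0.55 goes to the organization's own Autodiscover host but still sends credentials over HTTP, so it is reported even though no third party is involved; the two requests to autodiscover.de show the back-off leaving the organization, once without and once with credentials.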
Hackers warned years ago
At SPIEGEL's request, Microsoft referred to company spokesman Jeff Jones, who said: "We are investigating the matter intensively and are taking appropriate steps to protect the customers." Jones complains, however, that the problem was not reported to the Microsoft security team before the media were informed.
Serper responded to the allegation by tweeting that it was a known issue.
Hackers had pointed out the risks around five years ago.
At that time, the researchers came to the conclusion that "programs that blindly send login data with Autodiscover requests enable even inexperienced attackers to collect large amounts of sensitive user data ... that could later be used for other types of attacks."
Back then, the researchers intercepted up to two million requests per month.
Assuming that attackers have set traps again and again since then, "theoretically a lot has been tapped in the meantime," says IT professor Richard Zahoransky.