'What I found was that there were a bunch of email clients including Outlook that were more than happy to pass over their credentials to a web server within your domain tree and what Guardicore found was that in many cases it kept going up the tree to the TLD, meaning you were no longer just worrying about your own web server (or the server that hosted your domain),' explained van Beek in an email to The Register. Last week, security firm Guardicore offered its take on the problem with the Autodiscover protocol, explaining that the 'back off' mechanism for resolving domain names makes it trivial to set up servers on Autodiscover TLDs to intercept hundreds of thousands of credential transmissions from systems that haven't been properly secured.
He attached an explanatory PDF with his note, which described the behavior of the Microsoft Autodiscover protocol when email client software tries to add a new Exchange account.
His proof-of-concept exploit code, which affected Outlook (both Mac and PC), default email apps for Android and iOS, Apple Mail for Mac OS X, and others, consisted of 11 lines of PHP, though he insisted the exploit probably could have been reduced to three lines.
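As an added illustration of the "back off" behaviour described above (this is not van Beek's or Guardicore's code), the following Python models the sequence of Autodiscover hostnames a client may try for a mailbox domain and flags the ones that fall outside the domains an organisation actually controls. The exact back-off sequence is an assumption, modelled as stripping one leading label at a time, and the sample domains are constructed.

```python
from typing import Dict, List

AUTODISCOVER_PREFIX = "autodiscover."


def autodiscover_candidates(email_domain: str) -> List[str]:
    """Model of the Autodiscover 'back off' walk up the domain tree.

    For mail.corp.example.com this yields
    autodiscover.mail.corp.example.com, autodiscover.corp.example.com,
    autodiscover.example.com and finally autodiscover.com (the TLD level
    that the article says clients end up at). Assumption: one label is
    dropped per step and the walk stops at the bare TLD.
    """
    labels = email_domain.lower().strip(".").split(".")
    return [AUTODISCOVER_PREFIX + ".".join(labels[i:]) for i in range(len(labels))]


def audit_candidates(email_domain: str, controlled_domains: List[str]) -> Dict[str, List[str]]:
    """Split the candidate hosts into those under a domain you control and
    those that are not (candidates an outside party could register).

    controlled_domains: DNS zones the organisation owns, e.g. ["example.com"].
    """
    controlled = {d.lower().strip(".") for d in controlled_domains}

    def is_controlled(host: str) -> bool:
        zone = host[len(AUTODISCOVER_PREFIX):]
        return any(zone == c or zone.endswith("." + c) for c in controlled)

    report: Dict[str, List[str]] = {"inside": [], "outside": []}
    for host in autodiscover_candidates(email_domain):
        report["inside" if is_controlled(host) else "outside"].append(host)
    return report


if __name__ == "__main__":
    # Constructed sample: a mailbox domain nested three levels deep.
    result = audit_candidates("mail.corp.example.com", ["example.com"])
    print("Resolved within your tree:", result["inside"])
    print("Outside your control:     ", result["outside"])
```

The hosts reported as "outside" are the ones a security team would want to deny at the egress proxy or DNS layer, and to watch for in outbound traffic logs.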