Autodiscover external leak → credential harvest

§ Context

Assumed environment: target organisation uses Outlook / Exchange with on-prem Autodiscover. The TLD fallback domain (autodiscover.com / autodiscover.org / similar) is registerable by the attacker.

§ Steps

1. 01
   Authenticate to OWA / EWSInitial Access

   T1078— Valid Accounts
2. 02
   Serve autodiscover XML to clientsCommand and Control

   T1071— Application Layer Protocol
3. 03
   Register the public autodiscover fallback domainResource Development

   T1583— Acquire Infrastructure
4. 04
   Log harvested credentialsCollection

   T1056— Input Capture
5. 05
   Misconfigured Outlook posts Basic-auth credsCredential Access

   EX-AUTODISCOVER-LEAK— Autodiscover Domain Hijack

§ References

• T1078Valid Accounts
• T1071Application Layer Protocol
• T1583Acquire Infrastructure
• T1056Input Capture

§ Frequently asked

What is the "Autodiscover external leak → credential harvest" attack path?

Mis-implemented Autodiscover falls back to autodiscover.<TLD>; register that domain externally, harvest plaintext Basic-auth credentials from clients that haven't been patched / configured properly. It chains 5 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Authenticate to OWA / EWS (T1078) — a initial access primitive. Assumed environment: target organisation uses Outlook / Exchange with on-prem Autodiscover.

What is the final impact of this kill-chain?

The final step lands on Misconfigured Outlook posts Basic-auth creds (EX-AUTODISCOVER-LEAK), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques2

  IMSI catcher → force 2G downgrade → SMS / call intercept

  Operate a rogue base station in the target area. Phones associate; force fallback to 2G where no mutual auth is required. Intercept SMS OTPs, sniff voice calls, push notifications fail silently.

• Shared techniques2

  Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)

  Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.

• Shared techniques2

  Build-system implant → signed supply-chain backdoor (SolarWinds-class)

  Compromise the target vendor's build server. A small implant rewrites a single source file at compile time — every official signed release downstream now ships the backdoor.

• Shared techniques2

  Process hollowing → run beacon in svchost shell

  Spawn svchost.exe suspended, unmap its image, write attacker PE into the same address space, resume — the process keeps a legit-looking PEB and command line but executes beacon code.

• Shared techniques2

  AMSI patch → in-memory .NET / PowerShell stager

  Patch AmsiScanBuffer in amsi.dll → return clean for any content. Subsequent PowerShell / Office VBA / .NET runtime calls emit attacker code without scanning.

• Shared techniques2

  certutil + bitsadmin → AV-friendly stager chain

  Initial access dropped a tiny .bat. It uses certutil to decode a base64 blob and bitsadmin to fetch the real beacon, then schtasks for persistence. Every binary is signed Microsoft.