Hold up, does this mean outlook sends your full credentials to Microsoft when you try to set up an outlook account? I'm sure they pinky promise they keep your credentials secure, but this feels like it breaks all sorts of security/privacy expectations.
> Hold up, does this mean outlook sends your full credentials to Microsoft when you try to set up an outlook account?
Not just an “outlook account” - any account in outlook, with default settings at least.
I run a mail server, mainly for me but a couple of friends have accounts on there too, and a while ago one friend reported apparently being locked out and it turned out that it was due to them switching Outlook versions and it was connecting via a completely different address to those that my whitelists expected sometimes at times when they weren't even actively using Outlook. Not only were active connections due to their interactive activity being proxied, but the IMAP credentials were stored so the MS server could login to check things whenever it wanted (I assume the intended value-add there is being able to send new mail notifications on phones/desktops even when not actively using mail?).
> but this feels like it breaks all sorts of security/privacy expectations.
It most certainly does. The behaviour can be tamed somewhat, but (unless there have been recent changes) is fully enabled by default in newer Outlook variants.
The above-mentioned friend migrated his mail to some other service in a huf as I refused to open my whitelist to “any old host run by MS” and he didn't want to dig in to how to return behaviour back to the previous “local connections only, not sending credentials off elsewhere where they might be stored”.
Basically everything microsoft makes that touches http will send your username and your password to any server that asks for Basic Authentication.
It looks like Microsoft Edge had the _ability to disable_ this added in 2020 or 2021, but it isn't currently the default and the Group Policy unintuitively only applies to unencrypted HTTP Connections.
It's more common than you might think. I know of at least one popular email client that stores your credentials on their servers to enable features like multi-account sync and scheduled sending.
Already many years ago I remember installing a firewall on my phone and noticing in surprise that Outlook was not connecting at all to my private mail server, but instead only sending my credentials to their cloud and downloading messages from there.
The only Android mail client not making random calls to cloud servers was (back then) K-9 Mail.
I think the curl -u switch just requires the password field to be filled, there obviously isn't a legit user account test@example.com with a password of password either at microsoft or at the Japanese imap server.
Not surprised. They used to have training material incentivizing professionals to use .local as TLD for Active Directory realms. Thats a reserved domain for Multicast DNS.
Working on Linux automation systems we would need to make sure to disable anything related to Avahi in our images otherwise name resolution would fail for some customers.
Haven't they been telling people to do that since before it became reserved? If so, the problem is more that you can't "reserve" something that's already in wide use, and mdns should've used something like .mdns.
It's like when .dev became a gTLD, knowingly breaking a bunch of setups for a mix of vanity and a cash grab. Obviously dropped the ball on the engineering side.
Just a guess but why do I get the feeling it’s because someone who setup sei.co.jp in Azure Entra (aka Azure AD) some how managed to add/claim the domain “example.com” against their companies tenant.
It’s clearly not using the DNS records for discovery because they don’t exist, the only other option I can see is some weird fall through or hard coded value and it seems like an odd one to pick.
I'm willing to bet they were the first user to try and add example.com to their Outlook account, and MS then just assigned it to them without verifying they own the domain.
That’s why example.com states “Avoid use in operations”, not only that could create unnecessary traffic for them as well as leak information as in situations like this.
This is why I never use these IANA-reserved domains like .test, .example, .invalid, .localhost.
I always make up some impossible domains like domain.tmptest
Otherwise you're one DNS "misconfiguration" away from sending dev logs and auth tokens to some random server.
> Since at least February 2020, Microsoft's Autodiscover service has incorrectly routed the IANA-reserved example.com to Sumitomo Electric Industries' mail servers at sei.co.jp, potentially sending test credentials there.
It so happens that in this very specific case your obviously bad choice didn't make anything worse, that doesn't make it a good choice.
"Aha, the defective trucks only cause injuries to people who have their hands on the wheel at highway speeds, but I've never bothered holding the wheel at high speed, I just YOLO so I wouldn't be affected"
If people had used IANA's reserved TLDs they too would be unaffected because although Windows will stupidly try to talk to for example autodiscover.example that can't exist by policy and so the attempt will always fail.
As others have pointed out, using 'tmptest' works until someone buys tmptest -- unlikely, but people will buy anything these days.
I always use the ISO-3166 "user-assigned" 2-letter codes (AA, QM-QZ, XA-XZ, ZZ), with the theory being that ISO-3166 Maintenance Agency getting international consensus to move those codes back to regular country codes will take longer than the heat death of the universe, so using them for internal domains is probably safe.
According to it, it seems that if someone registers autodiscover.com then example.com lacking autodiscover.example.com will make Outlook try checking if autodiscover.com has an entry.
Would that really make a difference in this case? It's a configuration error / bug in Microsoft's discovery server, they could have a fallback that goes "any unknown address, return this .jp address".
This is the same company that mishandled the Office brand (abandoned it) and is mishandling the Xbox brand (what even is an Xbox anymore?). Are we surprised?
According to it, it seems that if someone registers autodiscover.com then example.com lacking autodiscover.example.com will make Outlook try checking if autodiscover.com has an entry.
gruez|1 month ago
Hold up, does this mean outlook sends your full credentials to Microsoft when you try to set up an outlook account? I'm sure they pinky promise they keep your credentials secure, but this feels like it breaks all sorts of security/privacy expectations.
dspillett|1 month ago
Not just an “outlook account” - any account in outlook, with default settings at least.
I run a mail server, mainly for me but a couple of friends have accounts on there too, and a while ago one friend reported apparently being locked out and it turned out that it was due to them switching Outlook versions and it was connecting via a completely different address to those that my whitelists expected sometimes at times when they weren't even actively using Outlook. Not only were active connections due to their interactive activity being proxied, but the IMAP credentials were stored so the MS server could login to check things whenever it wanted (I assume the intended value-add there is being able to send new mail notifications on phones/desktops even when not actively using mail?).
> but this feels like it breaks all sorts of security/privacy expectations.
It most certainly does. The behaviour can be tamed somewhat, but (unless there have been recent changes) is fully enabled by default in newer Outlook variants.
The above-mentioned friend migrated his mail to some other service in a huf as I refused to open my whitelist to “any old host run by MS” and he didn't want to dig in to how to return behaviour back to the previous “local connections only, not sending credentials off elsewhere where they might be stored”.
brulx126|1 month ago
https://www.xda-developers.com/privacy-implications-new-micr...
butvacuum|1 month ago
It looks like Microsoft Edge had the _ability to disable_ this added in 2020 or 2021, but it isn't currently the default and the Group Policy unintuitively only applies to unencrypted HTTP Connections.
thedanbob|1 month ago
tga|1 month ago
Already many years ago I remember installing a firewall on my phone and noticing in surprise that Outlook was not connecting at all to my private mail server, but instead only sending my credentials to their cloud and downloading messages from there.
The only Android mail client not making random calls to cloud servers was (back then) K-9 Mail.
dec0dedab0de|1 month ago
Neil44|1 month ago
nhinck2|1 month ago
DANmode|1 month ago
1718627440|1 month ago
GranPC|1 month ago
Wait, does their autodetect send email and password to their servers, instead of just domain???
stronglikedan|1 month ago
technion|1 month ago
https://lolware.net/blog/2020-09-02-autodiscover-circus/
unknown|1 month ago
[deleted]
irusensei|1 month ago
Working on Linux automation systems we would need to make sure to disable anything related to Avahi in our images otherwise name resolution would fail for some customers.
ndriscoll|1 month ago
It's like when .dev became a gTLD, knowingly breaking a bunch of setups for a mix of vanity and a cash grab. Obviously dropped the ball on the engineering side.
szszrk|1 month ago
Support patiently explained .local is reserved for something else and kindly provided Wikipedia links.
They never responded why they used .local in their docs, trainings, webinars they provided, though :)
p_ing|1 month ago
philo23|1 month ago
It’s clearly not using the DNS records for discovery because they don’t exist, the only other option I can see is some weird fall through or hard coded value and it seems like an odd one to pick.
Thaxll|1 month ago
Daviey|1 month ago
irusensei|1 month ago
emmelaich|1 month ago
Not quite true, SMTP will use the A record if there is no MX.
dpifke|1 month ago
andreldm|1 month ago
charles_f|1 month ago
binaryturtle|1 month ago
philipwhiuk|1 month ago
Neil44|1 month ago
hu3|1 month ago
I always make up some impossible domains like domain.tmptest
Otherwise you're one DNS "misconfiguration" away from sending dev logs and auth tokens to some random server.
> Since at least February 2020, Microsoft's Autodiscover service has incorrectly routed the IANA-reserved example.com to Sumitomo Electric Industries' mail servers at sei.co.jp, potentially sending test credentials there.
tialaramex|1 month ago
"Aha, the defective trucks only cause injuries to people who have their hands on the wheel at highway speeds, but I've never bothered holding the wheel at high speed, I just YOLO so I wouldn't be affected"
If people had used IANA's reserved TLDs they too would be unaffected because although Windows will stupidly try to talk to for example autodiscover.example that can't exist by policy and so the attempt will always fail.
dc396|1 month ago
I always use the ISO-3166 "user-assigned" 2-letter codes (AA, QM-QZ, XA-XZ, ZZ), with the theory being that ISO-3166 Maintenance Agency getting international consensus to move those codes back to regular country codes will take longer than the heat death of the universe, so using them for internal domains is probably safe.
jsheard|1 month ago
xaerise|1 month ago
It is reserved by ICANN since 2024-07-29.
https://en.wikipedia.org/wiki/.internal https://www.ietf.org/archive/id/draft-davies-internal-tld-00...
whizzter|1 month ago
https://www.akamai.com/blog/security/autodiscovering-the-gre...
According to it, it seems that if someone registers autodiscover.com then example.com lacking autodiscover.example.com will make Outlook try checking if autodiscover.com has an entry.
It's just a braindead system.
Cthulhu_|1 month ago
larrik|1 month ago
wongarsu|1 month ago
onionisafruit|1 month ago
butz|1 month ago
1vuio0pswjnm7|1 month ago
The IPv4 for example.com used to be 93.184.216.34
Was there an announcement somewhere
1vuio0pswjnm7|1 month ago
unknown|1 month ago
[deleted]
godzillabrennus|1 month ago
unknown|1 month ago
[deleted]
rurban|1 month ago
Maybe some of their targets did use example.com for some probing, and the NSA had a hand in Sumitomo Electric Industries' mail server.
whizzter|1 month ago
https://www.akamai.com/blog/security/autodiscovering-the-gre...
According to it, it seems that if someone registers autodiscover.com then example.com lacking autodiscover.example.com will make Outlook try checking if autodiscover.com has an entry.
It's just a braindead system.