autodiscover.xml as an Indicator of Attack
Today I saw an interesting IMAP probe. These are usually background noise, occurring by the hundreds each day and mostly trying weak passwords against non-existent accounts. This particular login attempt was made on a valid alias, so I took a few seconds to dig deeper, and found an indicator of attack I hadn't seen before.
Immediately preceding the IMAP authentication attempt, the same IP address had issued one HTTP GET request and two HTTP POST requests for
/autodiscover/autodiscover.xml on the same domain (the file doesn't exist). Not being familiar with
autodiscover.xml, I looked up the documentation and it's a WPAD-like configuration discovery scheme for Outlook. Aside from people whose own Outlook clients and/or Exchange servers are spamming their own web server logs with requests, I couldn't find many people talking about seeing it in their httpd logs.
autodiscover.xml doesn't seem to be commonly scanned, spidered, or abused.
The HTTP and IMAP requests all originated at an IP allocated to mail.ru: 220.127.116.11. As far as I can tell, mail.ru doesn't offer any services that hand out IPs to their users, so this traffic can be attributed directly to mail.ru equipment. At first I suspected mail.ru must have an "add a remote account" feature like Gmail does, and someone figured out how to script it to run IMAP probes. Clever! mail.ru does, in fact, have some capability to collect mail from third-party accounts; I managed to find an English help page about using it for POP3. There's no mention of IMAP here, but their English documentation may be lacking or out of date.
If an attacker was automating scans through the mail.ru service, though, I'd expect to find more recorded incidents. There are only a smattering of reports on AbuseIPDB, and none on blocklist.de. The lack of widespread abuse activity leads me to believe this isn't an automated scan at all, but a targeted, manual probe. Someone is using mail.ru's remote collection feature to individually target specific accounts, masking the origin of the attack behind mail.ru's infrastructure.
If you don't use Outlook/Exchange and don't get any legitimate web requests for
autodiscover.xml, it might be useful to add that string to your IDS or your log watcher.