(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog



autodiscover.xml as an Indicator of Attack

Posted March 31, 2018 by shaun

Today I saw an interesting IMAP probe. These are usually background noise, occurring by the hundreds each day and mostly trying weak passwords against non-existent accounts. This particular login attempt was made on a valid alias, so I took a few seconds to dig deeper, and found an indicator of attack I hadn't seen before.

Immediately preceding the IMAP authentication attempt, the same IP address had issued one HTTP GET request and two HTTP POST requests for /autodiscover/autodiscover.xml on the same domain (the file doesn't exist here). Not being familiar with autodiscover.xml, I looked up the documentation: it's the Autodiscover service used by Outlook and Exchange, a WPAD-like configuration discovery scheme in which the client POSTs the user's e-mail address to that URL and gets back the mail server settings for the account (host names, ports, and which protocols to use). That fits the ordering I saw: find out where the mailbox lives, then try to log in to it. Aside from people whose own Outlook clients and/or Exchange servers are spamming their own web server logs with requests, I couldn't find many people talking about seeing it in their httpd logs. autodiscover.xml doesn't seem to be commonly scanned, spidered, or abused.
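To make concrete what a client (or an attacker posing as one) sends and gets back, here is the Autodiscover "POX" exchange in Python. This is an added example, not code from the original post: the request builder produces the XML body Outlook-style clients POST, and the parser pulls the per-protocol settings out of a response. The sample response is constructed for illustration (the example.org host names are made up); the namespace URIs are the ones the Outlook Autodiscover schema uses.

```python
"""Autodiscover (POX) exchange: what the client POSTs and what it learns.

Added example, not code from the original post. The sample response below
is constructed; only the schema namespace URIs are real.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

REQ_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"
RESP_NS = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"
OUTLOOK_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"


def autodiscover_urls(domain):
    """The HTTPS endpoints an Outlook-style client tries for a mail domain."""
    return [
        f"https://{domain}/autodiscover/autodiscover.xml",
        f"https://autodiscover.{domain}/autodiscover/autodiscover.xml",
    ]


def build_request(email):
    """Body of the POST to autodiscover.xml. Note it names the target mailbox."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        f'<Autodiscover xmlns="{REQ_NS}">\n'
        "  <Request>\n"
        f"    <EMailAddress>{escape(email)}</EMailAddress>\n"
        f"    <AcceptableResponseSchema>{OUTLOOK_NS}</AcceptableResponseSchema>\n"
        "  </Request>\n"
        "</Autodiscover>\n"
    ).encode("utf-8")


def parse_request_email(xml_bytes):
    """The address a request asks about (what a server-side log would capture)."""
    el = ET.fromstring(xml_bytes).find(f".//{{{REQ_NS}}}EMailAddress")
    return el.text.strip() if el is not None and el.text else None


def parse_response(xml_bytes):
    """Extract the server settings for each <Protocol> block in a response."""
    root = ET.fromstring(xml_bytes)
    settings = []
    for proto in root.iter(f"{{{OUTLOOK_NS}}}Protocol"):
        def text(tag, _p=proto):
            el = _p.find(f"{{{OUTLOOK_NS}}}{tag}")
            return el.text.strip() if el is not None and el.text else None
        settings.append({
            "type": text("Type"),
            "server": text("Server"),
            "port": int(text("Port")) if text("Port") else None,
            "ssl": text("SSL") == "on",
        })
    return settings


def imap_target(settings):
    """(host, port) an IMAP client would connect to, or None if not advertised."""
    for s in settings:
        if s["type"] == "IMAP":
            return s["server"], s["port"]
    return None


# Constructed response for alias@example.org (not from a real server).
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>IMAP</Type>
        <Server>imap.example.org</Server>
        <Port>993</Port>
        <LoginName>alias@example.org</LoginName>
        <SSL>on</SSL>
      </Protocol>
      <Protocol>
        <Type>SMTP</Type>
        <Server>smtp.example.org</Server>
        <Port>587</Port>
        <SSL>on</SSL>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
"""

if __name__ == "__main__":
    print(build_request("alias@example.org").decode())
    print(imap_target(parse_response(SAMPLE_RESPONSE)))
```

The request body is the interesting half from a defender's point of view: each POST names the mailbox being looked up, so a server that answers (or merely logs the body of) requests to that path learns exactly which addresses a prober is interested in before any password is tried.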

The HTTP and IMAP requests all originated at an IP allocated to mail.ru: 5.61.237.36. As far as I can tell, mail.ru doesn't offer any services that hand out IPs to their users, so this traffic can be attributed directly to mail.ru equipment. At first I suspected mail.ru must have an "add a remote account" feature like Gmail does, and someone figured out how to script it to run IMAP probes. Clever! mail.ru does, in fact, have some capability to collect mail from third-party accounts; I managed to find an English help page about using it for POP3. There's no mention of IMAP here, but their English documentation may be lacking or out of date.

If an attacker were automating scans through the mail.ru service, though, I'd expect to find more recorded incidents. There are only a smattering of reports on AbuseIPDB, and none on blocklist.de. The lack of widespread abuse activity leads me to believe this isn't an automated scan at all, but a targeted, manual probe. Someone is using mail.ru's remote collection feature to individually target specific accounts, masking the origin of the attack behind mail.ru's infrastructure.

If you don't use Outlook/Exchange and don't get any legitimate web requests for autodiscover.xml, it might be useful to add that string to your IDS or your log watcher. Two caveats: Outlook looks for the file under both the bare domain and the autodiscover.<domain> host, and it may use mixed case (/Autodiscover/Autodiscover.xml), so match case-insensitively; and a user who mistakenly points a mail client at your domain will generate the same hits. The stronger signal is the pattern above: an autodiscover.xml request followed shortly by an IMAP or POP3 login attempt from the same address.
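As an added example of that log-watcher check (not the author's own tooling), the script below correlates autodiscover.xml requests in an Apache/nginx combined-format access log with Dovecot login failures from the same client IP within a time window. The log lines are constructed samples using RFC 5737 documentation addresses; the assumed formats are the combined access-log format and Dovecot's imap-login/pop3-login "auth failed" syslog line. Syslog lines carry no year or zone, so the year is passed in and both logs are assumed to be in UTC.

```python
"""Correlate autodiscover.xml probes with mail login failures from the same IP.

Added example, not code from the original post. Assumes combined-format
access-log lines and Dovecot imap-login/pop3-login syslog lines, both in UTC.
The sample lines below are constructed (RFC 5737 documentation addresses).
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

HTTP_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
DOVECOT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: (?P<svc>imap|pop3)-login: "
    r".*auth failed.*user=<(?P<user>[^>]*)>.*rip=(?P<ip>[0-9A-Fa-f.:]+)"
)
AUTODISCOVER = "/autodiscover/autodiscover.xml"


def parse_http(line):
    """One combined-format access-log line -> dict, or None if it doesn't parse."""
    m = HTTP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ts = ts.astimezone(timezone.utc).replace(tzinfo=None)  # naive UTC for comparison
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def parse_dovecot(line, year):
    """One Dovecot auth-failure syslog line -> dict, or None. Year is supplied."""
    m = DOVECOT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ip": m["ip"], "ts": ts, "service": m["svc"], "user": m["user"]}


def autodiscover_hits(http_lines):
    """Group autodiscover.xml requests (any case, any query string) by client IP."""
    hits = defaultdict(list)
    for line in http_lines:
        r = parse_http(line)
        if r and r["path"].split("?", 1)[0].lower() == AUTODISCOVER:
            hits[r["ip"]].append(r)
    return hits


def correlate(http_lines, mail_lines, year, window=600):
    """Flag login failures preceded within `window` seconds by probes from the same IP."""
    hits = autodiscover_hits(http_lines)
    alerts = []
    for line in mail_lines:
        f = parse_dovecot(line, year)
        if not f or f["ip"] not in hits:
            continue
        prior = [h for h in hits[f["ip"]]
                 if 0 <= (f["ts"] - h["ts"]).total_seconds() <= window]
        if prior:
            last = max(h["ts"] for h in prior)
            alerts.append({"ip": f["ip"], "user": f["user"], "service": f["service"],
                           "probes": len(prior),
                           "delta": int((f["ts"] - last).total_seconds())})
    return alerts


# Constructed sample logs: one probe-then-login sequence and some unrelated noise.
HTTP_LOG = """\
203.0.113.7 - - [31/Mar/2018:14:02:05 +0000] "GET /autodiscover/autodiscover.xml HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [31/Mar/2018:14:02:06 +0000] "POST /autodiscover/autodiscover.xml HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [31/Mar/2018:14:02:07 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 404 209 "-" "-"
198.51.100.9 - - [31/Mar/2018:14:10:00 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "-"
"""
MAIL_LOG = """\
Mar 31 14:02:11 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alias@example.org>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS, session=<constructed>
Mar 31 09:00:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.2, TLS, session=<constructed>
"""

if __name__ == "__main__":
    for a in correlate(HTTP_LOG.splitlines(), MAIL_LOG.splitlines(), 2018):
        print(a)
```

`autodiscover_hits` alone is the "just grep for the string" check; `correlate` is the tighter one, and its window should be generous (minutes, not seconds), since the probe and the login need not come from the same process or arrive in a burst.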


XML card image by RRZEicons CC BY-SA 3.0, via Wikimedia Commons


