$this = (new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog


autodiscover.xml as an Indicator of Attack

Posted March 31, 2018 by shaun

Today I saw an interesting IMAP probe. These are usually background noise, occurring by the hundreds each day and mostly trying weak passwords against non-existent accounts. This particular login attempt was made on a valid alias, so I took a few seconds to dig deeper, and found an indicator of attack I hadn't seen before.

Immediately preceding the IMAP authentication attempt, the same IP address had issued one HTTP GET request and two HTTP POST requests for /autodiscover/autodiscover.xml on the same domain (the file doesn't exist). Not being familiar with autodiscover.xml, I looked up the documentation and it's a WPAD-like configuration discovery scheme for Outlook. Aside from people whose own Outlook clients and/or Exchange servers are spamming their own web server logs with requests, I couldn't find many people talking about seeing it in their httpd logs. autodiscover.xml doesn't seem to be commonly scanned, spidered, or abused.

The HTTP and IMAP requests all originated at an IP allocated to mail.ru: 5.61.237.36. As far as I can tell, mail.ru doesn't offer any services that hand out IPs to their users, making it likely that the traffic came directly from mail.ru equipment. At first I suspected mail.ru must have an "add a remote account" feature like Gmail does, and someone figured out how to script it to run IMAP probes. Clever! mail.ru does, in fact, have some capability to collect mail from third-party accounts; I managed to find an English help page about using it for POP3. There's no mention of IMAP here, but their English documentation may be lacking or out of date.

If an attacker were automating scans through the mail.ru service, though, I'd expect to find more recorded incidents. There are only a smattering of reports on AbuseIPDB, and none on blocklist.de. The lack of widespread abuse activity leads me to believe this isn't an automated scan at all; instead, someone is using mail.ru's remote collection feature to manually target specific accounts.

If you don't use Outlook/Exchange and don't get any legitimate web requests for autodiscover.xml, it might be useful to add that string to your IDS or your log watcher.
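One way to put that advice into practice, as an added example that is not part of the original post: a small Python log watcher that pulls autodiscover.xml requests out of an Apache "combined" access log and flags any source IP that goes on to attempt an IMAP login within a configurable window, which is exactly the sequence described above. The log lines embedded below are constructed; the IMAP side assumes Dovecot-style `imap-login` messages, so adjust `IMAP_LINE` for a different mail server.

```python
"""Flag IPs that request /autodiscover/autodiscover.xml and then try an IMAP login.

Added example; the sample log lines are constructed and the Dovecot-style
imap-login format is an assumption about the reader's mail server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Apache "combined" access log lines (documentation-range IPs).
ACCESS_LOG = """\
192.0.2.10 - - [31/Mar/2018:10:14:02 +0000] "GET /autodiscover/autodiscover.xml HTTP/1.1" 404 209 "-" "Microsoft Office/16.0"
192.0.2.10 - - [31/Mar/2018:10:14:03 +0000] "POST /autodiscover/autodiscover.xml HTTP/1.1" 404 209 "-" "Microsoft Office/16.0"
192.0.2.10 - - [31/Mar/2018:10:14:03 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 404 209 "-" "Microsoft Office/16.0"
198.51.100.7 - - [31/Mar/2018:10:20:45 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Mar/2018:11:02:10 +0000] "GET /autodiscover/autodiscover.xml HTTP/1.1" 404 209 "-" "curl/7.58.0"
"""

# Constructed Dovecot-style imap-login lines (syslog timestamps carry no year).
MAIL_LOG = """\
Mar 31 10:14:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alias@example.net>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, TLS
Mar 31 10:30:00 mx dovecot: imap-login: Login: user=<bob@example.net>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.2, TLS
Mar 31 11:45:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
"""

ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
IMAP_LINE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: imap-login: '
    r'(?P<outcome>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[\d.]+)'
)
AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def _utc_naive(dt):
    """Normalise an aware datetime to naive UTC so both logs compare directly."""
    return dt.astimezone(timezone.utc).replace(tzinfo=None)


def autodiscover_probes(access_log):
    """Return {ip: [(datetime, method, status), ...]} for autodiscover.xml requests.

    The path is compared case-insensitively (clients use both /autodiscover/ and
    /Autodiscover/) and any query string is ignored.
    """
    probes = defaultdict(list)
    for line in access_log.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].lower()
        if path != AUTODISCOVER_PATH:
            continue
        ts = _utc_naive(datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"))
        probes[m.group("ip")].append((ts, m.group("method"), int(m.group("status"))))
    return dict(probes)


def imap_attempts(mail_log, year):
    """Return [(ip, datetime, user, succeeded), ...] from imap-login lines.

    Syslog timestamps have no year, so the caller supplies it; times are assumed UTC.
    """
    attempts = []
    for line in mail_log.splitlines():
        m = IMAP_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        attempts.append((m.group("ip"), ts, m.group("user"), m.group("outcome") == "Login"))
    return attempts


def correlate(access_log, mail_log, year, window=timedelta(minutes=30)):
    """Report every autodiscover.xml prober, plus those followed by an IMAP login attempt.

    An IP lands in "followed_by_imap" when any IMAP attempt from it occurs within
    `window` after one of its autodiscover.xml requests (successful logins count too,
    since a valid alias being hit after a probe is the interesting case).
    """
    probes = autodiscover_probes(access_log)
    attempts = imap_attempts(mail_log, year)
    followed = {}
    for ip, hits in probes.items():
        for a_ip, a_ts, user, ok in attempts:
            if a_ip != ip:
                continue
            if any(0 <= (a_ts - h_ts).total_seconds() <= window.total_seconds()
                   for h_ts, _, _ in hits):
                followed.setdefault(ip, []).append((a_ts, user, ok))
    return {"autodiscover_probes": probes, "followed_by_imap": followed}


if __name__ == "__main__":
    report = correlate(ACCESS_LOG, MAIL_LOG, year=2018)
    for ip, hits in report["autodiscover_probes"].items():
        print(f"{ip}: {len(hits)} autodiscover.xml request(s)")
    for ip, logins in report["followed_by_imap"].items():
        for ts, user, ok in logins:
            print(f"  {ip} -> IMAP {'login' if ok else 'auth failure'} for {user} at {ts}")
```

With the constructed data, 192.0.2.10 is reported under both keys (three probes, then an IMAP failure seven seconds later), while 203.0.113.5 appears only as a prober because its IMAP attempt falls outside the 30-minute window. In production you would feed the functions real log files and, for sites that never serve autodiscover.xml, treat even the probe list alone as worth alerting on, as the post suggests.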
