Microsoft Accidentally Routed Outlook Email Credentials to Japanese Domains
Microsoft inadvertently routed email setup traffic for accounts on arbitrary domains, including those not owned by the company, to subdomains belonging to sei.co.jp, a Japanese IT firm. The issue, which surfaced earlier this month, potentially exposed user credentials to an unintended third party.
The problem was first reported by security researcher Michael Taggart, who noticed the misrouting while setting up test accounts in Outlook. As detailed in a report by Ars Technica, adding accounts on domains like “example.com”, such as “test@example.com”, resulted in Outlook attempting to connect to imapgms.jnet.sei.co.jp and smtpgms.jnet.sei.co.jp for email configuration.
Here’s an example of the configuration data observed:
[
  {"name":"example.com","host":"imapgms.jnet.sei.co.jp","port":993,"encryption":"ssl","username":"email@example.com","validated":false},
  {"name":"example.com","host":"smtpgms.jnet.sei.co.jp","port":465,"encryption":"ssl","username":"email@example.com","validated":false}
]
The root cause appears to be a misconfiguration within Microsoft’s Autodiscover service, which is designed to automatically configure email client settings. Autodiscover is a feature of Microsoft Exchange Server that allows email clients to discover server settings without manual configuration.
“I’m admittedly not an expert in Microsoft’s internal workings, but this appears to be a simple misconfiguration,” Taggart stated on the social media platform Mastodon. “The result is that anyone who tries to set up an Outlook account on an example.com domain might accidentally send test credentials to those sei.co.jp subdomains.”
When questioned about the issue, a Microsoft representative initially offered no explanation. However, by Monday, the improper routing had ceased. As of Monday morning, the representative still had not provided a reason for the misconfiguration.
While the issue was resolved relatively quickly, the incident raises concerns about the potential for unintended data exposure due to configuration errors in widely used services like Microsoft Outlook. It highlights the importance of robust testing and monitoring of Autodiscover and similar automated configuration systems.
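As an added example (not code from the article, from Microsoft, or from Taggart's report), the following Python check parses configuration data in the shape quoted above and flags any entry whose mail host lies outside the account's own domain, which is the condition under which credentials would be handed to a third party. The function names and the `approved` allowlist of legitimate external mail providers are assumptions made for illustration.

```python
import json

# The configuration data quoted in the article, reproduced as sample input.
OBSERVED = json.dumps([
    {"name": "example.com", "host": "imapgms.jnet.sei.co.jp", "port": 993,
     "encryption": "ssl", "username": "email@example.com", "validated": False},
    {"name": "example.com", "host": "smtpgms.jnet.sei.co.jp", "port": 465,
     "encryption": "ssl", "username": "email@example.com", "validated": False},
])


def under(host, suffix):
    """True if host equals suffix or is a subdomain of it (dot-boundary match)."""
    host, suffix = host.lower().rstrip("."), suffix.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def audit_mail_config(raw_json, approved=None):
    """Flag entries whose mail host is outside the account's own domain and
    outside the approved provider suffixes for that domain.

    approved: hypothetical allowlist {account_domain: [host suffixes]} for
    domains whose mail is legitimately hosted elsewhere.
    """
    approved = approved or {}
    findings = []
    for entry in json.loads(raw_json):
        user = entry.get("username", "")
        # Prefer the domain of the address the credentials belong to.
        domain = (user.rsplit("@", 1)[1] if "@" in user
                  else entry.get("name", "")).lower()
        host = entry.get("host", "")
        allowed = [domain] + list(approved.get(domain, []))
        if not domain or not host or not any(under(host, s) for s in allowed):
            findings.append({"account_domain": domain, "host": host,
                             "port": entry.get("port"),
                             "validated": entry.get("validated")})
    return findings


if __name__ == "__main__":
    for finding in audit_mail_config(OBSERVED):
        print("credentials would be sent off-domain:", finding)
```

Note that both flagged entries specify "ssl": transport encryption protects the credentials in transit but not from the server that receives them.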