Comment by GranPC
1 month ago
> Microsoft's Autodiscover service misconfiguration can be confirmed via curl -v -u "email@example.com:password" "https://prod.autodetect.outlook.cloud.microsoft/autodetect/d..."
Wait, does their autodetect send the email and password to their servers, instead of just the domain???
See replies to a similar question here (in case you haven't already): https://news.ycombinator.com/item?id=46732623
Autodiscover has always been an interesting security problem. I wrote this years ago:
https://lolware.net/blog/2020-09-02-autodiscover-circus/