Microsoft Exchange Autodiscover Credential Harvest for 2026-03-04
Mar 04, 2026
WebExploit
Last Updated: 12:10 UTC
Requests to /Autodiscover/Autodiscover.xml harvest Exchange credentials from Outlook clients that auto-negotiate mail settings. Any host responding to this path can capture NTLM or Basic auth credentials. Also used in ProxyLogon reconnaissance.
CVE References
MITRE ATT&CK
Tactic: Credential Access (TA0006)
Technique: T1114.002 — Remote Email Collection
Observed URIs
/Autodiscover/Autodiscover.xml
Attackers by Country
IP Address : ASN : City/Provider
- 198.167.197.194 : AS39287 ab stract : Sweden