Microsoft Exchange Autodiscover Credential Harvest for 2026-03-12

Last Updated: 12:11 UTC

Requests to /Autodiscover/Autodiscover.xml harvest Exchange credentials from Outlook clients that auto-negotiate mail settings. Any host responding to this path can capture NTLM or Basic auth credentials. Also used in ProxyLogon reconnaissance.

CVE References

CVE-2021-26855

MITRE ATT&CK

Tactic: Credential Access (TA0006)
Technique: T1114.002 — Remote Email Collection

Observed URIs

  • /Autodiscover/Autodiscover.xml

Attackers by Country

IP Address : ASN : City/Provider

Share on: