Thanks to James Cope and Rajeev Kapur of Sophos IT for their help with this article.

September 2018 release.

Click OK in the Outlook Options dialog box.

Outlook 2016 Beginner Tutorial. Using the drop-down lists in the Replies and forwards group, specify whether Outlook should include the original message text when you reply to or forward a message. In the Outlook Options dialog box, choose the Mail tab and then scroll to see the Replies and forwards group.
Outlook 2016 Comments Password And Sending

Click on Disable Autodiscover, choose and turn on Exclude the query for the AutoDiscover domain.

The data returned by that SRV record is, like the previous two items, under the control of the owner of the naksec.test domain, given that the DNS name is a subdomain of naksec.test.

According to Guardicore, however, in their tests – perhaps conducted with an older version of Windows and Outlook, but we’re not sure – there was an extra step in the process, namely that if both of these sites failed…

Autodiscover.naksec.test Administrative Templates > Microsoft Outlook 2016 > Account Settings > Exchange.

Opening form in setup process.

If you’ve ever gone through the process, you’ve probably seen the two simple setup screens above, where you put in your email address, tell it you’re looking for an Exchange server, and Outlook goes out and autodiscovers the configuration details for you.

Microsoft’s autodiscover process can include numerous different steps, as explained in its own Autodiscover documentation, and different apps may use slightly different variants on Microsoft’s central theme.

For email accounts, Autodiscover typically involves creating a short list of URLs where configuration file data can be expected, and then trying to access those URLs and fetch the setup data that’s stored there, until one of them succeeds (or all of them fail).

For an email address such as the one shown above, the documentation suggests that you’d look for the following configuration files:

Indeed, when we tried setting up Outlook 2016 on a network with no autodiscover files or servers present, and where we therefore expected Outlook to go through its entire repertoire of possible autodiscover file locations, we observed it looking for the following sequence of network names within our own domain:

The last request above was a DNS lookup known as an SRV record, a common way of looking up server names for specific services, including autodiscover, in
Microsoft domains.

The numbers below represented the following: an email sent from Outlook 2016 for Mac using a.

Researchers at a cybersecurity startup called Guardicore just published a report about an experiment they conducted over the past four months, in which they claim to have collected hundreds of thousands of Exchange and Windows passwords that were inadvertently uploaded to their servers by unsuspecting Outlook users from a wide range of company networks.

The problem, according to the researchers, is down to a Microsoft feature known as Autodiscover, which is used by various parts of Windows, notably Outlook, to simplify the setup of new accounts.

For example, if I want to hook up Outlook on my laptop to “the Exchange server” that’s run by IT, I don’t need to know and type in a whole pile of technical specifications correctly before I get as far as setting up a password and sending my first email.

The minimum supported macOS for Office 2016 for Mac is 10.10 (Yosemite). Select a small group of fonts to install, and then click Add. It will be supported with security updates and bug fixes, as needed, until October 13, 2020.

(FWIW, at the time of writing, SophosLabs blocks autodiscover.com as a suspicious domain anyway, along with various other domains that have apparently already been associated with dubious data collection, though I don’t have a complete list ATM.) Hope this helps.
Because there are too many possibilities now that top-level domains aren’t limited to countries but include companies, brand names, activities and more, you could simply limit your list to domains on which your company does operate email domains, given that it is unlikely – though admittedly not impossible – that a user looking to set up an account on “yourname.example.com” would type in “yourname.example.uk” by mistake… and, of course, if they did that then they would be misdirecting their traffic to a domain someone else could already have registered anyway.

In other words, if you are worried about “yourname.example.com” turning into “autodiscover.com” even though a user did everything correctly, because your true domain is “example.com”, I suggest that blocking “autodiscover.com” is probably a good starting point if you can’t block all of them.

(Once again, we also tested this behaviour with realistic external TLD and 2LD domains.)

So although we couldn’t get our own workaround (based on Microsoft’s documentation) to work… we simply couldn’t get the “Autodiscover Great Leak” hack to work in the first place either (based on Guardicore’s paper).

Whether that means you’re safe as long as you are using Office 2016, and Guardicore is wrong, we can’t be sure.

We can only tell you that it’s what we observed on a standalone Windows 10 Enterprise computer when we tried to connect to a non-existent Exchange server and watched Outlook run through its autodiscover list – our result was different from the behaviour described by Guardicore.

If you have earlier versions of Outlook, or other email clients that you can try on your own network while monitoring the network requests from the relevant app, we’d love you to share your results below!

I’m afraid we’re not in a position to give product support on Naked Security… you’ll need to go through your usual support
channels.

If you can’t cover all “autodiscover.*” domains in your blocklist (e.g. Co.za.)

The good news is that we were unable to provoke Outlook to visit any domains that would have been outside our own network.

In other words, using an email domain of naksec.test, we were unable to get Outlook to try autodiscover.test, even after autodiscover.naksec.test had failed. (We also tried with realistic external TLD and 2LD domains, e.g.fr and.

What we observed

As simple as the Group Policy workaround might sound, and as much as Microsoft’s own help file for Office group policy settings seems to reassure you that the setting we’ve listed will suppress the use of “autodiscover” domain names… we have to say that this wasn’t how things worked out in our own (necessarily brief) tests.

The bad news is that, even after setting the excludehttpsautodiscoverdomain option, we nevertheless observed Outlook 2016 trying to locate autodiscover.naksec.test in our experiments.
Author: Jason