by GranPC 147 days ago
> Microsoft's Autodiscover service misconfiguration can be confirmed via curl -v -u "email@example.com:password" "https://prod.autodetect.outlook.cloud.microsoft/autodetect/d..."

Wait, does their autodetect send email and password to their servers, instead of just the domain???

2 comments

See replies to a similar question here (in case you haven't already): https://news.ycombinator.com/item?id=46732623

Autodiscover has always been an interesting security problem. I wrote this years ago:

https://lolware.net/blog/2020-09-02-autodiscover-circus/