Microsoft Outlook Incorrectly Routes Example.com to Real Company's Mail Servers
By
mrled
Hot, fresh, and worth queueing round the block for.
Summary
Microsoft's Outlook email client has been incorrectly routing the IANA-reserved example.com domain to Sumitomo Electric Industries' mail servers since at least February 2020. When users set up [email protected] as a dummy account, Outlook's Autodiscover service automatically configures it to use Sumitomo's servers (imapgms.jnet.sei.co.jp and smtpgms.jnet.sei.co.jp), potentially sending test credentials to a real company's infrastructure. This violates the purpose of example.com as a reserved domain for documentation and testing that should never resolve to actual services.
Key quotes
· 3 pulledSince at least February 2020, Microsoft's Autodiscover service has incorrectly routed the IANA-reserved example.com to Sumitomo Electric Industries' mail servers at sei.co.jp, potentially sending test credentials there.
Outlook consistently auto-configured it to use imapgms.jnet.sei.co.jp (IMAP) and smtpgms.jnet.sei.co.jp (SMTP) despite example.com being an IANA-reserved domain that should not resolve to real services.
The same behavior appeared on different machines, profiles, networks, and even different Microsoft accounts, suggesting this is a systemic issue with Microsoft's Autodiscover service rather than a local configuration problem.
You might also wanna read
Microsoft zero-day feud escalates as researcher threatens major exploit release on July 14
The ongoing feud between Microsoft and security researcher Nightmare Eclipse (aka Chaotic Eclipse) has escalated, with the researcher having
theregister.com·23h agoMicrosoft zero-day feud escalates as researcher threatens major exploit release on July 14
The ongoing feud between Microsoft and security researcher Nightmare Eclipse (aka Chaotic Eclipse) has escalated, with the researcher having
theregister.com·23h ago
Microsoft condemns uncoordinated Windows zero-day releases, researcher threatens further disclosures
Microsoft has responded to a campaign of uncoordinated Windows zero-day vulnerability releases by a pseudonymous researcher known as Nightma
therecord.media·1d ago
Microsoft criticizes uncoordinated disclosure of six zero-day vulnerabilities
Microsoft has criticized the irresponsible disclosure of six zero-day vulnerabilities in its products, named BlueHammer, GreenPlasma, MiniPl
briefly.co·2d ago
Microsoft threatens legal action over unpatched Windows zero-day disclosures
Microsoft is threatening legal action against security researchers who publicly disclose unpatched Windows zero-day vulnerabilities. The com
heise.de·2d ago
AI discovers 271 Firefox vulnerabilities, signaling security debt repayment
Mozilla discovered 271 previously unknown Firefox vulnerabilities in just days using AI-powered testing, bugs that millions of automated tes