An issue in WPAD proxy auto-configuration was first discovered by Maxim Andreev back in 2015 at the MailRu Group security meet-up and then presented by Maxim Goncharov at BlackHat US 2016 (slides).
I really liked all of the above discoveries, so I looked a little in the same direction for other protocols that use the same mechanisms. The Lync/Skype for Business service was one of them. Please find the results of this study below.
To understand Lync autodiscovery I highly recommend reading these two articles:
Skype for Business: DNS requirements
Skype for Business and Lync 2013 are similar in how the client finds and accesses services in Skype for Business Server…
Lync 2013 Client Autodiscover
A recent NextHop article explains in some detail the fact that the new Windows Store Lync client only supports the…
To check how many clients are vulnerable to this issue I registered the following domains:
And then started Nginx to listen for what would happen... And the traffic came in! About 3168 requests from Jun 19 to Jun 24.
Please find the list of vulnerable clients (from the User-Agent header):
I sent all the details to Microsoft on Jul 14 2017 (MSRC Case 39311 TRK:0461001598) and received the answer that it's not an issue:
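To show what this experiment measures, here is an added example (not code from the original post): it derives the autodiscover hostnames a client will look up from the domain part of a sign-in address, flags a "domain" that is really a bare TLD (the case where lyncdiscover.<tld> is answered by whoever holds that name), and tallies autodiscover requests per host and User-Agent from Nginx log lines. The log lines, User-Agent strings and the `$host` field appended to the combined format are constructed for the example.

```python
import re
from collections import Counter

# Hostnames the Lync/Skype for Business client tries for autodiscover,
# built from the domain part of the sign-in address (per Microsoft's DNS docs).
AUTODISCOVER_PREFIXES = ("lyncdiscoverinternal", "lyncdiscover")

def sip_domain(sign_in_address):
    """Return the normalised domain part of a SIP sign-in address (user@domain)."""
    if "@" not in sign_in_address:
        raise ValueError("sign-in address must contain '@'")
    return sign_in_address.rsplit("@", 1)[1].strip().lower()

def autodiscover_hosts(sign_in_address):
    """Hostnames the client will query, in the order it tries them."""
    return [f"{p}.{sip_domain(sign_in_address)}" for p in AUTODISCOVER_PREFIXES]

def is_bare_tld(domain):
    """True when the 'domain' has no dot (e.g. 'biz'), so the autodiscover
    lookup goes to lyncdiscover.<tld>, which is a registrable second-level
    name rather than something the user's organisation controls."""
    return "." not in domain.strip(".")

# Constructed Nginx "combined" log lines with $host appended (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jun/2017:10:01:02 +0000] "GET /Autodiscover/AutodiscoverService.svc/root HTTP/1.1" 404 0 "-" "UCCAPI/16.0.7967.5273 OC/16.0.7967.2139 (Skype for Business)" lyncdiscover.biz
203.0.113.11 - - [20/Jun/2017:10:05:40 +0000] "GET /Autodiscover/AutodiscoverService.svc/root HTTP/1.1" 404 0 "-" "UCCAPI/16.0.7967.5273 OC/16.0.7967.2139 (Skype for Business)" lyncdiscover.biz
198.51.100.7 - - [21/Jun/2017:08:12:09 +0000] "GET /Autodiscover/AutodiscoverService.svc/root HTTP/1.1" 404 0 "-" "UCCAPI/15.0.4945.1000 OC/15.0.4945.1000 (Microsoft Lync)" lyncdiscover.org
198.51.100.9 - - [21/Jun/2017:09:00:00 +0000] "GET / HTTP/1.1" 404 0 "-" "Mozilla/5.0" lyncdiscover.biz
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \d+ "[^"]*" '
                    r'"(?P<ua>[^"]*)" (?P<host>\S+)$')

def summarize(log_text):
    """Count autodiscover requests per (host, user-agent); other paths are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or "autodiscover" not in m["path"].lower():
            continue
        counts[(m["host"], m["ua"])] += 1
    return counts

if __name__ == "__main__":
    print(autodiscover_hosts("alice@biz"), is_bare_tld(sip_domain("alice@biz")))
    for (host, ua), n in summarize(SAMPLE_LOG).most_common():
        print(n, host, ua)
```

Running the same tally over a real access log is a quick way to confirm whether sign-ins in your own organisation are leaking autodiscover lookups to domains you do not control.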
Based on the team’s analysis of the code and the log you provided, it appears that you are seeing these requests due to the usernames being entered incorrectly. The logins consist of only a username and a TLD (biz, org, info, etc.) with no domain specified. This is not a vulnerability, as user input cannot be controlled to ensure that a valid domain is entered in the request. The one domain that does appear in the log you provided has a misconfigured DNS entry which is why you are seeing the requests.
The End! But I'm still not sure it's just users' typos, given the large number of requests.