Skip to Content

Microsoft Autodiscover Misrouting of example.com Reveals Configuration Oversight

An investigation into why Microsoft’s Autodiscover service returned Sumitovo Electric hostnames for the test domain example.com, the timeline of the issue, and the broader lessons for cloud service configuration.
31 January 2026 by
TechStora Editorial Board

Background

Under RFC2606 the domain example.com is reserved for documentation and testing. It should never resolve to real services or expose operational data.

What Happened

For an extended period, Microsoft’s Autodiscover endpoint returned JSON responses that listed mail server hostnames belonging to the Japanese industrial‑cable company Sumitomo Electric (sei.co.jp). The responses were triggered when test credentials using example.com were submitted.

  • Requests initially produced no explanation from Microsoft.
  • Traffic was routed to Sumitomo‑operated servers rather than any Microsoft infrastructure.
  • The behavior ceased by early Monday morning, but Microsoft did not immediately explain the cause.

Technical Details

The Autodiscover service mistakenly included suggested server information for the reserved domain, violating RFC2606 expectations. The JSON payload contained entries such as:

  • mail.sei.co.jp
  • outlook.sei.co.jp

These hostnames were unrelated to Microsoft 365 or any email service Microsoft provides.

Impact and Microsoft’s Response

While no evidence of malicious intent or credential leakage was found, the incident raised concerns about:

  • Long‑standing configuration drift within a critical cloud service.
  • Insufficient auditing of Autodiscover records.
  • Potential exposure of internal routing logic.

Microsoft later confirmed that the service had been updated to stop providing server suggestions for example.com and that the investigation remained ongoing.

Lessons Learned

  • Reserved domains must be explicitly excluded from production configurations.
  • Regular audits of autodiscover and DNS records are essential to prevent hidden misconfigurations.
  • Transparent communication from service providers helps mitigate user concerns during incidents.

Conclusion

The episode serves as a reminder that even large cloud providers can harbor legacy settings that surface in unexpected ways. Ongoing vigilance and rigorous testing are required to ensure that reserved domains like example.com remain purely for documentation purposes.