> Microsoft's Autodiscover service misconfiguration can be confirmed via curl -v -u "[email protected]:password" "https://prod.autodetect.outlook.cloud.microsoft/autodetect/d..."
Wait, does their autodetect send the email and password to their servers, instead of just the domain???
See replies to a similar question here (in case you haven't already): https://news.ycombinator.com/item?id=46732623