5.1 Security Considerations for Implementers

There are many possible DNS spoofing attacks. For this reason, clients are strongly advised against using non-SSL URIs unless they have the consent of the user. Administrators are strongly advised to provide Autodiscover data only via HTTPS.