Microsoft bug exposes 400 million Outlook and Office 360 accounts

Share this…


The investigator who discovered the error will be rewarded by the company

Sahad Nk, a digital forensics expert from India and partner in a cybersecurity firm, has received a reward from Microsoft as part of the company’s bug report program thanks to the discovery and reporting of a series of critical vulnerabilities present in Microsoft accounts.

The vulnerabilities were present in the users’ Microsoft accounts, from Office files to Outlook emails, according to digital forensics specialists from the International Institute of Cyber Security. In other words, all kinds of Microsoft accounts (over 400 million) and all kinds of data were exposed to hacking. If chained, the bugs would become the perfect attack vector to access the Microsoft account of any user; all the attacker required was for the user to click on a link.

According to the report published by Sahad Nk, a Microsoft sub-domain ( was not properly configured, allowing it to take control using a CNAME record, a record that connects one domain to another. Using the log, Sahad was able to locate the poorly configured subdomain and link it to his personal Azure instance to get full control of the subdomain and all of its data.

Although this already seems serious by itself, the real problem for Microsoft is that the applications of Office, Sway and Store could be deceived with relative ease to transfer their login tokens to other domains in control of possible attackers when a user logs into their Microsoft account.

As soon as the victim interacts with the specially designed link received by email, it will log into the Microsoft Live registration system. When victims enter their user name, password and 2FA code (if enabled) an account access token will be generated allowing users to login without re-entering their credentials.

If someone gets this access token, it’s like getting user’s credentials itself, the digital forensics experts mentioned. Therefore, an attacker can easily enter the account without alerting the original owner or alerting Microsoft about the unauthorized access.

The malicious link is designed in a way that forces the Microsoft login system to transfer the account token to the controlled subdomain. In this case, the subdomain was controlled by Sahad; however, if a malicious attacker controlled it, it was possible to put a large number of Microsoft accounts at risk. The most disturbing thing is that the malicious link seems authentic because the user is still entering through the legitimate Microsoft login system.

The bug was corrected by Microsoft shortly after receiving the report; the amount of the bounty that the company gave to the expert was not disclosed.