Be careful with any email sent from a microsoft.com domain. Multiple Microsoft subdomains hijacked; 650 domains affected

Multiple information security training firms, researchers and instructors recently reported a serious vulnerability affecting more than 600 subdomains belonging to Microsoft; successful exploitation of this flaw would allow these sites to be hijacked for malicious purposes. Despite repeated reports, the tech giant showed no interest in fixing it.

Microsoft’s lack of interest in the issue, and the possibility that threat actor groups would step in, led researchers at the security firm Vulnerability to hijack some of the affected domains themselves, in order to hold Microsoft accountable for poor DNS hygiene.

In total, the researchers managed to take control of ten subdomains, including addresses such as:

  • mybrowser.microsoft.com
  • data.teams.microsoft.com
  • admin.recognition.microsoft.com
  • identityhelp.microsoft.com
  • among others

In addition, information security training participants note that the total number of exposed domains has since risen to 670.

In their report, the experts explain that it was easy to determine where each subdomain was supposed to point, because Microsoft hosts them on Azure; for example, mybrowser.microsoft.com is a CNAME for browserver.azurewebsites.net. The researchers focused on subdomains whose Azure targets no longer served any website.

When Microsoft stops using a particular subdomain, the DNS record is left in place, so all a threat actor has to do is create an Azure account and claim the name browserver.azurewebsites.net. That lets them host any content they like under the Microsoft subdomain, such as sites laced with invasive or malicious advertising, or Microsoft-branded phishing pages built to harvest usernames and passwords from the company's employees and customers.
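The defensive counterpart of the situation described above is a routine audit of your own zone for dangling CNAME records: entries that still point at a cloud hostname nobody controls any more. The following script is an added example written for this article, not code from the original report or from Microsoft; it assumes a DNS inventory of (subdomain, CNAME target) pairs, uses example.com as a stand-in zone, and takes the resolver as a parameter so it runs offline against a constructed table (swap in `live_resolver` to query real DNS). Only azurewebsites.net is named on the page; the other claimable suffixes listed are an assumption.

```python
"""Dangling-CNAME audit for a DNS zone.

A subdomain is flagged as "dangling" when its CNAME points at a cloud hostname
that anyone could register (e.g. *.azurewebsites.net) and that no longer
resolves. That is exactly the condition that makes a subdomain takeover possible,
so each such record should be deleted or its target re-provisioned.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Suffixes where a released name can be claimed by any account holder.
# azurewebsites.net comes from the article; the others are assumed examples.
CLAIMABLE_SUFFIXES = ("azurewebsites.net", "cloudapp.net", "trafficmanager.net")


@dataclass
class Finding:
    subdomain: str
    target: str
    status: str  # "dangling" | "ok" | "not-cloud"


def normalize(host: str) -> str:
    """Strip the trailing dot DNS uses and lower-case for comparison."""
    return host.rstrip(".").lower()


def is_claimable(target: str) -> bool:
    """True if the CNAME target lives under a suffix anyone can register."""
    t = normalize(target)
    return any(t == s or t.endswith("." + s) for s in CLAIMABLE_SUFFIXES)


def live_resolver(host: str) -> bool:
    """Real check: does the target currently resolve? (network required)"""
    try:
        socket.gethostbyname(normalize(host))
        return True
    except socket.gaierror:
        return False


def audit(records: Iterable[Tuple[str, str]],
          resolves: Callable[[str], bool]) -> List[Finding]:
    """Classify every (subdomain, cname_target) pair in the inventory."""
    findings = []
    for sub, target in records:
        if not is_claimable(target):
            status = "not-cloud"          # outside scope of this check
        elif resolves(target):
            status = "ok"                 # target still provisioned
        else:
            status = "dangling"           # claimable AND unresolvable
        findings.append(Finding(normalize(sub), normalize(target), status))
    return findings


def dangling_subdomains(findings: List[Finding]) -> List[str]:
    """Names that need remediation: delete the CNAME or reclaim the target."""
    return [f.subdomain for f in findings if f.status == "dangling"]


# --- constructed sample data (hypothetical zone, not real records) ----------
SAMPLE_RECORDS = [
    ("www.example.com", "edge.example.net."),                  # not a cloud target
    ("portal.example.com", "portal-live.azurewebsites.net."),  # still provisioned
    ("legacy.example.com", "legacy-old.azurewebsites.net."),   # decommissioned app
]
# Constructed stand-in for DNS: only this target "resolves" in the offline run.
CONSTRUCTED_LIVE_HOSTS = {"portal-live.azurewebsites.net"}


def offline_resolver(host: str) -> bool:
    return normalize(host) in CONSTRUCTED_LIVE_HOSTS


if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS, offline_resolver):
        print(f"{f.status:9} {f.subdomain} -> {f.target}")
    print("remediate:", dangling_subdomains(audit(SAMPLE_RECORDS, offline_resolver)))
```

Run it as a scheduled job against an export of your zone; a finding of `dangling` means the CNAME should be removed before the subdomain is retired, or the Azure resource recreated under your own subscription so the name is no longer free for anyone else to claim.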

Information security training instructors confirmed that this is a very simple procedure requiring minimal technical knowledge (a complete hijack takes less than an hour), so malicious use of these subdomains is a realistic threat.

As already mentioned, the company does not appear interested in correcting this cybersecurity threat, even though the researchers say the fix would be trivial for Microsoft. According to the International Institute of Cyber Security (IICS), there is still time to secure the exposed subdomains, but it may be only a matter of time before cybercriminals move in.