Vullnerability researchers found about 700 problematic Microsoft subdomains and captured one of them for demonstration.Michel Gaschet, an information security specialist, reported about the problem back in February, and has been informing Microsoft of its many vulnerable subdomains for many years.
“The company has thousands of subdomains at its disposal, many of which can be hacked and used to attack users, employees of the company itself, as well as to distribute spam, malware, phishing attacks and other types of fraud”, – wrote Michel Gaschet.
Most often, in such cases the talk is about subdomains with incorrectly configured DNS records. Therefore, DNS records for a subdomain may point to a domain that no longer exists. As a result, anyone who uses this non-existent domain will be able to take control of the subdomain.
Thus, an attacker can redirect visitors from the captured subdomain to a phishing site, steal their credentials and other confidential information, trick them into installing malware, and so on.
For example, the mybrowser.microsoft.com subdomain points to webserver9000.azurewebsites.net although this server instance has been closed long time ago. Exactly in such cases, attackers can take advantage of the subdomains They set up an Azure account and request the hostname webserver9000 or webserver9000.azurewebsites.net. As a result, when people go to mybrowser.microsoft.com, they are redirected to the criminals-owned webserver9000.azurewebsites.net, where victims can be offered, for example, downloading malware under the guise of a browser update.
“Most often, the company either ignores these messages, or responds to problems of large subdomains, such as cloud.microsoft.com and account.dpedge.microsoft.com, but ignores smaller ones”, – reported Michel Gaschet.
Now, Vullnerability company specialists have spoken about the same problem from their position. They created an automated system that scans all subdomains for a number of important Microsoft domains. This scan revealed more than 670 subdomains that can be captured according to the described above scheme.
It is not yet known whether hackers are investigating Microsoft subdomains for this vulnerability, but there is definitely evidence that attackers scan network for vulnerable Microsoft Exchange servers.
The experts attached a video to their report demonstrating how the attack works.
Researchers notified Microsoft about a dozen of vulnerable subdomains, and the company took measures to prevent their capture. Among them were: identityhelp.microsoft.com, mybrowser.microsoft.com, webeditor.visualstudio.com, data.teams.microsoft.com and sxt.cdn.skype.com.
However, the researchers said they did not intend to disclose the full list, which includes another 660+ problem subdomains, until the company included these types of vulnerabilities in its bug bounty program.