A security researcher investigated critical vulnerabilities affecting Microsoft products such as Microsoft Outlook, the Microsoft Store and Microsoft Sway: a victim's account could be compromised simply by the victim clicking on a link.
These vulnerabilities were due to a misconfigured subdomain. Microsoft bug hunter Sahad Nk identified the bug and reported it to Microsoft in June; it was addressed with the November updates.
Subdomain takeover is the process of registering a non-existent domain that an existing DNS record still points to, and thereby gaining control over that subdomain.
The researcher found that success.office.com pointed to Azure via its CNAME record, but the Azure host it pointed to was down. He therefore registered the sub-domain success center-msprod and took over the subdomain (success.office.com).
Improper OAuth Checks
Microsoft uses WS-Federation for its implementation of a centralized login system for most of its applications, including Outlook, Sway and the Microsoft Store.
wreply in WS Fed is the counterpart of in
If a user clicked on a malicious link, the Microsoft account would be logged in and an access token created. The reason this works is that all subdomains of *.office.com are trusted.
The researcher passed a malicious URL that delivered the access token to the subdomain he controlled. If such a server were controlled by an attacker, it would put millions of users at risk.
Using the session token, an attacker can access the victim's account without knowing the victim's credentials.
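The two weaknesses described above (a dangling CNAME and a wreply check that trusts every *.office.com host) can both be caught on the defending side. The following Python is an added illustration, not code from the researcher or from Microsoft: it contrasts a suffix-match wreply rule with an exact-host allowlist, and flags CNAME records whose targets no longer resolve. All hostnames, the allowlist and the DNS snapshot are constructed placeholders.

```python
"""Defender-side checks for the WS-Federation wreply issue and dangling CNAMEs."""
from urllib.parse import urlsplit

# Hypothetical allowlist of the exact hosts that may receive a sign-in token.
ALLOWED_REPLY_HOSTS = {"outlook.office.com", "www.office.com"}


def _host(wreply: str) -> str:
    """Lower-cased hostname of the wreply URL ('' if it cannot be parsed)."""
    return (urlsplit(wreply).hostname or "").lower()


def wreply_ok_wildcard(wreply: str) -> bool:
    """The weak rule: any https host under office.com is accepted, including
    a subdomain an attacker has taken over."""
    host = _host(wreply)
    return urlsplit(wreply).scheme == "https" and (
        host == "office.com" or host.endswith(".office.com")
    )


def wreply_ok_allowlist(wreply: str) -> bool:
    """The hardened rule: https plus an exact match against a maintained list."""
    return urlsplit(wreply).scheme == "https" and _host(wreply) in ALLOWED_REPLY_HOSTS


# Constructed DNS snapshot: subdomain -> CNAME target, and which targets still exist.
CNAME_RECORDS = {
    "success.office.com": "unclaimed-app.cloudapp.net",  # constructed: target gone
    "www.office.com": "www-live.example.net",            # constructed: target live
}
LIVE_TARGETS = {"www-live.example.net"}


def dangling_cnames(records=CNAME_RECORDS, live=LIVE_TARGETS):
    """Subdomains whose CNAME target no longer resolves: takeover candidates
    that should be removed or re-claimed before anyone else registers them."""
    return sorted(name for name, target in records.items() if target not in live)


if __name__ == "__main__":
    hijacked = "https://success.office.com/callback"
    print("wildcard accepts taken-over host:", wreply_ok_wildcard(hijacked))   # True
    print("allowlist accepts taken-over host:", wreply_ok_allowlist(hijacked))  # False
    print("dangling records:", dangling_cnames())                               # ['success.office.com']
```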