In February 2020, we wrote about information security specialist Michel Gaschet, who has been reporting vulnerable subdomains to Microsoft for years. The company owns thousands of subdomains, many of which can be taken over and used to attack users and the company's own employees, as well as to distribute spam, malware, phishing and other kinds of fraud.
Most often, these cases involve subdomains with misconfigured DNS records. For example, a subdomain's DNS record may point to a domain that no longer exists. Anyone who registers that non-existent domain then gains control of the subdomain. An attacker can use it to redirect visitors from the captured subdomain to a phishing site, steal their credentials and other confidential information, trick them into installing malware, and so on.
For example, the mybrowser.microsoft.com subdomain points to webserver9000.azurewebsites.net, although that server instance was shut down long ago. It is precisely such cases that attackers take advantage of: they set up an Azure account and request the hostname webserver9000 (that is, webserver9000.azurewebsites.net). As a result, when people visit mybrowser.microsoft.com, they are sent to the attacker-controlled webserver9000.azurewebsites.net, where victims can be offered, for example, a malware download disguised as a browser update.
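The check a defender runs against this class of misconfiguration is a dangling-CNAME audit: for every CNAME in a zone, follow the chain and flag any that ends at a name that does not resolve, with extra priority when the dead target sits under a cloud hosting suffix where the hostname can simply be re-registered. The script below is an added example and is not code from the article, from Microsoft or from the researchers mentioned; it works over a constructed, hard-coded DNS snapshot (the names under example.com, the addresses and the "app-live"/"retired" targets are all made up) so it runs offline, and it reuses only the azurewebsites.net suffix the article itself names as the claimable service.

```python
"""Dangling-CNAME audit over a constructed DNS snapshot (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hosting suffixes where an unused hostname can be registered by anyone.
# azurewebsites.net is the case from the article; extend this for other providers.
CLAIMABLE_SUFFIXES = ("azurewebsites.net",)

# Constructed snapshot: name -> {record type: values}. A name that is absent from
# the dict stands for NXDOMAIN, i.e. the target no longer exists.
SNAPSHOT: Dict[str, Dict[str, List[str]]] = {
    "mybrowser.example.com": {"CNAME": ["webserver9000.azurewebsites.net"]},  # dead target
    "account.example.com": {"CNAME": ["app-live.azurewebsites.net"]},        # healthy
    "app-live.azurewebsites.net": {"A": ["203.0.113.10"]},
    "www.example.com": {"A": ["203.0.113.20"]},
    "old.example.com": {"CNAME": ["retired.example.net"]},                    # dead, not claimable
    "loop-a.example.com": {"CNAME": ["loop-b.example.com"]},                  # CNAME loop
    "loop-b.example.com": {"CNAME": ["loop-a.example.com"]},
}


@dataclass
class Finding:
    name: str        # the subdomain in our zone
    target: str      # its immediate CNAME target
    reason: str      # "nxdomain", "noaddr" or "loop"
    claimable: bool  # dead target lives under a self-service hosting suffix


def follow_cname(name: str, snapshot: Dict[str, Dict[str, List[str]]],
                 max_hops: int = 8) -> Tuple[str, str]:
    """Follow the CNAME chain from `name`.

    Returns (status, last_name): "ok" when the chain ends at an A/AAAA record,
    "nxdomain" when a hop points at a name that does not exist, "noaddr" when
    the final name exists but carries no address, "loop" on a cycle or too
    many hops.
    """
    seen: List[str] = []
    current = name
    for _ in range(max_hops):
        if current in seen:
            return "loop", current
        seen.append(current)
        rrset = snapshot.get(current)
        if rrset is None:
            return "nxdomain", current
        if "CNAME" in rrset:
            current = rrset["CNAME"][0]
            continue
        if rrset.get("A") or rrset.get("AAAA"):
            return "ok", current
        return "noaddr", current
    return "loop", current


def is_claimable(hostname: str) -> bool:
    """True if the hostname sits under a suffix where anyone can register it."""
    return any(hostname == s or hostname.endswith("." + s) for s in CLAIMABLE_SUFFIXES)


def audit(snapshot: Dict[str, Dict[str, List[str]]], zone_suffix: str) -> List[Finding]:
    """Report every CNAME in `zone_suffix` whose chain does not end at an address."""
    findings: List[Finding] = []
    for name, rrset in sorted(snapshot.items()):
        if not name.endswith(zone_suffix) or "CNAME" not in rrset:
            continue
        status, last = follow_cname(name, snapshot)
        if status == "ok":
            continue
        findings.append(Finding(name, rrset["CNAME"][0], status, is_claimable(last)))
    return findings


if __name__ == "__main__":
    for f in audit(SNAPSHOT, ".example.com"):
        flag = "TAKEOVER RISK" if f.claimable else "stale"
        print(f"{f.name} -> {f.target}: {f.reason} ({flag})")
```

To run this against a real zone, replace the snapshot with the output of a zone export or of live lookups (for example with dnspython's `dns.resolver`), and treat every "nxdomain" finding whose target is claimable as urgent: the fix is to delete the CNAME or re-create the target under an account you control, before someone else registers it.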
Gaschet wrote that the company most often either ignores these reports or fixes problems only in prominent subdomains, such as cloud.microsoft.com and account.dpedge.microsoft.com, while ignoring smaller ones.
Now specialists at Vullnerability have described the same problem from their own vantage point. They built an automated system that enumerates the subdomains of a number of important Microsoft domains. The scan revealed more than 670 subdomains that can be taken over in the way described above. The researchers attached a video to their report demonstrating how the attack works.