“We are aware of such reports,” a Microsoft spokesperson told me, “and are taking appropriate action as needed to help protect services and customers.” Those reports are serious—the takeover of Microsoft subdomains to convince users they are on genuine Microsoft websites and can safely enter their passwords, with an attacker sitting behind those subdomains harvesting those passwords to hijack accounts. Now we have a proof of concept video that shows how simple this is in practice.
New research from Numan Ozdemir and Ozan Agdepe of Vullnerability.com, shared here for the first time, shows the risk this now presents to users worldwide. There are no reports yet of these exploits being used in the wild. But the vulnerability is out there and is now in the public domain. It is only a matter of time before bad actors seek to exploit the issue and put users at risk.
“Enterprise sprawl and a lack of internal domain controls has created a nightmare,” cyber expert Ian Thornton-Trump tells me. “I suspect in the wake of this, Microsoft will need to implement significant changes in how domains are managed.”
Exposing the risks of hijacking Microsoft subdomains is not new—it’s a problem that dates back years. But two things are new. First, the sheer scale of the exposure. There are many hundreds of such domains open to hijack—I have seen a list of 670 that researchers say are now at risk. “You can’t protect it if you don’t know about it,” Thornton-Trump warns. And, second, bad actors are starting to notice. As ZDNet reported last month, “one spam group has figured out they could hijack Microsoft’s subdomains and boost their spammy content by hosting it on a reputable domain.”
As risks go, “spammy content” is relatively benign. The real risk here is the combination of seemingly legitimate Microsoft domains and phishing campaigns designed to steal credentials and user data. You get a message purporting to be from Microsoft. The link takes you to a legitimate domain and an encrypted website. You are asked for your username and password. You will almost certainly fall victim.
A suspicious domain name is one of the key red flags users are told to look for when checking that a message is not a spoof. A legitimate domain not only fails to trigger that flag, it goes further, reassuring the user, who is then less likely to look for other warning signs.
Security researcher Numan Ozdemir shared his findings with me, which I validated with independent researchers. He says all findings were shared with Microsoft. According to Ozdemir, he and fellow researcher Ozan Agdepe have an automated tool to identify exposed Microsoft subdomains. Once those are identified, the researchers claim they can hijack them, stealing cookies and credentials and bypassing open redirection protection: “login.live.com redirects to all office.com… and all Microsoft subdomains seem to be whitelisted.”
“Subdomain takeover attacks generally don’t require any technical expertise,” Ozdemir told me. “The attacker reviews DNS records and HTTP responses, then claims that subdomain with a hosting provider. Users will not know if a subdomain is hijacked by attackers or managed by a system admin. It means you may be surfing an attacker’s network while you think you are on an official website.”
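The DNS side of the mechanism Ozdemir describes is exactly what a domain owner can audit for. The following script is an added example, not the researchers’ tool or anything from the article: it walks a constructed DNS snapshot, flags every CNAME whose target no longer resolves, and rates the finding higher when the target sits on a hosting provider where a released name can be re-registered. The provider suffix list, the snapshot and the set of “live” targets are all constructed for illustration.

```python
import socket

# Provider host suffixes under which a released name can be re-registered
# by anyone with an account (constructed list; substitute your providers).
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net",
                      ".trafficmanager.net", ".blob.core.windows.net")

# Constructed DNS snapshot: subdomain -> CNAME target (None = no CNAME).
SNAPSHOT = {
    "app-old.example.com": "retired-project.azurewebsites.net",
    "store.example.com": "store-prod.azurewebsites.net",
    "www.example.com": None,
    "beta.example.com": "beta-site.vendor.example",
}

# Constructed view of which CNAME targets still resolve.
LIVE_TARGETS = {"store-prod.azurewebsites.net"}


def offline_resolver(name):
    """Stand-in for a DNS lookup so the audit runs without network access."""
    return name in LIVE_TARGETS


def live_resolver(name):
    """Real lookup: True if the target resolves, False on NXDOMAIN/failure."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def is_claimable(target):
    """Does the target sit on a provider where released names can be claimed?"""
    return target.lower().endswith(CLAIMABLE_SUFFIXES)


def audit(snapshot, resolves=offline_resolver):
    """Return (subdomain, target, severity) for every CNAME whose target is dead.
    'high' = dead target on a claimable provider (takeover candidate);
    'review' = dead target elsewhere (stale record, still worth deleting)."""
    findings = []
    for sub, target in sorted(snapshot.items()):
        if target is None or resolves(target):
            continue  # no CNAME, or the target is still owned and alive
        findings.append((sub, target, "high" if is_claimable(target) else "review"))
    return findings


if __name__ == "__main__":
    for sub, target, sev in audit(SNAPSHOT):
        print(f"{sev:6} {sub} -> {target}")
```

Passing `live_resolver` instead of the default runs the same audit against real DNS; the fix for any “high” finding is to delete the record or reclaim the provider resource before anyone else does.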
Ozdemir warns that the vulnerability can be exploited in multiple ways, with relevant subdomains tailored to the purpose: tricking users into installing browser extensions and updates; spear-phishing that asks users to upload information to a seemingly legitimate project work-share; pushing out malware to target devices. For obvious reasons, that list of 670 vulnerable domains is not being published here.
But what about systems to protect users from such attacks? Hijacked domains, security expert Sean Wright tells me, “will also likely impact on spam detection, which relies on things such as domains.” We are talking about subdomains sitting underneath office.com and live.com, windows.com and skype.com, microsoft.com and xbox.com. And some of the subdomains themselves hint at identity assurance and security. This isn’t rocket science.
“Subdomain takeovers are bad news—how do users distinguish good from bad?” Wright warns. “They greatly increase the ability to perform phishing.” As this video from Ozdemir and Agdepe shows, an exploit can be crafted to steal credentials and cookies using a hijacked Microsoft subdomain and an encrypted website:
For security researcher Mike Thompson, “the open redirect is the worst of the two [vulnerabilities]. This needs a response from Microsoft on how they’re securing, or not securing their subdomains. Open redirect is pretty much a schoolboy error.”
Microsoft’s advice is for users to look for crafted links in emails and messages as an initial red flag that it is an attack. “Specifically crafted links?” Thompson says, “like pretty much every phishing attack. It’s so easy to dupe a user. Many attackers try clever things like changing unicode characters in domain names and so on. No need to do that here, when you’re using a perfectly legit domain.”
“Subdomain takeovers are not a good look for an organization,” Wright says, “especially larger organizations that should know better.” Looking at the video of this exploit, he adds, “this POC helps put that into perspective. An ability to steal credentials and session related cookies should certainly be a cause for concern. I hope Microsoft pays more attention to this issue with these POCs.”
Any further comments from Microsoft will be added here.