Researcher finds 670 Microsoft subdomains vulnerable to takeover
Years after it was first identified as a possibility, researchers have found it’s still child’s play to hijack subdomains from companies such as Microsoft to use in phishing and malware attacks.
Researchers at Vullnerability.com were able to grab more than 670 subdomains that had previously been used by Microsoft but subsequently forgotten about, including:
- identityhelp.microsoft.com
- mybrowser.microsoft.com
- web.visualstudio.com / webeditor.visualstudio.com
- data.teams.microsoft.com
- sxt.cdn.skype.com
- download.collaborate.microsoft.com
- incidentgraph.microsoft.com
- admin.recognition.microsoft.com
And many others, all of which look like the sort of legitimate subdomains that users (including Microsoft employees) would be inclined to trust if lured to them by a phishing attack.
Why wouldn’t someone trust these? They’re subdomains of big and important domains such as microsoft.com and skype.com, and those parent domains are under the control of the companies themselves.
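The underlying weakness is a DNS record that outlives the resource it points to: the subdomain still resolves under the parent domain, but its CNAME target has been released by the hosting provider, so whoever registers that target next controls the subdomain. The defender’s check is an inventory audit. The following script is an added example, not code from the researchers or from Microsoft: it walks a constructed zone export, flags CNAME records whose targets no longer resolve, and highlights those under a provider suffix where the released hostname could be re-registered by anyone. The domain names, the resolver stub (a dictionary standing in for live lookups) and the provider suffix list are all assumptions.

```python
"""Dangling-subdomain audit over an exported DNS zone.

Added example with constructed sample data; the zone, the stand-in resolver
and the provider suffix list are assumptions, not real Microsoft records.
"""
from dataclasses import dataclass

# Constructed zone export: (name, record type, target).
SAMPLE_ZONE = [
    ("www.example.com", "A", "203.0.113.10"),
    ("docs.example.com", "CNAME", "docs-prod.cloudapp.example.net"),
    ("old-portal.example.com", "CNAME", "old-portal.cloudapp.example.net"),
    ("legacy.example.com", "CNAME", "legacy.partner.example.org"),
    ("blog.example.com", "CNAME", "blog-host.example.org"),
]

# Constructed stand-in for live DNS resolution: only these targets still resolve.
# A real audit would replace this with actual lookups (e.g. dnspython).
KNOWN_HOSTS = {
    "docs-prod.cloudapp.example.net": "203.0.113.20",
    "blog-host.example.org": "203.0.113.30",
}

# Hypothetical provider suffixes under which a released hostname can be
# re-registered by any customer; a real audit lists the providers actually in use.
CLAIMABLE_SUFFIXES = (".cloudapp.example.net",)


@dataclass
class Finding:
    """One subdomain whose CNAME points at something that no longer exists."""
    name: str
    target: str
    reason: str


def resolve(hostname, lookup=KNOWN_HOSTS):
    """Return the address for hostname, or None if it does not resolve."""
    return lookup.get(hostname)


def audit_zone(zone, lookup=KNOWN_HOSTS, suffixes=CLAIMABLE_SUFFIXES):
    """Return a Finding for every CNAME whose target no longer resolves.

    Records whose target sits under a re-registerable provider suffix get a
    more specific reason, since those are the ones worth cleaning up first.
    """
    findings = []
    for name, rtype, target in zone:
        if rtype != "CNAME":
            continue  # only CNAME records can dangle in this way
        if resolve(target, lookup) is not None:
            continue  # target still resolves: record is live, not dangling
        if target.endswith(suffixes):
            reason = ("CNAME target does not resolve and lies under a "
                      "re-registerable provider suffix; remove or re-point it")
        else:
            reason = "CNAME target does not resolve; confirm ownership or remove"
        findings.append(Finding(name, target, reason))
    return findings


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE):
        print(f"{f.name} -> {f.target}: {f.reason}")
```

Run it against a real zone export by replacing `SAMPLE_ZONE` with the exported records and `resolve` with a live lookup; records that appear in the output are the ones to delete or re-point before a hosting account is closed, not after.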
Imagine the potential power that grabbing and abusing one of these would give an attacker, particularly ones targeting enterprises.
The researchers offer examples that include persuading a visitor to install a spying extension in their browser, phishing enterprise credentials with a fake login page, or asking visitors to upload sensitive documents to data.teams.microsoft.com with the Teams App. They could even deface a subdomain linked to from a larger domain.
All hypothetical exploits, of course, but still an appealing alternative to the other domain ruse, typosquatting, where an attacker registers a look-alike domain and hopes nobody notices.