Security researchers revealed that more than 600 Microsoft subdomains can be hijacked and abused for phishing. Read on to know more…
Security researchers revealed that more than 600 Microsoft subdomains pose threat to users. A research firm found more than these subdomains could be hijacked and abused for phishing, malware delivery, and scams.
The Security Threat
Researchers revealed that Microsoft’s DNS records for a subdomain point to a domain that no longer exists. In this case, anyone can use this opportunity to creates the non-existent domain and hijack the subdomain with the misconfigured DNS records. Researchers created an automated system and scanned all the subdomains of some important Microsoft domains. The scan results revealed the existence of over 670 subdomains that could be hijacked using the above technique.
An attacker can potentially direct the visitors of the hijacked subdomain to a phishing website. Hijacking Microsoft subdomains would provide attackers the liberty to bypass even the most elite anti-spam and email security tools in the network system. It can be further exploited to acquire authentication credentials or other sensitive information. Attackers can trick users into installing malware, uploading sensitive files, or scam them.
Hijacking Microsoft subdomains would provide attackers the liberty to bypass even the most elite anti-spam. This discovery means attackers could have potentially accessed the subdomains of hundreds of Microsoft services and used them in phishing and malware campaigns. Victims can’t tell whether a subdomain has been compromised. As a result, if they visit a hijacked subdomain and are prompted to enter their credentials or download a malicious file, they’ll likely do it.
To understand how the attack works, researchers have published a blog post describing their findings. The researchers have reported around a dozen of the impacted subdomains to Microsoft. The reported subdomains include mybrowser[.]microsoft[.]com, identityhelp.microsoft[.]com, data.teams.microsoft[.]com, webeditor.visualstudio[.]com, and sxt.cdn.skype[.]com. Microsoft acknowledged that this is a common attack method that involves misleading targets in clicking on a specially crafted malicious link.
Subdomain takeover occurs when a subdomain can be controlled by anyone other than system admins, explain Numan Ozdemir and Ozan Agdepe of security alert service Vullnerability, in a blog post. This can happen due to expired hosting services or DNS misconfigurations, and it can allow an adversary to upload files, create databases, track data traffic, or create a clone of a primary website. If a subdomain seems legitimate, users will likely enter their information.
Earlier, several warnings about the risks posed by subdomain hijacking have been made. Microsoft took steps to address the issue. But, going by the recent findings, there are still hundreds of domains that could be abused. However, to mitigate such threats, researchers suggested exercising caution while working through links or files from untrusted sources and email addresses.