Security researcher Michel Gaschet said Microsoft has been ignoring his reports that Microsoft subdomains are being hijacked.
Speaking with ZDNet, Gaschet said he reported a total of 142 misconfigured Microsoft.com subdomains in 2019, as well as a further 21 msn.com subdomains in 2017.
A separate list of 117 Microsoft.com subdomains was also reportedly shared with ZDNet – which were also reported to Microsoft in 2019.
He said that Microsoft largely ignored his reports while silently fixing some of the subdomains.
How it works
Security researcher Szymon Gruszecki explained to Detectify in 2014 how this hijacking works.
“Last year [I] performed a scan on [the] top 5,000 domain names from Alexa global rank and discovered 49 subdomains of different domains (that is ~1% of all ones) that point in CNAME records to not registered, forgotten domains or their subdomains,” said Gruszecki.
“So in this case, if you want to own [a] not used subdomain just simply buy an expired domain name and configure its DNS zone.”
He also demonstrated the technique on one such subdomain, racing.msn.com.
“Since the registration of msnbrickyardsweeps.com has expired, he could buy it and suddenly racing.msn.com starts showing his content since racing.msn.com has a CNAME record pointing to msnbrickyardsweeps.com,” explained Detectify.
Because a CNAME redirects every record type, not just A records, an MX lookup for racing.msn.com also resolves through the new owner's zone. The new owner can therefore send mail as racing.msn.com and receive all mail sent to addresses at that hostname.
The new owner can also obtain a TLS certificate for the subdomain, since domain validation succeeds once they control what the hostname serves, making the site appear legitimate and load over HTTPS without warnings.
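The CNAME check described above, written out as an added example (this is not code from the article, Detectify or Gruszecki). It runs against a constructed in-memory zone so it executes offline; the names msnbrickyardsweeps.com and racing.msn.com come from the article, while example-cdn.net, old.msn.com, attacker.example and all IP addresses are invented for the sample data. It goes slightly beyond the article by separating the expired-apex case (buy the domain) from the case where only a hostname under a registered third-party service is missing, and by showing why the check goes quiet once the domain has actually been taken over.

```python
"""Dangling-CNAME (subdomain takeover) checker over a constructed zone.

Swap `lookup` for a real resolver (for example dnspython) to scan live
names; the classification logic stays the same.
"""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

# name -> record type -> values. All names are fully qualified (trailing dot).
Zone = Dict[str, Dict[str, List[str]]]

# Constructed sample data, not real DNS records. msnbrickyardsweeps.com. is
# deliberately absent: its registration has expired, as in the article.
SAMPLE_ZONE: Zone = {
    "msn.com.": {"A": ["203.0.113.5"], "MX": ["10 mail.msn.com."]},
    "mail.msn.com.": {"A": ["203.0.113.6"]},
    "racing.msn.com.": {"CNAME": ["msnbrickyardsweeps.com."]},
    "www.msn.com.": {"CNAME": ["msn.example-cdn.net."]},
    "example-cdn.net.": {"A": ["198.51.100.1"]},
    "msn.example-cdn.net.": {"A": ["198.51.100.10"]},
    # Apex example-cdn.net. is registered, but this hostname under it is gone.
    "old.msn.com.": {"CNAME": ["old-msn.example-cdn.net."]},
}


def lookup(zone: Zone, name: str, rtype: str) -> Optional[List[str]]:
    """Answer a query the way a recursive resolver would.

    A CNAME at `name` is followed for every record type except CNAME itself,
    which is why an MX query for a CNAMEd hostname lands in the target's zone.
    Returns None for NXDOMAIN and an empty list for NOERROR with no data.
    """
    if name not in zone:
        return None
    rrsets = zone[name]
    if rtype in rrsets:
        return rrsets[rtype]
    if "CNAME" in rrsets:
        return lookup(zone, rrsets["CNAME"][0], rtype)
    return []


def registrable_domain(name: str) -> str:
    """Last two labels. A production scanner should use the Public Suffix List
    (so that host.co.uk is handled correctly); this is a deliberate simplification."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def classify(zone: Zone, subdomain: str) -> Optional[Tuple[str, str, str]]:
    """Return (subdomain, dangling target, finding) or None if nothing is dangling.

    'apex-unregistered': the target's registrable domain does not exist, so
                         anyone can buy it (the racing.msn.com case).
    'target-nxdomain':   the apex exists but the target hostname does not;
                         takeover depends on the hosting provider's rules.
    """
    rrsets = zone.get(subdomain)
    if not rrsets or "CNAME" not in rrsets:
        return None
    name = subdomain
    for _ in range(8):  # bound the walk so CNAME loops cannot hang the scan
        target = zone[name]["CNAME"][0]
        if target not in zone:
            apex = registrable_domain(target)
            finding = "target-nxdomain" if apex in zone else "apex-unregistered"
            return (subdomain, target, finding)
        if "CNAME" not in zone[target]:
            return None  # chain ends at a live name
        name = target
    return None


def scan(zone: Zone, names: List[str]) -> List[Tuple[str, str, str]]:
    """Classify every name and keep only the dangling ones."""
    findings = []
    for n in names:
        f = classify(zone, n)
        if f is not None:
            findings.append(f)
    return findings


def attacker_registers(zone: Zone, apex: str, mx_host: str, ip: str) -> Zone:
    """Simulate buying the expired apex and publishing A and MX records for it."""
    taken = {k: dict(v) for k, v in zone.items()}
    taken[apex] = {"A": [ip], "MX": [f"10 {mx_host}"]}
    taken[mx_host] = {"A": [ip]}
    return taken


if __name__ == "__main__":
    for finding in scan(SAMPLE_ZONE, list(SAMPLE_ZONE)):
        print("dangling:", *finding)
    taken = attacker_registers(SAMPLE_ZONE, "msnbrickyardsweeps.com.",
                               "mx.attacker.example.", "192.0.2.1")
    print("MX for racing.msn.com after takeover:", lookup(taken, "racing.msn.com.", "MX"))
    print("still flagged after takeover:", scan(taken, ["racing.msn.com."]))
```

Note the last line of the demo: once the expired domain has been bought, racing.msn.com resolves again and the dangling check no longer fires. A scan for NXDOMAIN targets only catches subdomains that are still waiting to be taken; catching ones that already have been requires comparing CNAME targets against an inventory of domains and services the organisation actually owns.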
Exploited in the wild
While the technique has been known for years, abuse of Microsoft-owned subdomains has only recently been seen in the wild.
Gaschet highlighted on Twitter that an Indonesian poker website was being served from a hijacked Microsoft subdomain.
This kind of stuff, this is what you get by putting subdomain takeover out of scope, and don't fix critical subdomain takeovers from good people, rarely thank them and generally don't respond to them. Great job, @msftsecresponse 👏
— Michel Gaschet (@Michel_Gaschet) February 18, 2020
According to Gaschet, at least three other legitimate Microsoft domains were also found being used to run ads for Indonesian poker casinos.
These casinos seek to boost the “reputation” of their spam by hosting it on a reputable domain, said Gaschet.
Microsoft said the issue with these poker websites has been fixed and recommended that users be careful when clicking on links or opening unknown files.
Microsoft’s hijacking problem
This isn’t the first recent report of malicious parties exploiting unprotected Microsoft subdomains, however.
In November 2019, Microsoft fixed a vulnerability in its login systems which allowed malicious parties to hijack user accounts.
Cybersecurity company CyberArk found that, by registering one of numerous unregistered Microsoft subdomains, malicious parties could trick users into clicking links that led there.
Clicking these links allowed the attacker to steal one of the user’s account tokens.
These tokens mostly keep users logged into websites and grant access to third-party apps or websites without the user re-entering a password.
“We resolved the issue with the applications mentioned in this report in November and customers remain protected,” said a Microsoft spokesperson.