A security researcher has reported that Microsoft has a problem managing its thousands of subdomains, many of which can be hijacked and used to attack users or its employees, or to serve spammy content.
The problem was found by Michel Gaschet, a security researcher and a developer for NIC.gp.
He said that over the past three years he has been reporting subdomains with misconfigured DNS records to Microsoft, and that the company has either ignored the reports or quietly secured some of the subdomains, but not all of them.
According to Gaschet, he reported 21 msn.com subdomains vulnerable to hijacking to Microsoft in 2017, and then another 142 misconfigured microsoft.com subdomains in 2019. A further list of 117 microsoft.com subdomains was also reported to Microsoft last year.
Of all the misconfigured subdomains reported, Microsoft addressed only a few, perhaps between 5% and 10% of the total.
Microsoft usually fixes high-profile subdomains such as cloud.microsoft.com and account.dpedge.microsoft.com, but the rest remain exposed to hijacking.
Most of the reported subdomains were vulnerable because of basic misconfigurations in their DNS entries. The root cause is a forgotten DNS record, typically a CNAME, that still points to a hostname which no longer exists or never existed. When that hostname sits on a cloud service where anyone can register a new resource under the same name, an attacker can claim it, and the Microsoft subdomain then resolves to content the attacker controls.
On their own, these misconfigurations cause no visible problems, which is why they go unnoticed, but they are an attractive attack surface. An attacker who hijacks one of these subdomains can host phishing pages on it to harvest login credentials from Microsoft employees, business partners or even end users, with the page served from a genuine microsoft.com hostname.
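The check described above, a dangling-CNAME audit, as an added example that is not the researcher's tooling or anything from Microsoft. It follows each name's CNAME chain, flags chains that end in a name that no longer resolves, and marks the finding as a likely takeover when the missing target sits under a suffix on which anyone can claim a hostname. The zone snapshot, the hostnames under example.com and the list of claimable suffixes are all constructed for illustration; a real run would replace zone_lookup with a live resolver.

```python
"""Find dangling CNAME records that could allow a subdomain takeover.

Added example, not code from the article or from Microsoft. It runs over a
constructed zone snapshot so it works offline; swap in a live resolver for
real use (any callable that returns (rrtype, rdata) or None on NXDOMAIN).
"""
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str]                     # (rrtype, rdata), e.g. ("CNAME", "x.net.")
Lookup = Callable[[str], Optional[Record]]   # None stands for NXDOMAIN

# Constructed zone snapshot (hypothetical names, not real Microsoft records).
CONSTRUCTED_ZONE: Dict[str, Record] = {
    "blog.example.com.": ("CNAME", "blog-prod.azurewebsites.net."),
    "blog-prod.azurewebsites.net.": ("A", "203.0.113.10"),            # still live
    "old-portal.example.com.": ("CNAME", "old-portal.cloudapp.net."),  # target deleted
    "files.example.com.": ("CNAME", "files.partner-cdn.example.net."), # target gone, not claimable
    "www.example.com.": ("CNAME", "edge.example.com."),
    "edge.example.com.": ("CNAME", "blog-prod.azurewebsites.net."),
    "shop.example.com.": ("A", "198.51.100.5"),
    "lab.example.com.": ("CNAME", "lab.example.com."),                 # self-referencing loop
}

# Suffixes on which a customer can register a hostname of their choosing.
# Illustrative list only; the real set is larger and changes as providers
# add ownership validation.
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net.",
    ".cloudapp.net.",
    ".trafficmanager.net.",
    ".blob.core.windows.net.",
)

MAX_CHAIN = 8  # hop limit so a CNAME loop cannot hang the scan


def zone_lookup(name: str) -> Optional[Record]:
    """Resolver over the constructed zone; None means NXDOMAIN."""
    return CONSTRUCTED_ZONE.get(name.lower())


def follow_chain(host: str, lookup: Lookup) -> Tuple[str, str]:
    """Walk the CNAME chain starting at host.

    Returns one of:
      ("ok", name)        chain ends in a non-CNAME record for name
      ("nxdomain", host)  the queried host itself does not exist
      ("dangling", name)  a CNAME points at name, which does not exist
      ("loop", name)      more than MAX_CHAIN hops without terminating
    """
    current = host if host.endswith(".") else host + "."
    for hop in range(MAX_CHAIN):
        rec = lookup(current)
        if rec is None:
            return ("nxdomain" if hop == 0 else "dangling", current)
        rrtype, rdata = rec
        if rrtype != "CNAME":
            return ("ok", current)
        current = rdata if rdata.endswith(".") else rdata + "."
    return ("loop", current)


def claimable(target: str) -> bool:
    """True when the missing target lives under a suffix anyone can register on."""
    t = target.lower()
    return any(t.endswith(suffix) for suffix in CLAIMABLE_SUFFIXES)


def audit(names: List[str], lookup: Lookup = zone_lookup) -> Dict[str, str]:
    """Classify each name: 'takeover' for a dangling CNAME onto a claimable
    suffix, otherwise the raw follow_chain status ('ok', 'dangling',
    'loop', 'nxdomain')."""
    results: Dict[str, str] = {}
    for name in names:
        status, final = follow_chain(name, lookup)
        if status == "dangling" and claimable(final):
            status = "takeover"
        results[name] = status
    return results


if __name__ == "__main__":
    # Scan every owned name in the constructed zone and report what needs attention.
    owned = [n for n in CONSTRUCTED_ZONE if n.endswith(".example.com.")]
    for name, status in sorted(audit(owned).items()):
        if status != "ok":
            print(f"{status:9s} {name}")
```

A 'takeover' result is the case the article describes: the record is still published under the organisation's domain, the cloud resource behind it is gone, and anyone who registers that resource name inherits the subdomain. The 'dangling' and 'loop' results are still worth cleaning up, since a target that is not claimable today may become so when the provider changes hands or policy.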
On Twitter, Gaschet pointed out that at least one spam group has figured out they could hijack Microsoft’s subdomains and boost their spammy content by hosting it on a reputable domain.
He found ads for Indonesian poker casinos on at least four legitimate Microsoft subdomains, including portal.ds.microsoft.com, perfect10.microsoft.com, ies.global.microsoft.com, and blog-ambassadors.microsoft.com.
The researcher believes that one reason Microsoft is not interested in fixing these issues is that "subdomain takeovers" are not part of the company's bug bounty program, so the reports are not prioritized despite the severity of what they describe.