ZDNet has interviewed Michel Gaschet, a security researcher at NIC.gp. According to the researcher, Microsoft has a serious problem managing its thousands of subdomains, many of which can be hijacked and used to attack users or Microsoft's own employees, or to spread spam.
Over the past three years, Gaschet has regularly reported subdomains with misconfigured DNS records to Microsoft, but the company has either ignored the reports or fixed the problem only for some of the subdomains, not all of them.
In 2017 he reported 21 msn.com subdomains vulnerable to takeover, and in 2019 a further 142 misconfigured microsoft.com subdomains. He shared with ZDNet a list of 117 problematic microsoft.com subdomains that he had reported to Microsoft last year. Unfortunately, the company fixed only some of them; Gaschet estimates that only 5-10% of these subdomains have been secured.
Gaschet explained that the company usually responds to problems with large subdomains, such as cloud.microsoft.com and account.dpedge.microsoft.com, but ignores smaller ones.
The root of the problem is that many Microsoft subdomains have errors in their DNS configuration. The most common one is a forgotten DNS record that points at something that no longer exists or never existed (for example, because of a typo in the record's contents). According to Gaschet, a 2014 Detectify blog post covered this class of problem well.
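The dangling records described above are straightforward to find from the defender's side by walking a zone export and checking whether each CNAME target still resolves. The following script is an added example, not code from the article, from Gaschet or from Microsoft; the zone export, the hostnames in it and the table of "currently resolvable" names are all constructed, and the `live_resolves` helper (which needs network access) is only there to show how the same check would be wired to a real resolver.

```python
"""Audit a DNS zone export for dangling CNAME records.

Added example (not from the article). Assumes a one-record-per-line export
in the form: name TTL class type data. Sample zone and resolution table
below are constructed placeholders, not real Microsoft records.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed zone export with hypothetical names.
SAMPLE_ZONE = """\
; hypothetical export of example.com
www.example.com.        3600 IN A     203.0.113.10
blog.example.com.       3600 IN CNAME blog-host.example-cdn.net.
old-portal.example.com. 3600 IN CNAME old-portal.example-cloudapp.net.
typo.example.com.       3600 IN CNAME wwww.example.com.
alias.example.com.      3600 IN CNAME www.example.com.
"""

# Constructed view of which off-zone names currently have an address.
SAMPLE_RESOLVABLE = {"blog-host.example-cdn.net."}

Record = Tuple[str, str, str]  # (owner name, record type, data)


def parse_zone(text: str) -> List[Record]:
    """Parse the simple export format, ignoring comments and blank lines."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip ';' comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        name, rtype, data = fields[0].lower(), fields[3].upper(), fields[4].lower()
        records.append((name, rtype, data))
    return records


def live_resolves(name: str) -> bool:
    """Real resolver for production use (needs network): True if name has any address."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


def find_dangling(records: List[Record], resolves: Callable[[str], bool]) -> Dict[str, str]:
    """Return {owner: final target} for every CNAME whose target does not resolve.

    CNAME chains inside the zone are followed first, so an alias that ends at an
    in-zone A record is not a false positive; `resolves` is consulted only for the
    final target when it lives outside the zone. CNAME loops are reported too.
    """
    cnames = {name: data for name, rtype, data in records if rtype == "CNAME"}
    in_zone_data = {name for name, rtype, _ in records if rtype != "CNAME"}
    dangling: Dict[str, str] = {}
    for owner, target in cnames.items():
        seen = set()
        cur = target
        while cur in cnames and cur not in seen:  # walk the in-zone chain
            seen.add(cur)
            cur = cnames[cur]
        if cur in in_zone_data:
            continue  # chain ends at a real in-zone record
        if cur in cnames or not resolves(cur):
            dangling[owner] = cur  # loop, or off-zone target with no address
    return dangling


def audit_sample() -> Dict[str, str]:
    """Run the audit against the constructed zone using the constructed resolver."""
    return find_dangling(parse_zone(SAMPLE_ZONE), lambda n: n in SAMPLE_RESOLVABLE)


if __name__ == "__main__":
    for owner, target in sorted(audit_sample().items()):
        print(f"DANGLING {owner} -> {target}")
```

With the constructed data, `old-portal` (a decommissioned cloud host) and `typo` (a misspelt target) are flagged, while `blog` and `alias` are not. In a real audit, pass `live_resolves` instead of the lambda, and treat every flagged owner as a record to delete rather than leave in place, since a target that nobody controls is exactly what lets a third party serve content under the organisation's hostname.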
Until recently these misconfigurations had not caused Microsoft any visible harm, although in theory an attacker could take over one of these subdomains and host phishing pages on it to harvest credentials from Microsoft employees, the company's business partners or even end users.
Unfortunately, Gaschet recently discovered that at least one criminal group had noticed the opportunity: advertisements for Indonesian casinos appeared on at least four legitimate Microsoft subdomains, including portal.ds.microsoft.com, perfect10.microsoft.com, ies.global.microsoft.com and blog-ambassadors.microsoft.com.
On Twitter, the researcher suggested that one reason fixing such problems is not a priority for Microsoft is that subdomain takeover is not in scope for the company's official bug bounty program, which means reports of this kind are not prioritised despite the seriousness of the issue.
This kind of stuff, this is what you get by putting subdomain takeover out of scope, and don't fix critical subdomain takeover from good people, rarely thank them and generally don't respond to them. Great job @msftsecresponse ?
– Michel Gaschet (@Michel_Gaschet) February 18, 2020
After the article was published, Microsoft representatives contacted ZDNet and reported that the advertising spam problem had been resolved. The company also reminded users in general to be careful when clicking on links and opening unknown files. At the same time, Microsoft did not answer the questions raised by Gaschet, in particular how malicious sites came to be hosted on Microsoft's own subdomains.