This is not Microsoft content ...
Maik Morgenstern
Cybersecurity Leader and Advisor | Former CTO @ AV-TEST | Reverse Engineer
Update 13th January 2021: Microsoft has now fixed the DNS entry.
So what's up?
Microsoft created the subdomain covid19testing.microsoft.com, probably to deliver information around Covid19 testing, and pointed it to an Azure instance at wherecanigettestedforcovid19.azurewebsites.net.
For some reason they stopped that project, deleted the Azure instance but didn't clean up the DNS CNAME entry that still maps covid19testing.microsoft.com to wherecanigettestedforcovid19.azurewebsites.net.
Why is this a problem?
This creates a problem: anybody can now claim the Azure instance and host whatever content they want, as I am doing right now. This could be abused by attackers to run phishing and scamming attacks. I can act in the name of Microsoft by abusing their domain and claiming this website has content created by Microsoft, e.g. asking Microsoft users to log in to my website and phishing their usernames and passwords.
Unfortunately this happens quite often. At the moment of writing this, around a dozen Microsoft subdomains can be abused by claiming Azure endpoints that Microsoft abandoned without cleaning up the DNS CNAME entries.
Microsoft isn't the only company with this problem, but it is one of the few top Fortune 500 companies where this happens all the time, see this Sophos blog for example.
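The underlying defect is a dangling CNAME: the record still points at a provider hostname that nobody owns anymore. As an added example (not part of the original post), the following Python audits a zone's CNAME records from the owner's side and flags targets that no longer resolve, rating those under a claimable hosting suffix such as azurewebsites.net as high severity. The sample records and the offline resolver are constructed; the default resolver does a live lookup via the standard library.

```python
import socket
from typing import Callable, Dict, List

# Hosting suffix named in the post; a dangling CNAME into this namespace can be
# re-registered by anyone. Constructed list: extend it with other providers you use.
CLAIMABLE_SUFFIXES = ("azurewebsites.net",)


def default_resolve(name: str) -> bool:
    """Return True if the name currently resolves to an address (live DNS lookup)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(
    cname_records: Dict[str, str],
    resolves: Callable[[str], bool] = default_resolve,
) -> List[dict]:
    """Flag CNAME records whose target no longer resolves.

    cname_records maps owner name -> CNAME target (e.g. exported from the zone).
    `resolves` is injectable so the audit can run offline against fixtures.
    """
    findings = []
    for owner, target in cname_records.items():
        target = target.rstrip(".").lower()
        if resolves(target):
            continue  # target is alive, nothing to claim
        claimable = any(target == s or target.endswith("." + s) for s in CLAIMABLE_SUFFIXES)
        findings.append({
            "owner": owner,
            "target": target,
            "claimable_provider": claimable,
            "severity": "high" if claimable else "medium",
        })
    return findings


# Constructed sample zone: the record from the post, one live entry and one
# dangling entry outside any claimable provider, to show all three outcomes.
SAMPLE_CNAMES = {
    "covid19testing.microsoft.com": "wherecanigettestedforcovid19.azurewebsites.net.",
    "www.example.com": "live-site.example.net.",
    "old.example.com": "decommissioned.example.org.",
}


def fake_resolve(name: str) -> bool:
    """Constructed offline resolver: only the 'live' target answers."""
    return name == "live-site.example.net"


if __name__ == "__main__":
    for finding in find_dangling_cnames(SAMPLE_CNAMES, fake_resolve):
        print(finding)
```

A failed A lookup covers NXDOMAIN as well as other resolver errors, so confirm a high-severity hit with a dedicated query before treating it as claimable.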
Why is Microsoft not addressing this?
So why does it happen so often for Microsoft, but not for other big companies? Simple: many of those other companies run bug bounty programs where they encourage researchers to report such vulnerabilities and pay a bounty. Microsoft also runs such a program but explicitly defines "Sub-Domain Takeovers" as OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES. Researchers don't bother to report vulnerabilities that aren't eligible for rewards, so nobody is reporting this to Microsoft, and Microsoft obviously has trouble keeping track of the Azure endpoints and the DNS entries they create ...
I usually don't bother to complain about this policy; after all, it is their right to decide which reports they want to handle. However, with Covid19 being such an important topic, it is absolutely irresponsible to act like this and forget about this Azure instance and the DNS entry.
Microsoft, please be careful and keep track of the Azure endpoints and DNS entries you are creating and don't make the life of attackers that easy!
Marketing Leader, SaaS & Cyber Security | Product Marketing | Go-To-Market Strategy | Messaging | Competitive Positioning | Campaign & Content Strategy | Enablement | Analyst Relations
Thanks for a fascinating read Maik - not a problem I knew existed.
Very good point Maik