Skip to content

Microsoft Office Sub-domain Takeover Vulnerability Affecting 400 Million Users

Security Researcher Sahad Nk recently discovered a string of webapp vulnerabilities in Microsoft (Office & Live Login System), that could allow an attacker to easily gain access to organizations emails and data on Office. Though individually the vulnerabilities were not severe, but when connected together could lead to critical data loss. Here’s brief overview of how it was made possible:

Vulnerability 1 : Sub-domain takeover of success.office.com

The CNAME record for Sub-domain success.office.com was pointed to successcenter-prod.azurewebsites.net. During a host check, it was realized that the application was no longer up and the researcher was able to take over the sub-domain by registering an Azure web app with the name successcenter-msprod. After taking over the sub-domain, this opened a lot of avenues for him to explore and attack the application, which would not have been possible otherwise.

Vulnerability 2: Improper OAuth Checks

He also found that Microsoft Office, Outlook, Store, and Sway apps can be tricked into sending authenticated login tokens to the success.office.com sub-domain. When a Microsoft user logs in to Microsoft Live (login.live.com) the login token would be leaked to the server controlled by Sahad.

Attack Execution:

For attack execution, he would just have to send an email to trick the user to click a link, which would provide him with a valid session token — a way to log in to the user’s account without even needing their username or password. As he had taken over a legitimate Microsoft owned sub-domain, that link would come in the form of a login.live.com URL, which could easily bypass phishing detection used in email security, web security or antivirus solutions.

What Can Organizations Do About It?

Misconfigured Sub-domains, can be considered as part of Shadow IT, which is a big problem impacting a large number of organizations. Organizations should first get a complete understanding of their Digital Attack Surface: Most organizations do not have a complete view of their digital attack surface. Common gaps include a lack of monitoring of domains, sub-domains, Server / IPs, IoT, 3rd Party Services etc. A single misconfigured sub-domain (like in Microsoft’s case) can lead to a catastrophic breach.

Organizations should continuously monitor their Digital Assets : In the era of DevOps, digital assets go online and offline on a continuous basis, and need to be continuously monitored to minimize the window of exposure.

According to SafetyDetective, the issues were reported to Microsoft in June and were fixed in November.

Reference: https://www.safetydetective.com/blog/microsoft-outlook/

About FireCompass:

FireCompass is a SaaS platform for Continuous Automated Pen Testing, Red Teaming  and External Attack Surface Management (EASM). FireCompass continuously indexes and monitors the deep, dark and surface webs using nation-state grade reconnaissance techniques. The platform automatically discovers an organization’s digital attack surface and launches multi-stage safe attacks, mimicking a real attacker, to help identify breach and attack paths that are otherwise missed out by conventional tools.

Feel free to get in touch with us to get a better view of your attack surface.

Important Resources: