670+ Subdomains of Microsoft are Vulnerable to Takeover (Lead to Account Takeover) | VULLNERABILITY
Subdomains are prefixes of internet addresses. If we think of our home address as an internet
address (URL), then the street is the subdomain. Webmasters use subdomains for reasons such as
security, SEO, APIs, CDNs or categorization. Technically, subdomains work like domains, and they
need a secure platform just as much.
If a subdomain can be brought under the control of someone other than the system's owners, it is called a
subdomain takeover. It can happen because of expired hosting services or DNS misconfigurations.
After taking over the subdomain, the attacker has full privileges on it: he can upload his own
files, create his own databases, track data traffic and create a clone of the main website. As a result, it is not possible to
detect that the subdomain has been hijacked, and it threatens security through various attack
scenarios. Our team VULLNERAB1337 beat the records and discovered 670+ subdomains of Microsoft that are
vulnerable to takeover. Let us show you how we found them and what an attacker can do with this
How to Discover Subdomain Takeover Vulnerability
While reviewing HTTP responses we will see error messages like “Site not found” or “This site doesn’t exist”,
and while reviewing DNS records we will see where the subdomain is being redirected to.
(Figure: an example HTTP response of a vulnerable subdomain on GitHub)
But with some service providers we cannot see an HTTP response at all, so we need to review the DNS records to
understand whether the subdomain is vulnerable or not. For example, we cannot see an HTTP response in Microsoft Azure, so we
need to take a look at the DNS records.
Example vulnerable subdomain on Azure: azure.takeover.host. Let us look at its DNS records.
(Figure: an example of the DNS records of a vulnerable subdomain on Azure)
There are 2 points we should care about:
This information tells us that this subdomain is vulnerable to takeover and that it is hosted on
azurewebsites.net. So, an attacker can create a resource on the Microsoft Azure portal and take over the
There are lots of service providers vulnerable to subdomain takeover attacks, for example GitHub,
Amazon Web Services, Azure, Pantheon, Shopify, WordPress, Fastly, Heroku, Tumblr, etc.
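The two checks described above (an error page in the HTTP response for providers like GitHub, and a CNAME pointing at an unclaimed provider name for providers like Azure that answer nothing) can be turned into a defender-side inventory check. The following is an added example, not code from the original post or the VULLNERAB1337 team; the fingerprint strings and the sample zone (the CNAME target for azure.takeover.host, the example.com names) are constructed so that it runs offline.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Fingerprints named in the post (constructed, partial list; extend per provider).
HTTP_ERROR_SIGNS = ("Site not found", "This site doesn't exist")
DNS_ONLY_SUFFIXES = ("azurewebsites.net",)  # no error page to match: judge by DNS

@dataclass
class Finding:
    subdomain: str
    cname: Optional[str]
    vulnerable: bool
    reason: str

def check_subdomain(sub: str,
                    lookup_cname: Callable[[str], Optional[str]],
                    name_exists: Callable[[str], bool],
                    http_body: Callable[[str], Optional[str]]) -> Finding:
    """Classify one subdomain. The three callables are injected so the same
    logic runs on sample data here and on real resolvers in production:
    lookup_cname -> CNAME target or None; name_exists -> False on NXDOMAIN;
    http_body -> response body, or None when nothing answers at all."""
    cname = lookup_cname(sub)
    if cname is None:
        return Finding(sub, None, False, "no CNAME: not pointed at a third party")
    body = http_body(sub)
    if body is not None:  # check 1: provider answers with an error page (GitHub)
        for sign in HTTP_ERROR_SIGNS:
            if sign.lower() in body.lower():
                return Finding(sub, cname, True, f"provider error page: {sign!r}")
        return Finding(sub, cname, False, "target serves content")
    # check 2: no HTTP answer, so judge from DNS (Azure Web Apps)
    if cname.endswith(DNS_ONLY_SUFFIXES) and not name_exists(cname):
        return Finding(sub, cname, True, f"CNAME {cname} is unclaimed (NXDOMAIN)")
    return Finding(sub, cname, False, "CNAME target still resolves")

# Constructed sample zone and responses (not live lookups) so this runs offline.
SAMPLE_CNAMES = {"azure.takeover.host": "takeover-demo.azurewebsites.net",
                 "pages.example.com": "example.github.io",
                 "www.example.com": "lb.example.net"}
SAMPLE_EXISTS = {"lb.example.net": True}  # any other target -> NXDOMAIN
SAMPLE_BODIES = {"pages.example.com": "<h1>Site not found</h1>",
                 "www.example.com": "<html>welcome</html>"}

def scan(subs: List[str]) -> List[Finding]:
    """Run the check over a list of names using the sample data above."""
    return [check_subdomain(s, SAMPLE_CNAMES.get,
                            lambda n: SAMPLE_EXISTS.get(n, False),
                            SAMPLE_BODIES.get) for s in subs]
```

For a live inventory check, replace the three sample callables with real DNS and HTTP lookups and alert on any Finding whose `vulnerable` flag is set.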
Example Attack Scenarios
We have claimed some of those subdomains to protect them from attackers and to show you example attack
web.visualstudio.com / webeditor.visualstudio.com
(All of them are reported to Microsoft and fixed.)
What could an attacker do by exploiting this vulnerability?
Attacker could ask visitors for ID cards or their account credentials on identityhelp.microsoft.com
Attacker could force visitors to install an extension or update their browsers, and spy on them by
embedding spyware/malware on mybrowser.microsoft.com
Attacker could ask visitors to upload their project files and steal their code on
Attacker could ask team members to upload sensitive corporate documents on
data.teams.microsoft.com through the Teams app
Attacker could ask for money to recharge users' Skype accounts on sxt.cdn.skype.com
Attacker could force visitors to download malware on download.collaborate.microsoft.com
Attacker could manipulate the stats and graphs on incidentgraph.microsoft.com
Attacker could steal administrators' passwords on admin.recognition.microsoft.com
Attacker could manipulate API queries or collect sensitive information about devices on
Attacker could collect information about developers on dev.social.microsoft.com
Attacker could collect information about certificates on manage.codesign.microsoft.com
Attacker could publish new security updates and force users to download them on
Our team claimed some of those critical subdomains before attackers and reported them ethically to
Yet another danger of subdomain takeover vulnerabilities. Let us see together how an attacker can
steal your account password and cookies:
However, Microsoft doesn’t reward subdomain takeover vulnerabilities. We have already reported lots
of vulnerable subdomains, including the subdomains in this post, but we will not report the
other 660+ vulnerable subdomains until Microsoft rewards researchers. Also, until Microsoft offers
bounties to researchers for subdomain takeover vulnerabilities, we strongly recommend that you do not visit
any subdomain of Microsoft, because it is impossible to tell whether a subdomain has been hijacked or not.
How Can An Attacker Exploit This Vulnerability?
In practice, an attacker can exploit this vulnerability much like a “Stored XSS”: whatever is served from the hijacked subdomain runs in that subdomain's origin.
Also, an attacker can clone the main website’s template and steal users' credentials such as passwords,
credit card information or phone numbers.
An attacker can bypass CSP, CORS and referrer-check based protections, exploit
vulnerabilities like XSS, CSRF and clickjacking, and steal users' cookies or take over user accounts.
An attacker can deface websites that embed resources from vulnerable subdomains, or
manipulate corporate and critical endpoints like payment APIs.
An attacker can force visitors to download malware.
An attacker can hack users' devices remotely and spy on them if the subdomain is used for auto-updates.
An attacker can make illegal requests from visitors' browsers.
How We Discovered 670+ Vulnerable Subdomains of Microsoft
Our automated system scanned all subdomains of some Microsoft domains and found hundreds of
vulnerable subdomains in a short time. With our advanced technology you can track your subdomains and get an alert when one of
them becomes vulnerable. Visit:
If you are a webmaster, we suggest that you track your subdomains and remove unnecessary subdomains regularly. You should also review Microsoft's guide to be aware of phishing attacks. This article was written for educational purposes only, to show the dangers of a potential subdomain takeover attack. The subdomains were ethically reported to Microsoft and fixed in a short time. It does not aim at any illegal activity.