Researchers found about 700 problematic Microsoft subdomains

700 problematic Microsoft subdomains

Vullnerability researchers found about 700 problematic Microsoft subdomains and captured one of them for demonstration.

Michel Gaschet, an information security specialist, reported about the problem back in February, and has been informing Microsoft of its many vulnerable subdomains for many years.

“The company has thousands of subdomains at its disposal, many of which can be hacked and used to attack users, employees of the company itself, as well as to distribute spam, malware, phishing attacks and other types of fraud”, – wrote Michel Gaschet.

Most often, in such cases the talk is about subdomains with incorrectly configured DNS records. Therefore, DNS records for a subdomain may point to a domain that no longer exists. As a result, anyone who uses this non-existent domain will be able to take control of the subdomain.

Thus, an attacker can redirect visitors from the captured subdomain to a phishing site, steal their credentials and other confidential information, trick them into installing malware, and so on.

For example, the subdomain points to although this server instance has been closed long time ago. Exactly in such cases, attackers can take advantage of the subdomains They set up an Azure account and request the hostname webserver9000 or As a result, when people go to, they are redirected to the criminals-owned, where victims can be offered, for example, downloading malware under the guise of a browser update.

“Most often, the company either ignores these messages, or responds to problems of large subdomains, such as and, but ignores smaller ones”, – reported Michel Gaschet.

Now, Vullnerability company specialists have spoken about the same problem from their position. They created an automated system that scans all subdomains for a number of important Microsoft domains. This scan revealed more than 670 subdomains that can be captured according to the described above scheme.

It is not yet known whether hackers are investigating Microsoft subdomains for this vulnerability, but there is definitely evidence that attackers scan network for vulnerable Microsoft Exchange servers.

The experts attached a video to their report demonstrating how the attack works.

Researchers notified Microsoft about a dozen of vulnerable subdomains, and the company took measures to prevent their capture. Among them were:,,, and

However, the researchers said they did not intend to disclose the full list, which includes another 660+ problem subdomains, until the company included these types of vulnerabilities in its bug bounty program.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *