A Bug Left Your Microsoft Account Wide Open to Complete Takeover
(Dec 11, 2018)
Sahad Nk, a bug bounty hunter, found several Microsoft vulnerabilities that left users' accounts open to takeover by unauthorised actors. Nk noticed that the subdomain "http://success.office[.]com" was not configured properly, which allowed him to take control of it and, with it, any information that was sent to it. This subdomain also received authenticated login tokens for Microsoft Office, Outlook, Store, and Sway. This meant that Nk could obtain a login token and use it to access the corresponding account without needing a username or password.
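The two conditions that combined here, a subdomain whose DNS record points at something nobody controls any more, and a login flow willing to send tokens to that subdomain, are both auditable from the defender's side. The script below is an added example, not code from the original story or from Microsoft: it takes a constructed zone export and a constructed OAuth redirect allow-list, flags CNAME records whose target no longer resolves, and reports which allow-list entries (wildcards in particular) would accept a dangling host as a token destination. The `sample_resolves` lookup is a stand-in for a real DNS query, and all hostnames are invented.

```python
"""Audit a DNS zone for dangling CNAMEs and check whether an OAuth redirect
allow-list would deliver tokens to any of them.  All data below is constructed."""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "success.example.com"
    rtype: str   # "A" or "CNAME"
    target: str  # address or canonical name (may carry a trailing dot)


# Constructed zone export; "webapps.invalid" stands in for any hosted platform
# whose tenant names can be released and re-registered.
SAMPLE_ZONE = [
    Record("www.example.com", "A", "203.0.113.10"),
    Record("success.example.com", "CNAME", "success-site.webapps.invalid."),
    Record("blog.example.com", "CNAME", "blog-site.webapps.invalid."),
    Record("docs.example.com", "CNAME", "www.example.com."),
]

# Constructed resolver state: the hosted tenant behind success.example.com
# has been deleted, so its canonical name no longer resolves.
LIVE_TARGETS = {"blog-site.webapps.invalid", "www.example.com"}


def sample_resolves(host: str) -> bool:
    """Stand-in for a DNS lookup; replace with a real resolver in production."""
    return host in LIVE_TARGETS


def dangling_cnames(zone, resolves=sample_resolves):
    """CNAME records whose target does not resolve: takeover candidates."""
    return [r for r in zone
            if r.rtype == "CNAME" and not resolves(r.target.rstrip(".").lower())]


def host_pattern(uri_pattern: str) -> str:
    """'https://*.example.com/auth' -> '*.example.com' (host part only)."""
    rest = uri_pattern.split("://", 1)[-1]
    return rest.split("/", 1)[0].lower()


def redirect_exposure(allow_list, dangling):
    """Map each redirect-URI pattern to the dangling hosts it would accept.
    Shell-style wildcards are matched with fnmatch, so '*.example.com'
    admits every dangling name under example.com."""
    exposure = {}
    for pattern in allow_list:
        hits = sorted(r.name for r in dangling
                      if fnmatch(r.name, host_pattern(pattern)))
        if hits:
            exposure[pattern] = hits
    return exposure


# Constructed allow-list: one exact callback and one over-broad wildcard.
SAMPLE_ALLOW_LIST = [
    "https://login.example.com/callback",
    "https://*.example.com/auth",
]


def audit(zone=SAMPLE_ZONE, allow_list=SAMPLE_ALLOW_LIST, resolves=sample_resolves):
    """Run both checks and return a plain dict suitable for alerting."""
    dangling = dangling_cnames(zone, resolves)
    return {
        "dangling": [r.name for r in dangling],
        "exposure": redirect_exposure(allow_list, dangling),
    }


if __name__ == "__main__":
    result = audit()
    for name in result["dangling"]:
        print(f"DANGLING CNAME: {name}")
    for pattern, hosts in result["exposure"].items():
        print(f"redirect pattern {pattern!r} would accept: {', '.join(hosts)}")
```

The useful output is the second list: a dangling record is a hygiene problem on its own, but a dangling record that a token-issuing redirect rule accepts is the condition that turns it into account takeover. Replacing the wildcard entry with exact callback URIs makes the exposure map empty even while the stale DNS record is being cleaned up.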
Recommendation: This vulnerability was fixed by Microsoft in November 2018, but had been a problem since June 2018. Threat actors are often observed to use vulnerabilities even after they have been patched by the affected company. Ensure that your organisation is using good basic cyber security habits. It is important that organisations and their employees use strong passwords that are not easily guessable and do not use the default administrative passwords provided, because those are typically weak. Update firewalls and antivirus software to ensure that systems can detect breaches or threats as soon as possible and reduce the severity of the consequences. Educate employees on the dangers of phishing emails and teach them how to recognise malicious emails. It is also recommended to encrypt any sensitive data at rest and in transit to limit the damage of potential breaches.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.