A massive bug in a Microsoft subdomain could have left your Microsoft account — from your Office documents to your Outlook emails — susceptible to hacking. An India-based security researcher and bug hunter, Sahad Nk, recently uncovered the vulnerabilities. It was a series of bugs which when chained together could allow access to someone’s Microsoft account.


A Microsoft bug could have exposed 400 million accounts

While working as a security researcher, Nk discovered that the Microsoft subdomain, success.office.com, wasn’t properly configured. He was, in fact, able to completely take over the subdomain. He used a CNAME record, a canonical record used to link one domain to another, to point the unconfigured subdomain to his own Azure instance. By doing this, Nk could control the subdomain, and any data sent to it.



That wouldn’t have been much of a problem on its own if there wasn’t this second major vulnerability.

Microsoft Office, Outlook, Store, and Sway apps send authenticated login tokens to the success.office.com subdomain. But Nk also found that these apps use a wildcard regex, allowing all office.com — including his newly controlled subdomain — to be trusted. This way, he could gain access to any Microsoft account simply by making the user click on a specially crafted link sent in an email. And because Nk has access on Microsoft’s side, that link would come in the form of a login.live.com URL. Not even the savviest of internet users and phishing detectors could suspect the URL.

If it were controlled by a malicious attacker, as many 400 million Office 365 users could have been exposed. Thankfully, Nk quickly reported the bug to Microsoft, which then fixed it.

Reportedly, the issues were previously discovered in June itself. They were eventually fixed in November before being remediated by Sahad Nk. He was able to do so by removing the CNAME record, a Microsoft spokesperson told to TechCrunch.

Microsoft paid out a bug bounty for Nk’s efforts.