A bug in Microsoft’s login system made it easy to hijack anyone’s Office account

A string of bugs when chained together created the perfect attack to gain access to someone’s Microsoft account — simply by tricking a user into clicking a link.

Sahad Nk, an India-based bug hunter, discovered that a Microsoft subdomain, “success.office.com,” had not been properly configured, allowing him to take it over. He used a CNAME record, a canonical record used to link one domain to another, to point the unconfigured subdomain to his own Azure instance. In doing so, he controlled the subdomain — and any data sent to it, he said in a write-up shared with TechCrunch prior to publication.

That wouldn’t be much of a problem on its own, but Nk also found that Microsoft Office, Store and Sway apps could be tricked into sending their authenticated login tokens to his newly controlled domain after a user logs in through Microsoft’s Live login system.

That’s because the vulnerable apps use a wildcard regex, allowing all office.com — including his newly controlled subdomain — to be trusted.

Once the victim clicks on a specially crafted link sent in an email, for example, the user will log in through Microsoft’s login system using their username and password — and two-factor code, if set up — which creates an account access token to keep the user logged in without having to enter their password again and again. Obtaining an account access token is the equivalent of having someone’s credentials — and allows an attacker to break into that user’s account seamlessly, often without raising any alarms or triggering any warnings. (They’re the same kind of account tokens that put more than 30 million Facebook accounts at risk earlier this year.)

But the malicious URL is crafted in a way that instructs Microsoft’s login system to pass the account token to Nk’s controlled subdomain — which, if it were controlled by a malicious attacker, could have put countless accounts at risk. Worst of all, the malicious URL looks legitimate — because the user still logs in through Microsoft’s systems, and the “wreply” parameter in the URL also doesn’t look suspect because it’s an Office subdomain.

In other words: Anyone’s Office account — even enterprise and corporate accounts, including their email, documents and other files, could have been easily accessed by a malicious attacker — and it would have been near-impossible to discern from a legitimate user.

Nk, with the help of Paulos Yibelo, reported the bug to Microsoft, which fixed the vulnerability.

“The Microsoft Security Response Center mitigated the case in November 2018,” a Microsoft spokesperson confirmed in an email to TechCrunch. The bug was remediated by removing the CNAME record pointing to Nk’s Azure instance, he explained.

Microsoft paid out a bug bounty for Nk’s efforts.