All Articles

Claiming a microsoft shorturl for an easy phish

tl;dr; Microsoft has an internal use shorturl service at go.microsoft.com that can be enumerated for hijackable links. It might be useful for you as a red teamer if you want to phish windows users.

I reported this issue to Microsoft a week ago. They closed it as out-of-scope for their Bug Bounty program (which I don’t disagree with) so I think it’s probably fine if I share it here.

Details

go.microsoft.com uses a shorturl service which supports url like the following link, which you may have been redirected to this page from.

https://go.microsoft.com/fwlink/p/?LinkId=187566

The LinkId parameter of the URL is fairly easy to enumerate. I used the following simple python script to do so, just to find which LinkIds lead to what URLs.

import requests
import sys
import json
import random

targetname = sys.argv[1]
target = sys.argv[2]
failurl = sys.argv[3]

try:
    with open(f"{targetname}.json") as fp:
        print("found previous state")
        state = json.load(fp)
except:
    state = {
        "million": [i for i in range(100000, 1000000)],
        "found": []
    }
    random.shuffle(state["million"])

def resolve(linkid):
    resp = requests.get(f"{target}{linkid}", allow_redirects=False)
    # print(resp.headers["Location"])
    hit = f"{failurl}{linkid}" != resp.headers["Location"]
    return hit, resp.headers["Location"]

try:
    while state["million"]:
        linkid = state["million"].pop()
        print(linkid)
        hit, location = resolve(linkid)
        if hit:
            print("HIT", linkid, location)
            state["found"].append([linkid, location])
except KeyboardInterrupt:
    print("Saving checked targets")

with open(f"{targetname}.json", "w") as fp:
    json.dump(state, fp)

After running this overnight (I didn’t attempt to make it efficient). I found a ton of working LinkIds. This is not a problem in itself, since most of the redirect locations of these are still valid.

Where it get’s a bit more interesting is by looking at the URLs that have expired, e.g. due to it being an expired domain name or a cloud service.

I spent ~20€ to get myself http://blog.identityjunkie.com which https://go.microsoft.com/fwlink/p/?LinkId=187566 points to.

I also found the following expired domains that may still be available:

  • dfnextgenmdm.com https://go.microsoft.com/fwlink/p/?LinkId=397563 -> https://portal.manage.DFNextGenMDM.com/EnrollmentRedirect.aspx
  • sposites.com https://go.microsoft.com/fwlink/p/?LinkId=512531 -> https://portal.sposites.com/sites/ITOE/ST/RaaS/blog/Lists/Posts/Post.aspx?ID=464
  • emachines.se https://go.microsoft.com/fwlink/p/?LinkId=190225 -> https://www.emachines.se

There were also some cloudapp.net domains, which belongs to the deprecated “Cloud Service” offering by Azure. I tried claiming one, but getting a Cloud Service to work on a modern system was way too much work.

Impact

As an attacker, you could abuse this to create links that seem trustworthy. Similar to Open Redirect vulnerabilities. If you were e.g. trying to seem like an authentic microsoft employee over the phone. Having a short url like this is probably a bit easier to get victims to enter, and given that the domain ends with microsoft.com, easier to gain trust with.

Further research

Besides looking for hijackable links, it could also be interesting to look for secrets or other internal sensitive links that could reveal information that should not be visible to the public.

Another interesting target might be to look at the other Microsoft link shortener aka.ms that uses short phrases instead of numeric ids. Or GitHub’s gh.io which looks like it uses the same software (I enumerated gh.io a bit, but did not find anything).

Published Mar 9, 2023

    Security Engineer with a dash of software. Originally from Stockholm, now in Berlin. I like to hack things.