
Claiming a Microsoft shorturl for an easy phish

tl;dr: Microsoft has an internal-use shorturl service at that can be enumerated for hijackable links. It might be useful for you as a red teamer if you want to phish Windows users.

I reported this issue to Microsoft a week ago. They closed it as out-of-scope for their Bug Bounty program (which I don’t disagree with) so I think it’s probably fine if I share it here.

Details

Microsoft uses a shorturl service which supports URLs like the following link, which you may have been redirected to this page from.

The LinkId parameter of the URL is fairly easy to enumerate. I used the following simple Python script to do so, just to find out which LinkIds lead to which URLs.

import requests
import sys
import json

# usage: python enum.py <targetname> <shorturl prefix> <fallback url prefix>
targetname = sys.argv[1]   # name of the state file (without .json)
target = sys.argv[2]       # prefix that the LinkId is appended to
failurl = sys.argv[3]      # prefix of the redirect returned for unknown LinkIds

# Resume from a previous run if a state file exists, otherwise start fresh.
try:
    with open(f"{targetname}.json") as fp:
        print("found previous state")
        state = json.load(fp)
except FileNotFoundError:
    state = {
        "million": [i for i in range(100000, 1000000)],  # LinkIds left to check
        "found": []                                        # [linkid, location] hits
    }

def resolve(linkid):
    # Do not follow the redirect; the Location header is all we need.
    resp = requests.get(f"{target}{linkid}", allow_redirects=False)
    location = resp.headers.get("Location", "")
    # A LinkId is a hit when it redirects somewhere other than the generic fallback.
    hit = f"{failurl}{linkid}" != location
    return hit, location

try:
    while state["million"]:
        linkid = state["million"].pop()
        hit, location = resolve(linkid)
        if hit:
            print("HIT", linkid, location)
            state["found"].append([linkid, location])
except KeyboardInterrupt:
    print("Saving checked targets")

# Persist progress so the run can be resumed later.
with open(f"{targetname}.json", "w") as fp:
    json.dump(state, fp)

After running this overnight (I didn’t attempt to make it efficient), I found a ton of working LinkIds. This is not a problem in itself, since most of the redirect locations are still valid.

Where it gets a bit more interesting is by looking at the URLs whose targets have expired, e.g. because the redirect points to an expired domain name or a decommissioned cloud service.

I spent ~20€ to get myself which points to.

I also found the following expired domains that may still be available:

  • ->
  • ->
  • ->

There were also some domains which belong to the deprecated “Cloud Service” offering by Azure. I tried claiming one, but getting a Cloud Service to work on a modern system was way too much work.
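For whoever owns such a shortener, the useful counterpart is an audit that walks a saved state file of [linkid, location] pairs and flags redirect targets whose hosts no longer resolve, so the link can be retired before someone else registers the name. The script below is an added example, not code from the original post; the sample state and the FAKE_DNS table are constructed, and audit_redirects, dangling_hosts and host_resolves are names chosen here.

```python
import json
import socket
from urllib.parse import urlsplit

def host_resolves(host):
    """True if the host still resolves in DNS (performs a real lookup)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def audit_redirects(found, resolves=host_resolves):
    """Classify each [linkid, location] pair from the enumeration state file:
    status is 'ok', 'dangling' (host no longer resolves) or 'invalid' (no host).
    Hosts are looked up once so a large inventory does not hammer the resolver."""
    cache, report = {}, {}
    for linkid, location in found:
        host = urlsplit(location).hostname
        if not host:
            report[linkid] = (None, "invalid")
            continue
        if host not in cache:
            cache[host] = resolves(host)
        report[linkid] = (host, "ok" if cache[host] else "dangling")
    return report

def dangling_hosts(report):
    """Hosts whose links should be retired before someone else registers them."""
    return sorted({h for h, status in report.values() if status == "dangling"})

# Constructed sample in the shape the enumeration script saves to <targetname>.json
SAMPLE_STATE = json.loads("""
{"million": [], "found": [
  [123456, "https://docs.example.com/setup"],
  [234567, "https://old-promo.example.net/landing"],
  [345678, "https://docs.example.com/faq"],
  [456789, "not a url"]
]}
""")

# Constructed DNS answers so the demo runs offline; pass host_resolves for real checks.
FAKE_DNS = {"docs.example.com": True, "old-promo.example.net": False}

if __name__ == "__main__":
    report = audit_redirects(SAMPLE_STATE["found"], lambda h: FAKE_DNS.get(h, False))
    print(report)
    print("dangling:", dangling_hosts(report))
```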

As an attacker, you could abuse this to create links that seem trustworthy, similar to Open Redirect vulnerabilities. If you were, e.g., trying to seem like an authentic Microsoft employee over the phone, a short URL like this is probably a bit easier to get victims to enter, and given that the domain ends with, easier to gain trust with.

Further research

Besides looking for hijackable links, it could also be interesting to look for secrets or other internal sensitive links that could reveal information that should not be visible to the public.

Another interesting target might be the other Microsoft link shortener, which uses short phrases instead of numeric IDs, or GitHub’s, which looks like it uses the same software (I enumerated a bit, but did not find anything).