Yes, it is easy for anyone to hack a Microsoft Office account: a string of bugs in Microsoft's login system, when chained together, created the perfect attack and made it simple to gain access to anyone's Microsoft account, simply by tricking a user into clicking a link.
India-based bug hunter Sahad Nk found an improperly configured Microsoft subdomain, "success.office.com," which allowed him to take it over. Using a CNAME record (a canonical name record, which links one domain to another), he pointed the unconfigured subdomain at his own Azure instance. By doing this, he gained control of the subdomain and any data sent to it, he said in a write-up shared with HiiTech and TechCrunch.
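The takeover described above depends on a subdomain whose CNAME still points at a cloud endpoint nobody owns any more. The following is an added illustration (not code from the article or from Microsoft) of the audit a domain owner would run against their own zone to find such dangling records. The zone records, the inventory of provisioned endpoints and the `.cloud-host.test` provider namespace are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CnameRecord:
    name: str    # the alias in our own zone (a subdomain we are responsible for)
    target: str  # the canonical host it points to (for example a cloud-provisioned endpoint)


# Constructed sample zone; these are not claims about any real DNS data.
SAMPLE_ZONE = [
    CnameRecord("success.example.test", "legacy-campaign.cloud-host.test"),
    CnameRecord("www.example.test", "web-frontend.cloud-host.test"),
    CnameRecord("docs.example.test", "docs-app.cloud-host.test"),
]

# Constructed inventory of endpoints still provisioned at the cloud provider.
# In practice this would come from the provider's resource listing.
PROVISIONED = {"web-frontend.cloud-host.test", "docs-app.cloud-host.test"}

# Provider namespaces where an unclaimed name can be registered by anyone
# (assumed for the example; a real audit lists the provider namespaces in use).
CLAIMABLE_SUFFIXES = (".cloud-host.test",)


def _norm(host: str) -> str:
    """Normalise a hostname for comparison: lowercase, no trailing dot."""
    return host.lower().rstrip(".")


def find_dangling(zone, provisioned, claimable_suffixes=CLAIMABLE_SUFFIXES):
    """Return the aliases whose CNAME target sits in a claimable provider
    namespace but is no longer in our provisioned inventory.

    Those are the records an outsider could satisfy by registering the
    target name themselves, so they should be removed or re-provisioned."""
    owned = {_norm(h) for h in provisioned}
    dangling = []
    for rec in zone:
        target = _norm(rec.target)
        if target.endswith(claimable_suffixes) and target not in owned:
            dangling.append(rec.name)
    return dangling


if __name__ == "__main__":
    for alias in find_dangling(SAMPLE_ZONE, PROVISIONED):
        print(f"dangling CNAME: {alias}")
```

The check is deliberately conservative: a CNAME to a host outside the claimable namespaces is not flagged, since the risk the article describes is specific to provider namespaces where an unregistered name is free for anyone to claim.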
He also found that Microsoft's Store, Office and Sway apps could be tricked into sending their authenticated login tokens to his newly controlled domain after a user logged in through Microsoft's Live login system.
This was possible because the vulnerable apps used a wildcard regular expression that treated any office.com address as trusted and safe, including his newly controlled subdomain.
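To make the wildcard problem concrete, here is an added Python example (not code from the article or from Microsoft) that places a loose "contains office.com" pattern next to a hardened redirect-target check that parses the URL and compares the exact hostname against an allowlist. The weak pattern and the allowlist contents are assumptions for the illustration, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlparse

# Hypothetical reproduction of the weak check: a wildcard pattern that accepts
# any URL containing "office.com". It illustrates the bug class, not actual code.
WEAK_PATTERN = re.compile(r".*office\.com.*")


def weak_is_trusted(redirect_url: str) -> bool:
    """Wildcard trust: any string containing office.com passes."""
    return WEAK_PATTERN.match(redirect_url) is not None


# Hardened check: require https, parse the URL properly and compare the exact
# hostname against an explicit allowlist of registered redirect hosts.
# The allowlist content is an assumption for the example.
ALLOWED_HOSTS = frozenset({"www.office.com"})


def strict_is_trusted(redirect_url: str) -> bool:
    """Exact-host trust: only https URLs whose parsed hostname is allowlisted pass."""
    try:
        parts = urlparse(redirect_url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in ALLOWED_HOSTS


# Constructed sample redirect targets: a legitimate host, the taken-over subdomain
# named in the article, a look-alike registered domain, a userinfo trick and plain http.
SAMPLES = [
    "https://www.office.com/",
    "https://success.office.com/?token=abc",
    "https://office.com.attacker.test/",
    "https://www.office.com@attacker.test/",
    "http://www.office.com/",
]


def compare(urls=SAMPLES):
    """Return {url: (weak_verdict, strict_verdict)} for each sample URL."""
    return {u: (weak_is_trusted(u), strict_is_trusted(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in compare().items():
        print(f"{url:45s} weak={weak!s:5s} strict={strict}")
```

Only the first sample survives the strict check; every other sample is accepted by the wildcard pattern, which is exactly why a single hijacked subdomain was enough to receive tokens. Note that the strict check still has to be paired with the zone audit: an allowlisted host that later becomes a dangling CNAME is just as dangerous.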
If the victim clicked a specially crafted link sent in an email and logged in through Microsoft's sign-in system with their username, password and two-factor code, the system created an account access token, the credential that keeps a user logged in without having to re-enter their password again and again. Obtaining an account's access token is effectively the same as having that person's credentials, and it lets an attacker break into the user's account without setting off any warning or alarm. A year ago, more than 30 million Facebook accounts were put at risk through the same type of account token; this year's bug is likely a repeat of that.
The subdomain was set up so that logging in to a Microsoft account passed the account token to the subdomain under Nk's control. Had it been controlled by a malicious attacker, countless accounts could have been put at risk. Worst of all, the malicious URL looked official: the user still logged in through Microsoft's own systems, and the parameter in the URL pointing to the subdomain did not look strange either, because it was a Microsoft Office subdomain.
A malicious attacker could easily have accessed anyone's files, documents and email by getting into their Microsoft account, including corporate and enterprise accounts, and it would have been near impossible to tell the attacker apart from an authorized user.
Nk reported the bug to Microsoft, which remediated the issue. Microsoft paid him a bug bounty reward for his efforts in finding the bug.
A Microsoft spokesperson confirmed this in an email to our sister publication TechCrunch.