An Indian-based security researcher and bug bounty hunter Sahad Nk had recently discovered that the Microsoft accounts could be accessed due to a string of bugs that existed in its subdomains. According to the cybersecurity expert Nk, Microsoft’s subdomain, success.office.com, had not been configured in the right way which let him take it over completely.
Nk used a CNAME record to link one domain to another, to link it to an unconfigured subdomain of his own Azure instance. By doing this, he ended up being in control of the subdomain. Any data that was sent to it could also be intercepted and accessed easily after this. The vulnerability extended to Microsoft Outlook, Microsoft Sway and possibly Microsoft Store too.
Sahad Nk works with the cybersecurity website SafetyDetective. These vulnerabilities were reported by the researcher to Microsoft in June 2018. The issue was subsequently resolved by Microsoft towards the end of November 2018. The security researcher was paid a bounty for finding the bug. This could have been one of the most serious bugs of our times had it been exploited but there has been no news of any such foul play.