My Weirdest Bug Bounty — Getting PII from O365.

Omaid Faizyar
2 min read · Mar 14, 2020


TLDR; My boss quit. I registered a domain and found the weirdest vulnerability in my entire career.

My boss quit.

I looked at his account on Microsoft Teams and noticed something odd: his email was set to unknown@af4716f4-406e-409b-acc1-b8bf9efe83fa.com.

Before he quit, it was john@[company].com

I recognized af4716f4-406e-409b-acc1-b8bf9efe83fa as a sort of ResourceID or TenantID in Azure.

For some reason, when Azure AD accounts are deactivated, O365 doesn't set the email to null, but to 'unknown@af4716f4-406e-409b-acc1-b8bf9efe83fa.com'. O365's version of null?

The problem.

After looking up 'af4716f4-406e-409b-acc1-b8bf9efe83fa.com' I found it wasn't a registered domain!

I registered the domain, set up a server, forwarded all emails to my personal email and forgot about it.

Things got interesting on Monday

My inbox was flooded with meeting invitations and email chains from Azure customers, including Microsoft themselves.

I assume the process went something like this:

Bob leaves the company or gets fired.

Bob's email is set to unknown@af4716f4-406e-409b-acc1-b8bf9efe83fa.com.

People CC Bob on email out of habit, or he's still on an email list.

This confirmed there wasn't a misconfiguration or glitch on our Azure Cloud; it was pervasive, and every Azure customer was vulnerable to it. Because I was invited to these meetings, I could actually also JOIN these video meetings too (though I didn't).
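The process described above is something a tenant admin can audit for on their own side. The following is an added example, not code from the original post or from Microsoft: it takes a directory export (a constructed sample below, with field names shaped like Graph's user object, `mail`, `accountEnabled`, `userPrincipalName`, and a made-up `memberOf` list, which is an assumption about the export format) and flags accounts whose mail address points at a domain the organization has not verified, matches the tenant-GUID placeholder pattern, or belongs to a disabled account that is still on distribution lists.

```python
import re

# Constructed sample export. Field names mirror the Graph user object (assumption);
# the values are made up, except for the placeholder domain quoted in the post.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com",
     "accountEnabled": True, "memberOf": ["All-Staff"]},
    {"userPrincipalName": "john@example.com",
     "mail": "unknown@af4716f4-406e-409b-acc1-b8bf9efe83fa.com",
     "accountEnabled": False, "memberOf": ["All-Staff", "Project-X"]},
    {"userPrincipalName": "bob@example.com", "mail": "bob@contoso-partner.example",
     "accountEnabled": True, "memberOf": []},
    {"userPrincipalName": "svc-backup@example.com", "mail": None,
     "accountEnabled": True, "memberOf": []},
]

# Domains this tenant actually owns and has verified (assumption for the sample).
VERIFIED_DOMAINS = {"example.com"}

# A bare GUID followed by ".com": the shape of the placeholder seen in the post.
GUID_DOMAIN_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.com$", re.I
)


def audit(users, verified_domains):
    """Return one finding per user whose mail address could leak outside the tenant.

    Each finding is {"upn": ..., "mail": ..., "reasons": [...]}; users with no
    mail attribute are skipped, since nothing can be delivered to them.
    """
    findings = []
    for user in users:
        addr = user.get("mail") or ""
        if "@" not in addr:
            continue
        local, domain = addr.rsplit("@", 1)
        domain = domain.lower()
        reasons = []
        if domain not in verified_domains:
            reasons.append("domain not verified for this tenant")
        if GUID_DOMAIN_RE.match(domain):
            reasons.append("tenant-GUID placeholder domain")
        if not user.get("accountEnabled", True):
            if local.lower() == "unknown":
                reasons.append("disabled account with placeholder address")
            groups = user.get("memberOf") or []
            if groups:
                reasons.append(f"disabled account still in {len(groups)} group(s)")
        if reasons:
            findings.append({"upn": user["userPrincipalName"], "mail": addr, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS, VERIFIED_DOMAINS):
        print(finding["upn"], "->", finding["mail"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The useful remediation on the tenant side is the last two checks: a leaver who is still a member of distribution lists keeps receiving mail regardless of what their address was rewritten to, so offboarding should strip group memberships and either clear the mail attribute or point it at a domain the organization controls.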

Running Responder on a VPS I spun up, I was also able to get NTLM hashes, although they were now useless because the accounts are inactive.

Really really really really really bad engineering practices going on.

For my trouble, Microsoft’s Bug Bounty gave me $1,000. Not bad for 10 minutes of work.

This is definitely the weirdest vulnerability I've found in my entire career. To this day I'm still not 100% sure how it works; I only have theories.
