Microsoft Office Account Hijacking Bug

A recently discovered bug allowed a researcher to hijack a Microsoft subdomain. The researcher was able to control the subdomain "success.office.com", including any data it processed. He was also able to "trick" Microsoft Office into sending authenticated login tokens through "success.office.com" after a user entered and submitted their credentials. With this bug, a successful phishing attack would have given a hacker full access to the victim's Office account. The bug has been fixed, but organizations are still advised to mitigate risk by stressing the importance of recognizing phishing scams.

Relevant URL(s): https://techcrunch.com/2018/12/11/microsoft-login-bug-hijack-office-accounts/