Full Report
The legacy domain for Microsoft Stream was hijacked to show a fake Amazon site promoting a Thailand casino, causing all SharePoint sites with old embedded videos to display it as spam. [...]
Analysis Summary
# Incident Report: Hijacked Microsoft Stream Classic Domain Spamming SharePoint
## Executive Summary
The domain `microsoftstream.com`, used by the retired Microsoft Stream Classic service, was hijacked. SharePoint pages that still embedded Stream Classic videos loaded content from the hijacked domain and showed a spam page (a fake Amazon storefront promoting a Thailand casino, signed 'Ibiza99') in place of the video. The immediate impact was limited to users viewing intranet pages that carried those embeds, but the incident illustrates a broader risk: customer content keeps referencing a vendor's long-lived domain long after the service behind it is retired, and if that domain is no longer monitored and controlled, whoever takes it over inherits that trust. Microsoft acknowledged the reports and stated that it had taken action to prevent further access to the impacted domains.
## Incident Details
- **Discovery Date:** Not stated precisely; Reddit users reported the spam pages as having appeared "this afternoon" on the day the article was published.
- **Incident Date:** Not stated; the hijack preceded the first user reports, and each SharePoint page showed the spam page as soon as its embed fetched content from the hijacked domain.
- **Affected Organization:** Microsoft (specifically, users accessing SharePoint sites embedding content previously hosted on Stream Classic).
- **Sector:** Technology/Cloud Services.
- **Geography:** Not stated; any Microsoft 365 tenant whose SharePoint pages still embed Stream Classic content is affected, regardless of region.
## Timeline of Events
### Initial Access
- **Date/Time:** Not explicitly stated, but occurred prior to user reports.
- **Vector:** Domain Hijacking of `microsoftstream.com`.
- **Details:** Attackers obtained control of the domain formerly used by Microsoft Stream Classic and pointed it at a web server they operated. The source does not say whether the registration lapsed and was re-registered or whether the registrar/DNS account was compromised.
### Lateral Movement
- Not applicable in the traditional sense. The attacker never touched any SharePoint tenant; existing embed code on SharePoint pages already referenced the domain, so every page that loaded pulled the attacker's content automatically.
### Data Exfiltration/Impact
- **Impact:** SharePoint sites displaying embedded videos were showing a spam page instead of the intended video content. The page was signed by 'Ibiza99'.
- **Data Theft:** No evidence of malware distribution or large-scale data exfiltration was reported in this specific incident.
### Detection & Response
- **Detection:** Reported by users via social media platforms (Reddit) asking for help regarding suspicious websites appearing on their intranet SharePoint sites.
- **Response Actions:** Microsoft acknowledged the reports and took "appropriate action to further prevent access to impacted domains," effectively shutting down the compromised domain again.
## Attack Methodology
- **Initial Access:** Domain Hijacking (unspecified method used against the registrar).
- **Persistence:** Two conditions kept the attack live without any action by the attacker: `microsoftstream.com` kept resolving to the attacker-controlled server, and SharePoint pages still carried embed code referencing that domain, so every page view re-fetched the spam content.
- **Privilege Escalation:** Not applicable; the action was focused on external domain resolution control.
- **Defense Evasion:** The attack rode on implicit trust: the `microsoftstream.com` embeds had been placed in intranet pages by site owners while the service was live, so content from that origin rendered inside trusted SharePoint pages without any user interaction or warning.
- **Credential Access:** Not reported or indicated.
- **Discovery:** Not explicitly mentioned, but the attackers utilized existing, active embed code on SharePoint sites pointing to the hijacked domain.
- **Lateral Movement:** Not applicable.
- **Collection:** Not applicable.
- **Exfiltration:** Not applicable.
- **Impact:** Display of unsolicited spam content (web page redirection).
## Impact Assessment
- **Financial:** Not quantified, but associated incident response costs and potential remediation for affected customers are implied.
- **Data Breach:** No specific data breach reported; impact was limited to content display/redirection.
- **Operational:** Minor operational disruption due to user confusion and the appearance of inappropriate content on official intranet sites.
- **Reputational:** Negative impact on trust regarding domain management for retired Microsoft services.
## Indicators of Compromise
- **Network indicators (Defanged):**
- DNS resolution of `microsoftstream.com` (and the subdomains used in Stream Classic embed URLs) to infrastructure not operated by Microsoft. The source gives no attacker IP address or nameserver; defang any you observe in your own logs before sharing them.
- **File indicators:** None specified as the attack was primarily a DNS/web redirection event.
- **Behavioral indicators:**
- SharePoint users encountering spam pages when an embedded video from the legacy Microsoft Stream Classic system should have loaded.
- Page signed by 'Ibiza99'.
## Response Actions
- **Containment Measures:** Microsoft shut down the domain again ("taken appropriate action to further prevent access to impacted domains").
- **Eradication Steps:** Microsoft's statement says only that it prevented access to the impacted domains; whether this was done by reclaiming the registration, changing the delegation, or blocking the name is not stated.
- **Recovery Actions:** Restoration of normal page rendering on the customer side, presumably by removing the legacy embeds or repointing them at a live service, since the hijacked domain could not safely be relied on in the interim.
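Recovery starts with knowing which pages still embed the legacy domain. The following is an added example (not part of the original report or of any Microsoft tooling) that walks exported SharePoint page markup offline and lists every embed or link whose host is `microsoftstream.com` or a subdomain of it. It assumes the page HTML has already been exported (for example via the SharePoint REST API); the sample pages, paths and video identifier below are constructed for illustration. Matching is done on the host suffix rather than by substring, so look-alike hosts such as `evil-microsoftstream.com` are not reported as legacy embeds.

```python
"""Inventory of SharePoint page markup that still embeds the retired Stream Classic domain.

Added example, not code from the original report or from Microsoft. It assumes page HTML
has already been exported and operates on that markup offline; SAMPLE_PAGES is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that belonged to the retired Stream Classic service (apex from the report).
# Subdomains such as web.microsoftstream.com are matched by suffix.
LEGACY_HOSTS = ("microsoftstream.com",)

# Tags/attributes through which a page pulls in external content.
EMBED_ATTRS = {
    "iframe": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "video": ("src",),
    "source": ("src",),
    "script": ("src",),
    "a": ("href",),
}


def is_legacy_host(url: str) -> bool:
    """True if the URL's host is a legacy host or a subdomain of one (suffix match, not substring)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LEGACY_HOSTS)


class EmbedFinder(HTMLParser):
    """Collects every embed/link attribute whose URL points at a legacy host."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[dict] = []

    def handle_starttag(self, tag, attrs):
        wanted = EMBED_ATTRS.get(tag.lower())
        if not wanted:
            return
        for name, value in attrs:
            # value is None for boolean attributes such as allowfullscreen
            if name.lower() in wanted and value and is_legacy_host(value):
                self.hits.append({"tag": tag.lower(), "attr": name.lower(), "url": value})


def find_legacy_embeds(html: str) -> list[dict]:
    parser = EmbedFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def scan_pages(pages: dict[str, str]) -> dict[str, list[dict]]:
    """Map page path -> legacy embeds found; pages with none are omitted."""
    return {path: hits for path, html in pages.items() if (hits := find_legacy_embeds(html))}


# Constructed sample pages (hypothetical paths and IDs, not real tenant content).
SAMPLE_PAGES = {
    "/sites/hr/SitePages/Onboarding.aspx": (
        '<iframe width="640" height="360" allowfullscreen '
        'src="https://web.microsoftstream.com/embed/video/00000000-0000-0000-0000-000000000000?autoplay=false">'
        "</iframe>"
    ),
    "/sites/hr/SitePages/Benefits.aspx": (
        '<iframe src="https://contoso.sharepoint.com/sites/hr/_layouts/15/embed.aspx?UniqueId=abc"></iframe>'
    ),
    "/sites/it/SitePages/Phishing.aspx": (
        '<a href="https://microsoftstream.com/video/abc">Watch</a> '
        '<iframe src="https://evil-microsoftstream.com/"></iframe>'
    ),
}

if __name__ == "__main__":
    for path, hits in scan_pages(SAMPLE_PAGES).items():
        for hit in hits:
            print(f"{path}: <{hit['tag']} {hit['attr']}={hit['url']}>")
```

The same host test is what you would add to a web proxy or CASB block list: block the suffix, not the literal string, so embeds under any Stream Classic subdomain stop loading until the pages are fixed.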
## Lessons Learned
- **Key Takeaways:** Domain life cycle management for retired services is a security control, not housekeeping. A domain that customer content still references must stay registered, locked at the registrar, and resolving to infrastructure the owner controls (a sinkhole or a redirect to the successor service) for as long as those references exist.
- **What could have been done better:** The article does not say whether the registration lapsed or the registrar account was compromised; in either case, keeping the domain under strict control after the service retired and warning customers to migrate their embeds would have removed the hijack opportunity, and monitoring the domain's records would have caught the change before users did.
## Recommendations
- **Prevention Measures for Similar Incidents:**
1. Continuously monitor the DNS records (delegation, apex and service hostnames) of every public domain a product has ever used, and keep monitoring after the product is retired; alert on any change to the nameserver set or on addresses outside the owner's known ranges.
2. Before a service is retired, inventory dependent content (such as SharePoint embeds) and either migrate the references to the successor service or remove them; never let a still-referenced domain lapse or change hands.
3. Apply registrar lock and, where the registry offers it, registry lock to high-value and legacy domains, and require MFA on the registrar account. DNSSEC guards against forged resolver responses, not against takeover at the registrar, so it complements these controls rather than replacing them.
4. Where the rendering platform allows it, constrain which external origins may be framed or scripted in intranet pages (for example a `frame-src` / `child-src` allow list in the Content Security Policy), so a single hijacked origin cannot render arbitrary content inside trusted pages.
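The monitoring in recommendation 1 is a baseline comparison: record the expected nameserver set and address ranges for each legacy domain, then re-check on a schedule. The following is an added example (not part of the original report or of Microsoft's monitoring) of that check; the baselines and the observed records are hypothetical, constructed values so the block runs offline. In production the observed NS and A records would come from a live lookup (for example `dig NS` / `dig A`, or dnspython's `dns.resolver.resolve(name, "NS")`), and a sinkholed domain is expected to return no A records at all.

```python
"""Baseline drift check for DNS records of retired or legacy domains.

Added example, not code from the original report or from Microsoft. Baselines and observed
records below are constructed (hypothetical) values; a live check would populate `observed`
from a resolver.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    nameservers: frozenset[str]   # expected delegation set, lowercase FQDNs without trailing dot
    address_ranges: tuple[str, ...]  # CIDR blocks that apex/service A records must stay inside
    sinkholed: bool = False        # True if the name is intentionally parked with no A records


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def check_domain(domain: str, baseline: Baseline,
                 observed_ns: list[str], observed_a: list[str]) -> list[str]:
    """Return a list of drift findings for one domain; an empty list means no drift."""
    findings: list[str] = []

    # 1. Delegation change is the strongest hijack signal: the registrant's NS set moved.
    ns = frozenset(_norm(n) for n in observed_ns)
    if ns != baseline.nameservers:
        findings.append(
            f"{domain}: NS delegation changed, expected {sorted(baseline.nameservers)}, "
            f"observed {sorted(ns)}"
        )

    # 2. A sinkholed domain that suddenly resolves is being served by someone.
    if baseline.sinkholed and observed_a:
        findings.append(f"{domain}: sinkholed name now resolves to {observed_a}")

    # 3. Any address outside the owner's known ranges is drift, even if delegation looks intact.
    nets = [ipaddress.ip_network(c) for c in baseline.address_ranges]
    for addr in observed_a:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            findings.append(f"{domain}: A record {addr} outside expected ranges {list(baseline.address_ranges)}")
    return findings


def check_all(baselines: dict[str, Baseline],
              observed: dict[str, tuple[list[str], list[str]]]) -> dict[str, list[str]]:
    """Run check_domain over every baseline; domains with no findings are omitted."""
    report = {}
    for domain, baseline in baselines.items():
        ns, a = observed.get(domain, ([], []))
        findings = check_domain(domain, baseline, ns, a)
        if findings:
            report[domain] = findings
    return report


# Constructed baselines (hypothetical nameservers and ranges, not any vendor's real records).
BASELINES = {
    "legacy-video.example": Baseline(
        nameservers=frozenset({"ns1.vendor-dns.example", "ns2.vendor-dns.example"}),
        address_ranges=("198.51.100.0/24",),
    ),
    "parked-service.example": Baseline(
        nameservers=frozenset({"ns1.vendor-dns.example", "ns2.vendor-dns.example"}),
        address_ranges=(),
        sinkholed=True,
    ),
    "healthy.example": Baseline(
        nameservers=frozenset({"ns1.vendor-dns.example", "ns2.vendor-dns.example"}),
        address_ranges=("198.51.100.0/24",),
    ),
}

# Constructed "observed" snapshot standing in for a live lookup: (NS records, A records).
OBSERVED = {
    "legacy-video.example": (["ns1.cheap-registrar.example.", "ns2.cheap-registrar.example."],
                             ["203.0.113.7"]),
    "parked-service.example": (["ns1.vendor-dns.example.", "ns2.vendor-dns.example."],
                               ["203.0.113.9"]),
    "healthy.example": (["NS1.vendor-dns.example.", "ns2.vendor-dns.example."],
                        ["198.51.100.20"]),
}

if __name__ == "__main__":
    for domain, findings in check_all(BASELINES, OBSERVED).items():
        for line in findings:
            print(line)
```

Run this on a schedule and page on any non-empty result; a nameserver change on a domain nobody is supposed to be touching is worth a human look every time.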