From the Department of Bizarre Anomalies: Microsoft has suppressed an unexplained anomaly on its network that was routing traffic to example.com – a domain reserved for testing purposes – to a manufacturer of electronics cables based in Japan.
Under RFC2606 – an official standard maintained by the Internet Engineering Task Force – example.com is not reachable by any party. Instead it resolves to IP addresses assigned to the Internet Assigned Names Authority. The purpose of the designation is to prevent third parties from being bombarded with traffic when developers, penetration testers, and others need a domain for testing or discussion of technical issues. Instead of naming an Internet-routable domain, they must choose example.com or two others, example.net and example.org.
Misconfig is gone, but is it fixed?
The output of the terminal command cURL shows that devices inside Azure and other Microsoft networks are routing some traffic to a subdomain of sei.co.jp, a domain belonging to Sumitomo Electric. Most of the resulting text is exactly as expected. The exception is JSON-based responses. Here’s the JSON output from Friday:
{"email":"email@example.com","services":[],"protocols":[{"protocol":"imap","hostname":"imapgms.jnet.sei.co.jp","port":993,"encryption":"ssl","username":"email@example.com","validated":false},{"protocol":"smtp","hostname":"smtpgms.jnet.sei.co.jp","port":465,"encryption":"ssl","username":"email@example.com","validated":false}]}
Similarly, adding a new account for test@example.com in Outlook showed results like this:


In both cases, the results showed that Microsoft was routing email traffic to two sei.co.jp subdomains: imapgms.jnet.sei.co.jp and smtpgms.jnet.sei.co.jp. This behavior was the result of Microsoft’s AutoDiscover service.
“I admit I’m no expert on the inner workings of Microsoft, but this appears to be a simple misconfiguration,” said Michael Taggart, a senior cybersecurity researcher at UCLA Health. “The result is that anyone attempting to set up an Outlook account on the example.com domain may accidentally send test credentials to those sei.co.jp subdomains.”
When asked Friday afternoon why Microsoft was doing this, a representative had no answer and asked for more time. As of Monday morning, the improper routing was no longer occurring, but the representative still had no response.
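A defender-side check for the behavior described above, as an added example that is not part of the original article and is not Microsoft's code: it parses a mail auto-configuration response in the JSON shape quoted earlier and flags mail hosts that fall outside the account's domain, treating any such mapping for a reserved domain as high severity. The function names and the severity labels are assumptions made for illustration.

```python
import json

# Second-level domains the article cites as reserved under RFC 2606.
RESERVED = ("example.com", "example.net", "example.org")

# Response body exactly as quoted in the article.
SAMPLE = ('{"email":"email@example.com","services":[],"protocols":['
          '{"protocol":"imap","hostname":"imapgms.jnet.sei.co.jp","port":993,'
          '"encryption":"ssl","username":"email@example.com","validated":false},'
          '{"protocol":"smtp","hostname":"smtpgms.jnet.sei.co.jp","port":465,'
          '"encryption":"ssl","username":"email@example.com","validated":false}]}')


def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def audit_autoconfig(body):
    """Return findings for one mail auto-configuration JSON response."""
    doc = json.loads(body)
    domain = doc.get("email", "").rpartition("@")[2].lower()
    reserved = any(in_domain(domain, r) for r in RESERVED)
    findings = []
    for entry in doc.get("protocols", []):
        host = entry.get("hostname", "")
        if in_domain(host, domain):
            continue  # server lives under the account's own domain
        # A reserved domain should never be mapped to a third party's servers.
        # For other domains an outside host is often legitimate hosted mail,
        # so it is only queued for review (labels are hypothetical).
        findings.append({
            "severity": "high" if reserved else "review",
            "protocol": entry.get("protocol"),
            "host": host,
            "port": entry.get("port"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_autoconfig(SAMPLE):
        print(finding)
```
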