We all know when granting permission to an account, this account will receive an invitation email that link to the Microsoft Invitation page. Today when doing some stuffs of authorization, I realized that Microsoft would make something *perhaps not correct* to make people feel scary.
Look at the bottom would you be surprised because the email was sent from Microsoft email@example.com and the URL is https://invitations.microsoft.com/redeem/?tenant=<ID>?. Click Learn more, I’m going to be scary to see that Microsoft claims this kind of website is not under Microsoft’s control.
The first thing flashed in my mind is not that a Microsoft’s vendor managing something called “Invitation system“. We all know Microsoft is working with many vendors doing web administration. The first thing is that my browser looks compromised because I read this article a couple of days ago. In this article the security research found that the browser could not detect a new phishing attack using a technique called Phishing with Unicode domain.
My upcoming book will cover more security stuffs and defense in depth strategy as well as step-by-step guidance on how to set things up. Go purchase it from here with only exclusive price at $9.99 before the release date on 15 June 2017
Open certificate I would be more feeling relief. From the information, the certificate is issued by internal CA system which is trusted. Well I kind of believe so.
The impact would be if you grant permission to people in your customer who need to go to your Azure subscription to evaluate something, they would be surprised then ask you if their browsers are hijacked. Business users may not know but IT guys with security awareness may ask for this stuff. In the event of investigation, perhaps nobody actually comes to conclusion whether they are hijacked or Microsoft is making a mistake which brings a scare to the customer. Who know if there would be an investigation to be conducted along with wasting money & effort after realizing that this stuff is a Microsoft’s fault.
Microsoft needs to clarify or at least makes the message more clear so there is no wasting effort for a deep investigation.
Btw I’ve sent a message to Microsoft and will update if there is a response.