Microsoft Network Anomaly Redirects Traffic Intended for Testing Domain
In an unusual incident reported by Microsoft, an unexplained network anomaly inadvertently redirected traffic meant for the testing domain example.com to a Japanese electronics cable manufacturer, Sumitomo Electric. The example.com domain, reserved under RFC 2606, is designated solely for illustrative and testing purposes; it is not meant to host any real service, which keeps it from attracting misuse and unsolicited traffic.
As defined by the Internet Engineering Task Force, example.com is not available for actual use and is reserved for situations where developers, testers, and technical discussions need a domain that will never be put into real service. Reserving the domain in this way ensures that whoever would otherwise hold the name is not overwhelmed with unnecessary traffic.
Recent investigations, carried out with the cURL command, revealed that devices within Microsoft's Azure network were incorrectly routing some email traffic to subdomains of sei.co.jp. Most of the output was as expected, but the JSON-based responses generated during attempted connections contained clear anomalies. For example, adding a test email account on example.com in Outlook led to interactions with the imapgms.jnet.sei.co.jp and smtpgms.jnet.sei.co.jp subdomains.
The routing error stemmed from Microsoft's autodiscover service, a feature that looks up a mailbox's server settings so that account setup in Outlook needs only an address and password. According to cybersecurity expert Michael Taggart at UCLA Health, the incident appears to result from a basic misconfiguration within Microsoft's network setup. He pointed out the consequences: a user setting up an account on example.com might inadvertently send test credentials to the misrouted domains, which is a potential security threat.
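The check a defender would want after reading this is simple: before a client hands credentials to the IMAP or SMTP host that an autodiscover reply names, confirm that the host belongs to the account's own domain or to an expected hosting provider. The following is an added example written for this article, not code from Microsoft or from the investigation it describes. The JSON shape is a constructed, simplified stand-in for an autodiscover reply (not Microsoft's real schema), and the allowed-provider suffixes are an assumption; the host names in the sample are the ones reported above.

```python
import json
from typing import Iterable, List, Tuple

# Constructed sample standing in for an autodiscover reply. The field names
# are simplified for this example and are NOT Microsoft's actual schema; the
# server names are the subdomains the article reports.
SAMPLE_RESPONSE = json.dumps({
    "Account": "testuser@example.com",
    "Protocols": [
        {"Type": "IMAP", "Server": "imapgms.jnet.sei.co.jp", "Port": 993},
        {"Type": "SMTP", "Server": "smtpgms.jnet.sei.co.jp", "Port": 587},
    ],
})

# Assumption: hosts under these suffixes are the provider's own mail servers
# and are acceptable for a domain hosted on that provider.
DEFAULT_ALLOWED_SUFFIXES: Tuple[str, ...] = ("outlook.office365.com",)


def account_domain(address: str) -> str:
    """Return the lowercase domain part of a mailbox address."""
    if address.count("@") != 1:
        raise ValueError(f"not a mailbox address: {address!r}")
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")


def host_matches(host: str, suffix: str) -> bool:
    """True if host equals suffix or is a label-aligned subdomain of it.

    The leading dot matters: 'evilexample.com' must not match 'example.com'.
    """
    host = host.strip().lower().rstrip(".")
    suffix = suffix.strip().lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def find_foreign_servers(
    account: str,
    response_json: str,
    allowed_suffixes: Iterable[str] = DEFAULT_ALLOWED_SUFFIXES,
) -> List[Tuple[str, str]]:
    """Return (protocol, server) pairs whose host is outside the trusted set.

    The trusted set is the account's own domain plus the allowed provider
    suffixes. An empty list means every advertised server is where the
    credentials are expected to go.
    """
    domain = account_domain(account)
    trusted = (domain,) + tuple(allowed_suffixes)
    data = json.loads(response_json)
    foreign: List[Tuple[str, str]] = []
    for proto in data.get("Protocols", []):
        server = proto.get("Server", "")
        if not server:
            continue
        if not any(host_matches(server, s) for s in trusted):
            foreign.append((proto.get("Type", "?"), server))
    return foreign


def safe_to_authenticate(account: str, response_json: str) -> bool:
    """Policy decision: only proceed when no server is foreign."""
    return not find_foreign_servers(account, response_json)


if __name__ == "__main__":
    for proto, server in find_foreign_servers("testuser@example.com", SAMPLE_RESPONSE):
        print(f"WARNING: {proto} server {server} is outside example.com; do not send credentials")
    print("safe:", safe_to_authenticate("testuser@example.com", SAMPLE_RESPONSE))
```

Run against the constructed sample, both advertised servers are flagged because neither sits under example.com or the assumed provider suffix, and `safe_to_authenticate` returns False. The same check fits naturally into a mail-client integration test or a periodic monitor that queries autodiscover for a few canary mailboxes and alerts when the returned hosts change domain.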
In response to inquiries regarding the cause of the anomaly, Microsoft representatives initially requested more time to investigate. By Monday morning, the inappropriate routing had ceased; however, clarity on the underlying issues remained absent.
This incident shows why robust configuration management matters in IT networks. While this particular event may not indicate malicious intent, it underscores how serious a security vulnerability a misconfiguration can become if an adversary finds it first. Adhering to best practices in network management mitigates the risks associated with misrouted traffic.
From a cybersecurity perspective, the MITRE ATT&CK tactic most relevant to this incident is initial access by way of a misconfigured service, which in this case could have allowed traffic to be redirected without authorization. It serves as a reminder for business owners to remain vigilant and proactive in finding and fixing configuration vulnerabilities before they can be exploited.