Microsoft

The legacy domain for Microsoft Stream was hijacked to show a fake Amazon site promoting a Thailand casino, causing all SharePoint sites with old embedded videos to display it as spam.

Microsoft Stream is an enterprise video streaming service that allows organizations to upload and share videos in Microsoft 365 apps, such as Teams and SharePoint.

Video content hosted on Microsoft Stream was accessed or embedded through a portal at microsoftstream.com.

In September 2020, Microsoft announced they were deprecating the Microsoft Stream classic service and moving it into SharePoint.

Organizations were told to migrate their Microsoft Stream videos to the new platform by April 2024, when the service was retired.

Microsoft Stream classic domain hijacked

Today, the Microsoft Stream classic domain, microsoftstream.com, was hijacked to display a website imitating Amazon that acts as a phishing page for a Thai online casino, as shown below.

Microsoftstream.com site showing a spam site
Source: Archive.org

It is unclear whether the domain itself was hijacked or its DNS was modified to show the site, but WHOIS records show that a change was made to the domain on March 27, 2025.


Domain Name: MICROSOFTSTREAM.COM
Registry Domain ID: 2027086511_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.comlaude.com
Registrar URL: http://www.comlaude.com
Updated Date: 2025-03-27T02:46:29Z
Creation Date: 2016-05-09T22:38:37Z
Registry Expiry Date: 2025-05-09T22:38:37Z
Registrar: Nom-iq Ltd. dba COM LAUDE
Registrar IANA ID: 470
Registrar Abuse Contact Email: abuse@comlaude.com
Registrar Abuse Contact Phone: +442074218250
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1-04.AZURE-DNS.COM
Name Server: NS2-04.AZURE-DNS.NET
Name Server: NS3-04.AZURE-DNS.ORG
Name Server: NS4-04.AZURE-DNS.INFO

As a result of the hijack, SharePoint servers that still had videos embedded from the classic microsoftstream.com domain were now showing this spam page inside their pages.

"This afternoon, a user reported a suspicious website on our intranet, that is using microsoftstream.com. After some analysis, it turns out the domain is currently redirecting to a sketchy website signed by 'Ibiza99'," reported a SharePoint admin on Reddit.

"Here's an interesting one for you all. I just got a call that our SharePoint site was showing spam instead of embedded videos. Interesting, I thought. I wonder how that could happen," another Reddit thread explained.

"So I jumped on to see the issue, site is using embedded video from an aspx page on the SharePoint layout. It is definitely showing spam."

Earlier today, the domain was shut down again, blocking the spam page from appearing in SharePoint.

"We are aware of these reports and have taken appropriate action to further prevent access to impacted domains," Microsoft told BleepingComputer when asked about the incident.

However, Microsoft did not share further information about how the domain was hijacked.

Thankfully, the threat actors behind this hijack did not attempt to conduct a more harmful campaign, such as distributing malware through fake software updates or other messages that would have been displayed on SharePoint servers.
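
A defender-side check for the exposure described above, as an added example (not code from the article or from Microsoft): it scans exported page HTML for embeds that still load from the retired domain, matching on the parsed host rather than on a substring so look-alike hosts are not flagged. The function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Retired domain named in the article; extend with other decommissioned hosts.
RETIRED_DOMAINS = {"microsoftstream.com"}
# Tag -> attribute that makes the browser load remote content into the page.
URL_ATTRS = {"iframe": "src", "embed": "src", "script": "src",
             "video": "src", "source": "src", "object": "data"}


def is_retired_host(url):
    """True if the URL's host is a retired domain or one of its subdomains."""
    if url.startswith("//"):  # protocol-relative embed
        url = "https:" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in RETIRED_DOMAINS)


class EmbedFinder(HTMLParser):
    """Collects (line, tag, url) for every embed loading from a retired domain."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)  # None for tags that do not embed content
        for name, value in attrs:
            if name == wanted and value and is_retired_host(value.strip()):
                self.hits.append((self.getpos()[0], tag, value.strip()))


def find_retired_embeds(html):
    finder = EmbedFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample page (not taken from a real site).
SAMPLE_PAGE = """<div class="webpart">
<iframe src="https://web.microsoftstream.com/embed/video/EXAMPLE-ID"></iframe>
<iframe src="//MicrosoftStream.com/embed/channel/EXAMPLE"></iframe>
<iframe src="https://contoso.sharepoint.com/sites/hr/video.aspx"></iframe>
<a href="https://web.microsoftstream.com/video/EXAMPLE-ID">old link</a>
<script src="https://microsoftstream.com.example.net/x.js"></script>
</div>"""

if __name__ == "__main__":
    for line, tag, url in find_retired_embeds(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url}")
```

Plain links to the old domain are deliberately not reported, since only embedded content is rendered inside the page without a click.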
