aka.ms/MFASetup reads like a phishing attack #31136
Comments
@idontusenumbers Thanks for the comment! We will investigate this issue and get back to you soon.
@idontusenumbers Aka.ms is an internal Microsoft URL shortening service and not available publicly, so there is no way that it can be identified even closely as a phishing attack URL. As per your statement it seems like this is just an assumption on your part, but we assure you that the URL is completely safe and it is not at all associated with any phishing activity. Hope this clarifies your doubts. Should you have any further query on this, feel free to tag me or the doc author @eross-msft in your reply and we will be happy to clarify anything as needed. We will close this issue now. Thank you.
@MohitDhingra-MSFT @eross-msft There is no evidence that suggests that aka.ms is internal or Microsoft-controlled without significant research. That's like Chase bank saying "it's okay to enter your bank account credentials on cha.se because we control it". There's no way for even a tech-savvy user to verify it's a Microsoft domain because it immediately redirects to a different domain so the certificate can't be verified. Users are taught year after year to very specifically flag this sort of domain as a phishing domain and to report it to their IT department. In my (professional) opinion, this is an enormous security mistake and benefits no one. https://microsoft.com/mfasetup would be a 1000x better option.
Indeed, I thought I was being spearphished very cleverly today, with a very plausible-looking invoice accompanied by an email that invited me to "View your Agreement(s) https://aka.ms/AA1wm3t." Yeah right, like I'm gonna follow a link to some dodgy-looking URL in the Montserrat domain! Thanks for posting the bona fides here to GitHub, clearly not a phishing attack ;-)
I agree. Link shortening services are VERY suspicious. In fact the DoD blocks all of them (except their own HA)...so all aka.ms links just fail for us. This is actually becoming common for enterprises. The reason is we TRAIN users to look at URLs to be sure they are going where they think they are going. With link shorteners you can never be certain...no matter how "official" the link shortener service is.
i have a virus redirecting to it https://www.hybrid-analysis.com/sample/d03c96928139226641bbd01466dcca67e004a8cb3913f505d2092bd14890a8be?environmentId=120 |
Not all are secure, check this one: schemas.microsoft.com/SMI/2005/WindowsSettings". Many of the most active viruses I'm studying at the moment are all certificate-signed, all Microsoft-whitelisted, all contacting Google ad services or legitimate Microsoft / semi-legitimate pages.... Another weird thing: I have another virus that uses /embedding followed by a number string as a CLI argument, and in another of those aka.ms websites in the URL there is a URL context asking Embedded?y/N aka
I'd suggest the Azure devs read https://www.sans.org/security-awareness-training/blog/secure-options-url-shortening. |
But... I don't think it reasonable to expect anyone outside of MS to trust (or even know about) its control of aka.ms. So https://safecomputing.umich.edu/be-aware/phishing-and-suspicious-email/shortened-url-security is I think most relevant here... |
@MohitDhingra-MSFT @eross-msft Can we get a deeper analysis of the use of this shortened URL? From a user's point of view, there's no benefit to the shortened URL and enormous costs: inability to complete the task because IT blocks URL shorteners or because it's perceived as a phishing attack and thus intentionally not clicked.
Hmmm... a good next step might be to look at some specific cases in which aka.ms is used, then classify each as a use-case or a misuse-case. That's way out of my range of responsibility -- I'm just an end-user. I'll now unsubscribe from this thread.... but as a parting gift I do have a case to offer: an email I received a month ago, with an aka.ms link. A flat-text version is appended. I have suppressed anything that's obviously-unhashed PII, and I'm ok with running the privacy risk of posting this case to a publicly-viewable web area.
Here's the anonymised case. Ignore if you like. I have already frittered away more than enough of my time on this issue! Cheers, -- From: Microsoft (do not reply) maccount@microsoft.com http://compass.microsoft.com/assets/eb/68/WWW.png Your Microsoft billing statement is ready Organization: XXX Domain: YYY.com Your billing statement is ready for review and is attached to this email. We email invoices by default, but you can change how you receive invoices https://portal.office.com/AdminPortal/Home?ref=BillingNotifications if you want. Thank you, The Microsoft Online Services Team Microsoft respects your privacy. Review our online Privacy Statement https://privacy.microsoft.com/en-us/privacystatement . Additional questions? Please visit Customer Support https://businessstore.microsoft.com/en-us/support site. View your Agreement(s) https://aka.ms/AA1wm3t . Microsoft Corporation --
Me again, with a second case of aka.ms usage. This case features a friendly target of the aka.ms: the link displays in my (Acrobat Pro DC) PDF viewer as https://aka.ms/Office365Billing. I'd be very surprised if there were a covert channel that allowed this particular aka.ms redirection to be pulling my PII from this particular PDF document, but that'd certainly be a possibility worth exploring if I were a malware designer or on contract as a security analyst! (Case notes: I rendered the PDF attachment of my case #1 to PNG, then I cut out the displayed PII.)
Thank you everyone for your insight into the URLs. We appreciate the provided data as it helps shape our decisions going forward. |
#please-close |
5 months later, you're still using this domain to encourage Windows 10 owners to link their phone with their desktop, so that "I never have to email pictures to myself ever again". So those pictures will be routed through a server in Montserrat? Thanks, but I figure I'll just download them via USB instead.
Is it safe now or what? |
:) |
I agree. |
There is a big security concern: it looks like a phishing URL
This requires every person that ever receives one of these aka.ms links to have received, read, and remembered such a notice. That's a lot to ask.
I don't think Microsoft needs to send that announcement to everyone. Publishing such notice on their websites will do. |
Would a hacker that broke into the Microsoft docs and rewrote them use a domain similar to aka.ms? Would the hacker use microsoft.com?
While I think most of this thread is excessive concern about phishing URLs, as an end-user if you go to the bare URL https://aka.ms, you are now redirected to https://redirectiontool.trafficmanager.net/am/redirection/home?options=host:aka.ms which redirects to a login page for the MS Redirection tool. Though it doesn't show you that anywhere on the screen - sample screen.

If an end user was to try to find information about aka.ms, the first thing that comes up in my search results is many instances of people asking if it is OK. I was just updating a web site I have been helping on, and was hoping to find something official from Microsoft explaining what aka.ms was that I could link to, and I couldn't find a reputable/official-looking source to reference.

Worst of all, if an unauthorized user (non-Microsoft, and non-Microsoft-authorized tenant guest) was to fully log into the page, they get this error that would be confusing to most.

If someone tried to use an undefined, removed, or invalid aka.ms link - like https://aka.ms/DoesntExist - it takes you to Microsoft.com at least, but it should be much clearer that it is owned by Microsoft.

I see that https://aka.ms by itself redirecting into your internal redirection tool login page is easy for you all, but it would be confusing to most users. I would love for there to be some way that https://aka.ms had a page with an explanation that this is a Microsoft service, a link to some Microsoft.com/aka-ms-url-shortener or similar page, and an explanation that only Microsoft or authorized contractors can access it to create these links, and most likely a "Login" button in the top right for you all to go to the https://redirectiontool.trafficmanager.net/am/redirection/home?options=host:aka.ms URL. Given those additional steps, a user could
I just opened PowerShell and was greeted with "Try the new cross-platform PowerShell https://aka.ms/pscore6". My first thought was... "uh oh, have I been infected?". I visited this URL and then experienced what seemed like several redirects, ultimately dropping me at https://login.microsoftonline.com/oauth2/authorize?---REMOVED_FOR_BREVITY---&redirect_uri=https://redirectiontool.trafficmanager.net---REMOVED_FOR_BREVITY--- Everything about this experience confirmed my belief that this was malware / phishing / bad news. How can anyone actually confirm that aka.ms doesn't have bad properties in its database? This is double-plus-ungood.
Did you possibly visit https://aka.ms and not https://aka.ms/pscore6? Currently, if you go to the root site directly (and not one of its shortlinks) then it will have you try to sign in to determine if you can access the tool to create the ShortLinks. If you do not have access, it will show you errors similar to my previous message above. https://aka.ms just redirects to https://redirectiontool.trafficmanager.net/am/redirection/home?options=host:aka.ms But then, that page may try to redirect you to a login page. But, I agree that this could look confusing to users who didn't know that aka.ms is owned by Microsoft and is a private URL shortener for their internal use only.
Using a redirect checker tool - https://www.redirecttracker.com/ - if you are not already used with the Microsoft BusinessStore, then you will get a request to either log in to the Business Store, or authorize the Business Store (to read your email address/OpenID and verify your identity). So there is definitely nothing about the short link that is linking to any form of PII - it is linking to a service, that then prompts you to log on because you weren't logged in or hadn't authorized that app to access your information. By the same sort of redirection, there is a good chance this will redirect you to your company's SharePoint domain (if you have one) even though I don't know your company name. So, no PII is remotely included in the aka.ms redirects - they send you to a web service from Microsoft, the Microsoft service will see if you are already logged in, if needed it may send you to the Microsoft Sign In or Authorize pages, and the Microsoft Sign In may prompt you with a login/authorize page that mentions your company information, because the sign-in page had that information available from previous sessions/cookies/pass-thru from Windows/etc.
It has always been safe |
I got to this site because I was searching to see if AKA.ms was a legit site for a phishing expedition. So it is not just an assumption on the user who first posted this. |
This isn't entirely accurate though, is it? Since it's a redirection service, for it to be 100% safe it would have to vouch for all content it redirects to. Even if only employees can add these redirects, that doesn't mean someone working at MS couldn't do something malicious, or even just by mistake. Or perhaps redirect to a domain that then expires and becomes the property of someone malicious. Wouldn't be the first time this sort of thing has happened.
It is significantly safer than a random public link shortener, since Microsoft security will be scanning the destinations, since the employees will have to be held responsible for the things that they create, and because it will be easily trackable who created what link, with a Microsoft employee's job on the line if they were to make a compromising forward.
The problem is that, as a person who sees and might click on that link, there's no reason to believe it's actually a Microsoft link. No matter how much safety there is on Microsoft's servers and in their internal policies and procedures, I still won't click the link because as far as I know, it's going to a hacker's server. These links are definitively not Microsoft links, they are aka.ms links. They are indistinguishable from phishing attacks, full stop. Additionally, job safety is not a guarantee against unsavory behavior.
It sounds like your problem is with DNS in general, and you should probably take that up with IEEE.

Aka.ms is registered by Microsoft and operated by Microsoft. You should trust links that are to the AKA.ms domain just as you would trust any link that a Microsoft employee sends you. Period.

A separate issue is whether a person is competent or not to figure out if a link is actually going to aka.ms, if a link is going to be a URL shortening service, just a website configured to automatically forward to another website, or to another place, but that's not a discussion for Microsoft, that's a discussion for security training somewhere else.
As a typical user, how would I know that? 99.99% of users won't know how to determine that.
Why? I know microsoft.com takes me to the Microsoft website, and I (a technology expert) can use built-in browser tools to determine the certificate is good before clicking the link. Assuming aka.ms is wrongly identified to be potentially safe (it should NOT BE!!! It is a cliche example of a phishing attack domain!!!), and I do the same with aka.ms, suspicious redirects happen to what appears to be a phishing attack. I know I can use whois and inspect the certificate before the redirect, but that is not something practically any user would be able to do.
100% of security training says DO NOT click links like aka.ms and DO NOT trust senders of such links. Microsoft should know this and not make links like aka.ms. I guarantee Microsoft administers mandatory security training to all of their employees that says DO NOT click links like this. This should have been obvious to all their employees, especially the ones whose career it is to avoid these things. They failed to make this realization so I reported this bug.
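The two manual checks raised in this thread (walking the redirect chain one hop at a time, as with the redirect-tracker tool above, and inspecting the certificate of each host before the browser is forwarded, as this comment suggests) can be scripted. The Python below is an added example written for this page; it is not code from the thread, from Microsoft, or from the aka.ms service. It never auto-follows a 3xx, so each hop's host is visible before anything is fetched from it, and it refuses redirect loops and over-long chains. `tls_identity` opens a real, verified TLS connection and needs network access; the `FAKE_CHAIN` data and the `short.example` / `redirector.example.net` hosts are constructed placeholders so the chain walker can be exercised offline.

```python
"""Hop-by-hop resolution of a short link, with a TLS identity check per host."""
import socket
import ssl
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on a 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """One GET with no redirect following. Returns (status, Location or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "hopcheck/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx lands here because of _NoRedirect; 4xx/5xx land here too.
        return err.code, err.headers.get("Location")


def tls_identity(host, port=443, timeout=10):
    """Verified TLS handshake; returns who the certificate says the host is."""
    ctx = ssl.create_default_context()  # system trust store, hostname checked
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = dict(item for rdn in cert["subject"] for item in rdn)
    issuer = dict(item for rdn in cert["issuer"] for item in rdn)
    return {
        "subject_cn": subject.get("commonName"),
        "subject_org": subject.get("organizationName"),
        "issuer_org": issuer.get("organizationName"),
    }


def trace(url, fetch=http_fetch, max_hops=10):
    """Walk the redirect chain by hand. Returns a list of (url, status, location).

    The final entry carries a None status and a reason string when the walk was
    stopped for a loop or the hop limit rather than by a non-redirect response.
    """
    hops, seen, current = [], set(), url
    for _ in range(max_hops):
        if current in seen:
            hops.append((current, None, "redirect loop"))
            return hops
        seen.add(current)
        status, location = fetch(current)
        hops.append((current, status, location))
        if status not in REDIRECT_CODES or not location:
            return hops
        current = urljoin(current, location)  # relative Location is allowed
    hops.append((current, None, "hop limit reached"))
    return hops


def hosts(hops):
    """Distinct hostnames in chain order: the list a user should sanity-check."""
    out = []
    for url, _, _ in hops:
        h = urlsplit(url).hostname
        if h and h not in out:
            out.append(h)
    return out


# Constructed, offline stand-in for http_fetch. Hosts are hypothetical.
FAKE_CHAIN = {
    "https://short.example/abc": (301, "https://redirector.example.net/r?id=abc"),
    "https://redirector.example.net/r?id=abc": (302, "/login?next=%2Fr%3Fid%3Dabc"),
    "https://redirector.example.net/login?next=%2Fr%3Fid%3Dabc": (200, None),
    "https://short.example/loop": (302, "https://short.example/loop2"),
    "https://short.example/loop2": (302, "https://short.example/loop"),
}


def fake_fetch(url):
    return FAKE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        chain = trace(target)
        for url, status, location in chain:
            print(f"{str(status):>5}  {url}  ->  {location or ''}")
        for host in hosts(chain):
            try:
                print(host, tls_identity(host))
            except (OSError, ssl.SSLError) as err:
                print(host, "TLS check failed:", err)
```

Run it as `python hopcheck.py https://aka.ms/SomeLink` to see every host the browser would pass through and the organisation each certificate was issued to, before you click. Note that a clean certificate only proves who operates a hop, not that the final destination is benign; as the earlier comment about expired domains points out, the last host in the chain deserves the same scrutiny as the first.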
You're just reiterating the same arguments that are still not something that Microsoft needs to be responsible for. Microsoft does have security training for things like phishing, but this domain - Azure docs - surely isn't the place to talk about that. If you want to talk about that go find the security documentation for phishing and talk about it there.
Who else but Microsoft is responsible for sending links for Microsoft properties? It would behoove them to make sure they do not smell phishy.
Came here because I was convinced I was getting phished to enable 2FA, spent 15 minutes to figure out the email was legitimate. This is the extent of the confusion largely caused by the shortened URL.
Got an email from a recruiter with an aka.ms link. Completely ignored it thinking that's some phishing attempt or weird marketing research. Was bothering me so decided to report this to Microsoft and what do you know, it's just a legit dodgy-looking URL. Since this thread is the first meaningful result from Google (the actual first result is in image), people will be coming here to check. And they will because, as in the first two comments by idontusenumbers, the domain looks super phishy. Which part of "aka.ms" suggests that it's Microsoft? Definitely not "aka". Maybe with some imagination Doing external communication via
I just received an email from someone claiming to be with Microsoft’s Software Analysis and Intelligence Research Group asking me to fill out a survey for open source contributors on an |
We understand your concerns and frustrations. As a content organization, we've stepped away from using the aka.ms URLs; however, outside of our organization they are still in use. While we've talked to the product teams about this, they feel they are still of use and continue to use them. Because this thread is about the documentation, I'm going to close it to commenting now. @dknappettmsft please lock this conversation. Thanks! |
The aka.ms domain looks like a phishing attack that every enterprise has trained their employees not to click.