Stay away from cheap Microsoft Office 365 accounts
Why you should not purchase Microsoft Office 365 accounts from shady websites, and what can happen if you do.
Time for a confession…
About two years back, I bought a cheap Microsoft Office 365 account. The deal was really attractive: almost 90% discount, 5 devices, lifetime access, latest updates and 5 TB of OneDrive storage. I know what you might be thinking: this sounds too good to be true. Uday, how could you fall for it? I accept my mistake. Turns out, I am not the only one who fell for the lure, as we’ll see (not that I am trying to justify my decision).
What happened after I bought the account?
Soon after I made the payment, I received an email with the credentials of a brand new Microsoft Office 365 account. The account was not tied to any of my email addresses; instead, the seller had created the account with a new email address tied to a custom domain that they owned.
I logged in to the account to verify that everything was as promised. Surprise, surprise (well, not really): I found out that the OneDrive storage I received was just 100 GB instead of the promised 5 TB. I reached out to the given support email address highlighting the issue and asked them for a refund. I know what’s going on in your mind: expecting a refund from a dubious website, what were you thinking, Uday! I agree. Forget the refund, I did not even receive a response from them.
So I changed the password of the account and let it be.
I also knew from a “past experience” that the lifetime access claim is only valid until Microsoft finds out about this. Once they do, they block all accounts associated with the domain name, leaving them effectively useless.
What happened two years after I bought the account?
I almost forgot about this account, until a few days back. I was going through my inbox and found the mail with its credentials. I thought, let’s log in and see what the status of this account is. Obviously, I couldn’t log in with those credentials because I had changed the password, but I was only able to recall that after two hours of failed efforts to regain access to this account.
Now, you might ask, why wasn’t I able to recover this account even after spending two hours? Good question.
Turns out, the permission to reset the password of such accounts lies only with the administrator of the Microsoft 365 tenant, and Microsoft doesn’t give out the administrator email ID that easily. So as a user I did not have any recourse other than to really strain my memory and recall the password.
Finally, I logged in to the account with the password that I had set. As soon as I logged on, I received a notification that this account had been blocked and I could not access most of the services associated with it. No surprise there.
Being a curious cat, I searched to see if the domain name associated with the account was available to purchase (maybe I’d get lucky). Much to my surprise, it was available to purchase, and that too at the normal rate. Interesting, right? I purchased it right away.
What happened after I purchased the domain name?
Two things happened:
I got the administrator email ID.
I found out how many people fell for this lure (remember, I mentioned that I wasn’t the only one).
How did I get the administrator email ID?
If you have a Microsoft 365 tenant of your own, you can add a custom domain name to it. If that domain name exists within another Microsoft 365 tenant, Microsoft won’t let you add it to your tenant until it is removed from the previous tenant. To help you with that, Microsoft provides the administrator email ID associated with that other tenant. The idea being that you can directly reach out to the other tenant administrator and sort it out without Microsoft’s intervention.
How did I find out how many people fell for this lure?
After I bought the domain name, I set up a catch-all to catch emails sent to any email address associated with that domain name. A catch-all allows domain name owners to receive emails sent to any email address at their domain name, whether it exists or not.
Within a week, the catch-all caught over 12,000 emails. After analysing their header information, I identified 5,000+ unique email addresses associated with that domain name. This means that potentially 5,000+ people had also fallen for this lure.
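One way to do the header analysis described above, as an added Python example that is not part of the original post: it parses raw messages with the standard library’s email package, collects every recipient address at the domain from the To, Cc, Delivered-To and X-Original-To headers (the last two are added by the receiving mail server and survive even when the visible To header is a bare group name), de-duplicates them case-insensitively, and tallies which sender domains write to those accounts. The domain name and the sample messages are constructed placeholders; the real domain is not given in the post.

```python
"""Count unique recipient addresses at a domain from catch-all mail.

Added example, not from the original post. Assumes the catch-all mailbox has
been exported as raw RFC 5322 message text; the domain and the messages below
are constructed placeholders.
"""
from collections import Counter
from email import message_from_string
from email.policy import default
from email.utils import getaddresses

# Headers that record who a message was addressed or delivered to.
RECIPIENT_HEADERS = ("to", "cc", "delivered-to", "x-original-to")

PLACEHOLDER_DOMAIN = "catchall-example.test"  # constructed; not the real domain

# Constructed sample messages standing in for the catch-all mailbox contents.
SAMPLE_MESSAGES = [
    "From: no-reply@streaming-service.example\n"
    "To: alice@catchall-example.test\n"
    "Delivered-To: alice@catchall-example.test\n"
    "Subject: Your subscription\n\nbody\n",
    "From: alerts@bank.example\n"
    "To: Bob <bob@catchall-example.test>, carol@catchall-example.test\n"
    "Subject: Statement ready\n\nbody\n",
    # Visible To: is a group name; the real recipient is only in X-Original-To.
    "From: no-reply@streaming-service.example\n"
    "To: undisclosed-recipients:;\n"
    "X-Original-To: ALICE@catchall-example.test\n"
    "Subject: Password reset\n\nbody\n",
    # Mail for an unrelated domain that should be ignored.
    "From: someone@unrelated.example\n"
    "To: dave@other-domain.example\n"
    "Subject: not for us\n\nbody\n",
]


def recipients_at_domain(raw_message, domain):
    """Return the lower-cased addresses at `domain` found in one message."""
    msg = message_from_string(raw_message, policy=default)
    suffix = "@" + domain.lower()
    found = set()
    for header in RECIPIENT_HEADERS:
        # get_all returns every instance of a header (Delivered-To may repeat).
        values = msg.get_all(header, [])
        for _name, addr in getaddresses(values):
            addr = addr.strip().lower()
            if addr.endswith(suffix):
                found.add(addr)
    return found


def unique_recipients(raw_messages, domain):
    """Union of recipient addresses at `domain` across all messages."""
    seen = set()
    for raw in raw_messages:
        seen |= recipients_at_domain(raw, domain)
    return seen


def sender_counts(raw_messages, domain):
    """Count which sender domains write to accounts at `domain`."""
    counts = Counter()
    for raw in raw_messages:
        if not recipients_at_domain(raw, domain):
            continue
        msg = message_from_string(raw, policy=default)
        for _name, addr in getaddresses(msg.get_all("from", [])):
            if "@" in addr:
                counts[addr.rsplit("@", 1)[1].lower()] += 1
    return counts


if __name__ == "__main__":
    addrs = unique_recipients(SAMPLE_MESSAGES, PLACEHOLDER_DOMAIN)
    print(f"{len(addrs)} unique addresses at {PLACEHOLDER_DOMAIN}")
    for dom, n in sender_counts(SAMPLE_MESSAGES, PLACEHOLDER_DOMAIN).most_common():
        print(f"{n:4d}  {dom}")
```

On a real export you would feed the function the messages from an mbox or Maildir instead of the constructed list; the sender tally is what reveals which services the accounts were signed up with, since the catch-all keeps receiving their notifications.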
Just for the sake of curiosity, let’s assume that the average price for one such account is Rs. 300. Therefore, by selling it to 5,000 people the seller clocked in approximately Rs. 15,00,000 (USD 17,241 @ Rs. 87/USD).
How are these sellers able to create such accounts?
Based on what I have observed, the accounts being sold belong to Microsoft 365 tenants of educational institutions. Microsoft offers Microsoft 365 at discounted prices to educational institutions. These plans include most of the features. Somehow these sellers are able to obtain access to these tenants (their motives and methods are out of scope for this post) and use them for their own gains.
Why am I asking you to stay away from these accounts?
The Microsoft 365 tenant administrator can access all data (email, OneDrive files, etc.) and devices associated with these accounts irrespective of what they mention on their website.
Another person can take over the Microsoft 365 tenant if it is not secured properly. For example, the administrator email ID I received was associated with another custom domain name. I searched for the availability of that domain name. However, this time my luck ran out: that domain name was already registered.
Let’s pause for a moment and think through it. Imagine what could have happened had I been able to register that domain name.
I probably would have been able to take over their entire Microsoft 365 tenant and everything associated with it, including the user data.
I was also able to identify services that were signed up for using these email addresses. This means that using a simple password reset, one could possibly take over those accounts as well. Also, had the administrator allowed users to reset their password, one would have been able to take over these Microsoft accounts as well and access all of their data.
Access to these accounts can be blocked at any time. This can happen either when Microsoft finds out about the abuse of their services or when the domain is added to another Microsoft 365 tenant. For example, I can still add this domain to my Microsoft 365 tenant by reaching out to Microsoft. However, before releasing the domain from the previous tenant, Microsoft will either make all accounts associated with this domain inoperative or map them to a different domain name within the previous tenant. Note that the catch-all will still keep catching emails sent to any email address associated with this domain name.
Hopefully, after reading this post you will stay away from cheap Microsoft 365 accounts. If not, well, you have been warned.
Please note: this is not a vulnerability within Microsoft 365 or Office 365. The vulnerability lies in us: the tendency to fall for tempting offers.