A previous post explained the term subdomain takeover, and a subsequent post demonstrated it in action. Although the issue is quite severe and companies have been affected, it has generally not received coverage on news sites.


However, it was recently revealed that security researchers at CyberArk found that Microsoft had experienced the issue, which affected its Teams product and was responsibly disclosed on March 23rd.


CyberArk first discovered that a token, “authtoken”, allows the creation of an additional token, “skypetoken”, to access the victim’s data. You may wonder how it would be possible to get hold of this token.

The security researchers at CyberArk discovered two subdomains that could be taken over. With this knowledge, and because of the way authentication works when accessing image resources, the “authtoken” could be leaked by sending the victim (or multiple victims within a group) an image that would be loaded from the taken-over subdomains.


In parallel, the “authtoken” would be sent along with the “skypetoken” back to the attacker. Then the attacker would be able to access the victim’s data.


Microsoft patched this vulnerability in an update released on April 20th and removed the affected DNS records. However, as video conferencing has increased due to the Covid-19 pandemic, with a large portion of workers having to work from home, there has been a considerable increase in attacks that take advantage of the new landscape.
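A defender-side audit for the condition described above, as an added example that is not from the original post, CyberArk or Microsoft. It assumes the token is delivered as a cookie scoped to a parent domain, and every hostname, DNS record and cookie attribute in it is constructed.

```python
# Added example: flags cookies that a browser would send to a subdomain whose
# CNAME target is no longer provisioned. All data below is constructed.

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match: same host, or host is a subdomain."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def dangling_hosts(cname_records, live_targets):
    """Hosts whose CNAME target is absent from the provisioned-resource inventory."""
    return sorted(host for host, target in cname_records.items()
                  if target.lower().rstrip(".") not in live_targets)

def exposed_cookies(cookies, cname_records, live_targets):
    """Map each cookie name to the dangling hosts that would receive it."""
    dangling = dangling_hosts(cname_records, live_targets)
    findings = {}
    for cookie in cookies:
        if cookie.get("host_only"):
            # No Domain attribute: sent only to the exact host that set it.
            hits = [h for h in dangling if h == cookie["domain"].lower()]
        else:
            # Domain attribute set: sent to that domain and every subdomain.
            hits = [h for h in dangling if domain_match(h, cookie["domain"])]
        if hits:
            findings[cookie["name"]] = hits
    return findings

# Constructed DNS zone export (host -> CNAME target).
CNAMES = {
    "img-a.chat.example.com": "old-bucket.cdn-provider.example.net",
    "img-b.chat.example.com": "retired-app.paas.example.net",
    "api.chat.example.com": "prod-api.paas.example.net",
    "www.example.com": "site.paas.example.net",
}
# Constructed inventory of targets that are still provisioned; in practice this
# comes from the hosting provider's resource list or from resolving each target.
LIVE = {"prod-api.paas.example.net", "site.paas.example.net"}
# Constructed cookie inventory.
COOKIES = [
    {"name": "authtoken", "domain": "chat.example.com", "host_only": False},
    {"name": "session", "domain": "api.chat.example.com", "host_only": True},
]

if __name__ == "__main__":
    for name, hosts in exposed_cookies(COOKIES, CNAMES, LIVE).items():
        print(f"{name}: sent to dangling hosts {hosts}")
```

Either removing the dangling records or narrowing the cookie to a single host clears a finding; the post states that Microsoft removed the affected DNS records.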


Reference: here
