1

Facebook alerted me that some SSL certificates have been issued that potentially phish one of our domains:

enter image description here

The detailed view for one of these entries is as follows:

enter image description here

When I access one of these domains, it forwards to our actual domain.

There are plenty of resources online about the risks that are involved if this is, indeed, the beginnings of a phishing attack. However, we're a low-reward target, so it's unlikely that someone is attempting to perform a phishing attack.

We don't use Microsoft's cloud, and I'm not very familiar with it. Is there a simple, innocuous explanation for the possible purpose of these domains and associated certificates? We provide a SaaS product and do work with partners to fulfill certain parts of our system. Perhaps one of our partners uses Microsoft cloud and their system caused these domains and certificates to be generated?

I'd ask Microsoft, but since we're not a customer of theirs, they won't help us...

rinogo
  • To reiterate, I realize there's not enough information available to determine exactly what's going on. My hope is that someone with experience with Microsoft/Azure will recognize these symptoms and point us in what could be the right direction. – rinogo Apr 30 '20 at 17:35
  • cas.ms is a domain owned by Microsoft themselves. They are legitimately allowed to issue certs for this domain and any subdomains. It's not clear what exactly your problem is. The domains also resolve to Microsoft infrastructure. – Pedro Perez May 16 '20 at 22:58
  • @PedroPerez The problem is that we don't do business with Microsoft. Heck, I couldn't even verify that these certs were owned by Microsoft and not by someone posing as them. In this world of phishing scams, I think this is a legitimate concern. I still don't have any idea why MS is issuing certs and doing redirects for our domain... – rinogo May 17 '20 at 02:34
  • The certs belong to Microsoft, the domains belong to Microsoft and the sites you hit when you hit those domains belong to Microsoft. You keep talking about "our domain", but it is not clear what domain you think is yours here. "cas.ms" is owned by Microsoft. – Pedro Perez May 17 '20 at 12:53
  • @PedroPerez As mentioned in the question, "When I access one of these domains, it forwards to our actual domain." – rinogo May 17 '20 at 16:34

1 Answer

2

The "cas.ms" domain is used by Microsoft's Cloud App Security tool, in particular around the application conditional access control. Is it possible that someone has looked to enable this service? This is not Azure-specific; it can be used as part of Office 365 or standalone.

The solution works by adding a proxy in front of your applications, hence why it would be pointing to your URLs.

Sam Cogan
  • We're not using Office 365 at an organization level, but I suppose there's a chance it's being used by an individual within our organization. Thanks for pointing us in this direction, Sam! – rinogo May 01 '20 at 15:06
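
A triage step for alerts like the one in the question, as an added example that is not part of the original post or of any Microsoft tooling: it sorts certificate names by whether the monitored domain is the real parent, is embedded under a known proxy suffix (`cas.ms`, per the answer), or is embedded under a parent nobody has accounted for. The function names are hypothetical, and the code assumes a suffix proxy publishes names shaped `<original host>.<suffix>`.

```python
# Added example: triage of names from a certificate-transparency alert.
# Every hostname used with this code is a constructed sample, not from the post.

KNOWN_PROXY_SUFFIXES = {"cas.ms"}  # suffix named in the answer above


def labels(name):
    """Normalize a DNS name (case, trailing dot, wildcard) and split into labels."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name.split(".")


def classify(san, monitored, proxy_suffixes=KNOWN_PROXY_SUFFIXES):
    """Classify one certificate name relative to the domain being monitored."""
    san_l, mon_l = labels(san), labels(monitored)
    n = len(mon_l)
    # The monitored domain itself, or a genuine subdomain of it.
    if san_l[-n:] == mon_l:
        return "own"
    # Monitored domain appears as whole labels but the name is rooted elsewhere.
    # Assumption: a suffix proxy publishes names shaped <original host>.<suffix>.
    for i in range(len(san_l) - n):
        if san_l[i:i + n] == mon_l:
            tail = ".".join(san_l[i + n:])
            if any(tail == s or tail.endswith("." + s) for s in proxy_suffixes):
                return "known-proxy"
            return "embedded-unknown"
    # Not label-aligned: a plain substring hit such as example.com-login.test.
    if ".".join(mon_l) in ".".join(san_l):
        return "lookalike"
    return "unrelated"


def triage(sans, monitored):
    """Group alert names by class so unknown parents are reviewed first."""
    groups = {}
    for san in sans:
        groups.setdefault(classify(san, monitored), []).append(san)
    return groups
```

A `known-proxy` result only says which service's namespace the name sits in; it still leaves the question the answer raises, namely who enabled that service for the domain.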