«Office 365 login» With those words, many people start their workday to authenticate to Microsoft’s web tools, with which their companies are integrated. This Google search usually yields the link to the Office portal as the first result.
Today (at the time of this writing it’s October 3), when performing this Google search, a glitch in the famous search engine caused the targeted link to end up on the GoDaddy login page. This could have allowed many users to get confused and trust this web portal with the credentials to access the Microsoft 365 suite.
In the image below, it shows how Google displays as the main «Sign In – Outlook» link the URL that ends up redirecting to GoDaddy:
This link (https://outlook.office.com/owa/?realm=masterworksdesign.com), which is initially unrelated to GoDaddy, ends up redirecting to its web portal.
There is no confirmation, but this redirection could be due to Microsoft’s integration with this domain provider to allow its users to customize the domains of their e-mail addresses, as shown in the following link:
However, it should be noted that sometimes this type of error is carried out by malicious actors, indexing in Google as the first result of a fake webmail/VPN portal of a company. This leads to phishing attacks.
Returning to the case at hand, we must point out that one aspect that aggravates the situation is the integration that GoDaddy has made with Microsoft in its login panel. The Microsoft 365 logo is displayed above the user and password fields, making it easier not to look at the less striking GoDaddy logo or the URL of the page being visited.
The consequences of the GoDaddy-Microsoft 365 mix-up
The direct consequences of this situation, in case some users are not aware of the problem caused by Google, would trigger multiple login failures in the GoDaddy panel, sending to this website the Office 365 authentication data. This could have a big impact given that these credentials are usually the same ones that would be used to authenticate either with personal accounts or internal services of the companies they work for, such as VPN or other corporate applications.
Upon completion of the authentication form, the user’s credentials are sent to GoDaddy’s Single Sign-On platform. This situation can be confirmed by the following HTTPS traffic capture:
From what we have been able to analyze, this is not the first time this situation has happened. This same behavior occurred on August 19, 2021.
While this situation is not due to any malicious action, indeed, those who have performed the authentication have unintentionally shared their personal or corporate credentials with GoDaddy.
Currently, we can only wait for Google to resolve this situation to prevent other users from being affected in the future. As a record of this incident, we include the link to today’s Google search, which contains the aforementioned redirect:
The URL to which the «Sign In – Outlook» entry points: https://outlook.office.com/owa/?realm=masterworksdesign.com
As evidence of this situation, which we hope will be resolved in a short period, we show the link to the indexing of this situation in the Web Archive platform:
Recommendations to keep in mind
- Always access Office 365 services through the desktop applications or official URLs, preferably making use of web bookmarks or shortcuts.
- Educate users to identify this type of situations by paying attention to the URL being visited, as well as changes to the authentication interface. While this is not a malicious campaign, in this case, it is recommended as part of the corporate security strategy to conduct regular awareness exercises for employees. These social engineering attack vectors account for a large percentage of intrusions into organizations, resulting in ransomware or other malware infections.
- Notify the users of the organizations of this specific situation to avoid credential exposures, as well as request changes in the passwords of those who have been affected by this incident.
Edit (12:00, 05/10/2022): Right now, Google stopped showing the “Sign in – Outlook” link, so this problem is currently solved.