undefined | Better HN

0 pointsbonton892y ago0 comments

Lets not forget all the typosquatting looking domains Microsoft uses. It almost seems like they bought them up to protect users, forgot why they did that and said "hey we have all these domains, lets use those?"

0 comments

__float2y ago

Do you have any examples? I'm largely out of the Microsoft ecosystem these days, aside from the occasional Xbox usage.

bombcar2y ago

Office.com redirects you to login.microsoftonline.com which isn't horribly bad, but is starting to get there. Now you have microsoft365.com and friends, too.

At least when things were login.microsoft.com you could apply the "last part is definitive" now that heuristic is pretty useless. And if you watch the actual DNS requests during a login, whew.

CDNs make it even worse, here's a few VALID requests from my DNS cache:

store-images.s-microsoft.com-c.edgekey.net

www.msftconnecttest.com

123499-ipv4v6.farm.dprodmgd103.aa-rt.sharepoint.com

download.windowsupdate.com.edgesuite.net

At least some end in apparently legitimate domains, but sheesh, that last one looks like something straight out of 2000s era scams.

WorldMaker2y ago

Also Azure AD and Entra ID and other parts of Microsoft 365 all use onmicrosoft.com, too. A fun bonus to that particular domain is the random meaningless to people GUID-derived tenant IDs in the second level. Knowing what is legitimate, and what is tied so a specific corporate tenant, seems impossible. Certainly helps Microsoft themselves avoid XSS problems, I'm sure, but greatly adds to the confusion of what is a legitimate M365 URL.

Corrado2y ago

Yea, it's really fun to log into some some Microsoft site and get redirected 10 times. The domains it goes through are staggering, some of them don't even look like MS names at all. More than once I've been convinced that there is something fishy going on. Only to realize that, nope, that's the way MS wanted it.

j / k navigate · click thread line to collapse