Did you suddenly see spam for a Thai casino in your SharePoint environment? The culprit was a hijacked Microsoft domain.
Through various Reddit threads for IT and security specialists, reports of spam in SharePoint came in. Some business users saw spam for Thai casinos in their Microsoft environment, in the form of a very well-replicated Amazon page. The spam turned out to be originating from a hijacked Microsoft domain for Streams.
Microsoft Streams is a video streaming service that allows you to embed videos in Teams, SharePoint, and other Office applications. In 2024, the service was moved from a separate domain and integrated into SharePoint. However, the classic domain microsoftstream.com remained active since then.
Thai casino
The culprit, known only by his alias Ibiza99, took over the Microsoft domain on March 27 and replaced the content with a spam page for a Thai casino. How exactly this happened is unclear. Consequently, SharePoint servers with Streams content embedded via the legacy domain displayed the spam page. Microsoft had urged companies last year to switch to the new, integrated platform.
Microsoft has since taken the Streams domain offline, causing the spam page to disappear. It’s unclear how many companies saw the spam in their SharePoint environment. “We are aware of these reports and have taken appropriate measures to further prevent access to the affected domains,” Microsoft confirms to Bleeping Computer without further explanation.
The intention behind the campaign remains a matter of speculation, but fortunately, the perpetrators did not misuse the Microsoft Stream service to take over SharePoint environments. Microsoft has learned a valuable IT lesson: if you’re no longer using a domain, take it offline.