Investigating a report from someone in the office today I found their browser displaying one of those full screen "Your computer has been hacked, call this phone number" pages. Not too surprising: I clicked the exit full screen button. But when I looked at the URL it appeared to be a legit Microsoft host name (and had obviously evaded the browser blacklisting filter). After some digging in the DNS and traceroute to the host I still can't exclude the possibility that an MS service has been compromised. It had a valid cert issued by MS Azure CA.

Question is what should someone do with this information? I'm 99.9% sure if I fill out Microsoft's "report hacking" form nobody will read it. otoh a compromised MS service seems like a thing I should try to report to someone. Perhaps I'm confused somehow about the evidence and it's running on a throwaway VPS with a unicode character in the DNS zone. Doesn't seem so however.

On the theory that the attacker hasn't actually compromised the MS DNS, I suspect that they've figured out a way to get an auto-generated DNS A record that points to an Azure-hosted VM from which they deliver the payload. They're also somehow able to use a cert with CN: *.web.core.windows.net but should that be valid also for foo.z13.web.code.windows.net? Apparently yes. TIL

I did find this site, with a report of a very similar URL: https://urlquery.net/ . When I submitted mine it ran a check, displayed the same malware screen I had seen, but declared the site to be problem free.

For obvious reasons I don't want to post the URL but you can construct it from this hostname: errorzxx9120x6er in this zone: z13.web.core.windows.net

The zones all the way down to z13 seem to be owned by MS, as is the netblock where the server resides.