That bounty is an order of magnitude smaller than it should've been. It's an account takeover defect that most anyone could fall for because of the structure of the payload URL.
And it’s shocking they’re able to add a DNS zone for a domain they don’t own. That alone is a massive issue for the email phishing potential. The combination is stunning.
From: bob@project-cascade.visualstudio.com
SPF: pass
DKIM: pass
DMARC: none
“Hi it’s Bob from Project Cascade. We’re giving away Azure credits to anyone who used our trial in 2019 or earlier. Visit project-cascade.visualstudio.com/credits to check if you’re eligible.”
In all the cloud provider DNS services I've used you can add a zone for anything with no verification of ownership. The root-cause flaw is the domain owner allowing their registrar data to go stale and letting NS point at a shared service where they did not own/host the records.
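The condition described above (NS records still delegating to a shared DNS provider that no longer hosts the zone) is detectable from the outside: ask the delegated nameserver directly for the zone's SOA and see whether it answers authoritatively. The script below is an added example for this thread, not code from any of the commenters. It uses only the Python standard library and raw DNS packets; the mapping of response codes to "dangling" is a heuristic assumption (REFUSED or SERVFAIL from the delegated server is the usual sign that the provider has no such zone), and the two sample response headers are constructed, not captured traffic. The hostname and IP in the usage comment are placeholders.

```python
"""Check whether a delegated zone is actually served by its nameservers.

Added example for the discussion above, not code from the thread. If the
delegated server answers REFUSED/SERVFAIL instead of an authoritative SOA,
the zone is most likely not hosted there and can be re-created by anyone
(heuristic assumption; confirm against the provider's actual behaviour).
"""
import os
import socket
import struct

QTYPE_SOA = 6
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(zone, txid=None):
    """Non-recursive (RD=0) SOA query: we want the server's own view of the zone."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_header(resp):
    """Pull the fields we need out of the 12-byte DNS header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "ancount": an}


def classify(hdr):
    """Map an SOA response header to a delegation state (heuristic, assumed)."""
    rc = hdr["rcode"]
    if rc == 0 and hdr["aa"] and hdr["ancount"] > 0:
        return "healthy"       # server is authoritative and returned the SOA
    if rc in (2, 5):
        return "dangling"      # REFUSED/SERVFAIL: provider does not host this zone
    if rc == 0 and not hdr["aa"]:
        return "lame"          # answered, but not authoritatively
    return "other:" + RCODE_NAMES.get(rc, str(rc))


def check_delegation(zone, ns_ip, timeout=3.0):
    """Live check: send the SOA query to one delegated nameserver over UDP."""
    query = build_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ns_ip, 53))
        resp, _ = s.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != struct.unpack("!H", query[:2])[0] or not hdr["qr"]:
        raise ValueError("response does not match query")
    return classify(hdr)


# Constructed sample headers (not captured traffic).
# QR|AA set, RCODE=0, one answer: the zone really is hosted there.
HEALTHY_HDR = b"\x00\x01\x84\x00\x00\x01\x00\x01\x00\x00\x00\x00"
# QR set, RCODE=5 (REFUSED), no answers: the classic dangling-delegation reply.
REFUSED_HDR = b"\x00\x01\x80\x05\x00\x01\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    for label, raw in (("hosted zone", HEALTHY_HDR), ("abandoned zone", REFUSED_HDR)):
        print(label, "->", classify(parse_header(raw)))
    # Live usage (placeholder names; take ns_ip from the parent's delegation):
    # print(check_delegation("sub.example.com", "203.0.113.53"))
```

Run it against every nameserver the parent zone delegates to, not just one: a delegation is only safe when all of them answer authoritatively, and the server that says REFUSED is the one an attacker would register the zone with.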
Probably makes a lot of less-than-ethical security researchers wonder if maybe they should do something else with the knowledge of the vulnerability next time.
From: bob@project-cascade.visualstudio.com
SPF: pass
DKIM: pass
DMARC: none
“Hi it’s Bob from Project Cascade. We’re giving away Azure credits to anyone who used our trial in 2019 or earlier. Visit project-cascade.visualstudio.com/credits to check if you’re eligible.”
Click.
“Sorry, you’re not eligible.”
I’d fall for that :-(