[donmcronald]

And it’s shocking they’re able to add a DNS zone for a domain they don’t own. That alone is a massive issue for the email phishing potential. The combination is stunning.

From: bob@project-cascade.visualstudio.com

SPF: pass

DKIM: pass

DMARC: none

“Hi it’s Bob from Project Cascade. We’re giving away Azure credits to anyone who used our trial in 2019 or earlier. Visit project-cascade.visualstudio.com/credits to check if you’re eligible.”

Click.

“Sorry, you’re not eligible.”

I’d fall for that :-(

[gravitas]

In all the cloud provider DNS services I've used you can add a zone for anything with no verification of ownership. The root cause flaw is the domain owner allowing their registrar data to go stale and let NS point at a shared service where they did not own/host the records.