Azure-docs: aka.ms/MFASetup reads like a phishing attack

Created on 13 May 2019  ·  23 Comments  ·  Source: MicrosoftDocs/azure-docs

The aka.ms domain looks like a phishing attack that every enterprise has trained their employees not to click.



All 23 comments

@idontusenumbers Thanks for the comment! We will investigate this issue and get back to you soon.

@idontusenumbers Aka.ms is an internal Microsoft URL shortening service and not available publicly, so there is no way that it can be identified even closely as a phishing attack URL. As per your statement it seems like this is just an assumption on your part, but we assure you that the URL is completely safe and it is not at all associated with any phishing activity.

Hope this clarifies your doubts. Should you have any further query on this, feel free to tag me or the doc author @eross-msft to your reply and we will be happy to clarify anything as needed. We will close this issue now.

Thank you.

@MohitDhingra-MSFT @eross-msft There is no evidence that suggests that aka.ms is internal or microsoft controlled without significant research. That's like chase bank saying "it's okay to enter your bank account credentials on cha.se because we control it". There's no way for even a tech-savvy user to verify it's a Microsoft domain because it immediately redirects to a different domain so the certificate can't be verified. Users are taught year after year to very specifically flag this sort of domain as a phishing domain and to report it to their IT department. In my (professional) opinion, this is an enormous security mistake and benefits no one. https://microsoft.com/mfasetup would be a 1000x better option.

Indeed, I thought I was being spearphished very cleverly today, with a very plausible-looking invoice accompanied by an email that invited me to "View your Agreement(s) https://aka.ms/AA1wm3t." Yeah right, like I'm gonna follow a link to some dodgy-looking URL in the Montserrat domain! Thanks for posting the bona fides here to GitHub, clearly not a phishing attack ;-)

I agree. Link shortening services are VERY suspicious. In fact the DoD blocks all of them (except their own HA)...so all aka.ms links just fail for us. This is actually becoming common for enterprises. The reason is we TRAIN users to look at URLs to be sure they are going where they think they are going. With link shorteners you can never be certain...no matter how "official" the link shortener service is.

Not all are secure, check this one: schemas.microsoft.com/SMI/2005/WindowsSettings
I'm seeing lots of CDN Akamai servers using legitimate content as logic bomb functionality in very advanced viruses, using timeout keys that a virus author can control to stop campaigns by pulling them.. Another weird feature is viruses spying on Microsoft users by activating family control, and using Microsoft accounts to see what their victims are looking at by getting reports.. I'm seriously not even starting to trust Microsoft because many of these viruses are generating such heavy traffic, and Google and Microsoft are all getting interesting metadata from it..

Many of the most active viruses I'm studying at the moment are all certificate signed, all Microsoft whitelisted, all contacting Google ad services or legitimate Microsoft / semi-legitimate pages.... Another weird thing: I have another virus that uses /embedding followed by a number string as a CLI argument, and in another of those aka.ms websites in the URL there is a URI context asking Embedded?y/N aka

https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=45a330b1-b1ec-4cc1-9161-9f03992aa49f&scope=openid&msafed=0&nonce=a5dfc125-1fd6-407b-9202-0a5d19c20fe7&response_mode=form_post&redirect_uri=https://businessstore.microsoft.com/auth/&state=%7B%22encodedRedirectUri%22:%22L21hbmFnZS9vcmdhbml6YXRpb24vYWdyZWVtZW50cw==%22,%22isEmbedded%22:false%7D

But... I don't think it reasonable to expect anyone outside of MS to trust (or even know about) its control of aka.ms. So https://safecomputing.umich.edu/be-aware/phishing-and-suspicious-email/shortened-url-security is I think most relevant here...

@MohitDhingra-MSFT @eross-msft Can we get a deeper analysis of the use of this shortened URL? From a user's point of view, there's no benefit to the shortened URL and enormous costs: inability to complete task because IT blocks URL shorteners or because it's perceived as a phishing attack and thus intentionally not clicked

Hmmm... a good next step might be to look at some specific cases in which aka.ms is used, then classify as a use-case or a misuse-case. That's way out of my range of responsibility -- I'm just an end-user.

I'll now unsubscribe from this thread.... but as a parting gift I do have a case to offer: an email I received a month ago, with an aka.ms link. A flat-text version is appended. I have suppressed anything that's obviously unhashed PII, and I'm ok with running the privacy risk of posting this case to a publicly viewable web area.

  1. I can't be bothered to figure out how the aka.ms redirection pulls up my PII, but when I (finally!) dared to visit it a few minutes ago, my (Chrome) browser was redirected to https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=AAAA&scope=openid&msafed=0&nonce=BBBB&response_mode=form_post&redirect_uri=https://businessstore.microsoft.com/auth/&state=%7B%22encodedRedirectUri%22:%22CCCC==%22,%22isEmbedded%22:false%7D&sso_reload=true. So: aka.ms redirection is apparently far more powerful than a tinyurl redirection. However: I think it unlikely that the target "AA1wm3t" of this aka.ms contains a hashed version of my PII because it's only 8 chars long, and because the popup "Pick an account" window on this microsoftonline.com visit isn't helping me navigate the portion of my personal-identity-hell that is directly administered by MS (i.e. I see four explicit options on the "Pick an account" list, plus the option to "Use another account").

  2. I suspect the png link is a tracker with a hashed reference to my account number, so I have anonymised it. It's a 115x27 png which would have displayed an MS graphic in my Outlook client, if I had ever allowed it to present this email to me in HTML. (BTW I run my Outlook in plaintext-only mode, as one of my lines of defense against email nasties.)

Here's the anonymised case. Ignore if you like. I have already frittered away more than enough of my time on this issue!

Cheers,
Clark

--

From: Microsoft (do not reply) maccount@microsoft.com
Sent: Tuesday, 3 December 2019 6:12 PM
To: Undisclosed recipients:
Subject: Your Microsoft billing statement

http://compass.microsoft.com/assets/eb/68/WWW.png

Your Microsoft billing statement is ready

Organization: XXX

Domain: YYY.com

Your billing statement is ready for review and is attached to this email.

We email invoices by default, but you can change how you receive invoices https://portal.office.com/AdminPortal/Home?ref=BillingNotifications if you want.

Thank you,

The Microsoft Online Services Team

Microsoft respects your privacy. Review our online Privacy Statement https://privacy.microsoft.com/en-us/privacystatement .

Additional questions?

Please visit Customer Support https://businessstore.microsoft.com/en-us/support site.

View your Agreement(s) https://aka.ms/AA1wm3t .

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052 USA
https://mucp.api.account.microsoft.com/m/v2/v?d=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

--

Me again, with a second case of aka.ms usage.

This case features a friendly target of the aka.ms: the link displays in my (Acrobat Pro DC) PDF viewer as https://aka.ms/Office365Billing.

I'd be very surprised if there were a covert channel that allowed this particular aka.ms redirection to be pulling my PII from this particular PDF document, but that'd certainly be a possibility worth exploring if I were a malware designer or on contract as a security analyst!

(Case notes: I rendered the PDF attachment of my case #1 to png, then I cut out the displayed PII.)


Thank you everyone for your insight into the URLs. We appreciate the provided data as it helps shape our decisions going forward.
We, as the content team, are actually moving away from using the aka.ms short URLs and instead using the full site URLs. With that being said, the product groups and other teams aren't necessarily changing their styles to reflect this update. Additionally, we don't have the bandwidth to go back and update all aka.ms links and can only update the links we see in articles that are being updated or in new articles.
For the purposes of the MFA article being referenced, I can go in and update this link to a full URL. But as you find additional links, you can go ahead and update them yourselves through GitHub and a GitHub account. We do go through and read/accept pull requests from both internal and external customers. If you need instructions about how to do this, you can find them here: https://docs.microsoft.com/en-us/contribute/.

please-close

5 months later, you're still using this domain to encourage Windows 10 owners to link their phone with their desktop, so that "I never have to email pictures to myself ever again". So those pictures will be routed through a server in Montserrat? Thanks, but I figure I'll just download them via USB instead.

Is it safe now or what?

:)

I agree.
For consumers, individual customers, aka.ms is good because it's easy to remember and there are no big security concerns.
For business customers, some of them even use an Internet firewall in allow-list mode, you really need to give them a good reason to accept this domain.
I think Microsoft should at least officially make an announcement, declaring something such as
"aka.ms is Microsoft-owned domain.",
"This domain is used by Microsoft in order to ..... and IT admins can safely put it into your company's firewall allow-list...",
"You may trust Microsoft URL beginning with aka.ms",
something like that.

> I agree.
> For consumers, individual customers, aka.ms is good because it's easy to remember and there are no big security concerns.

There is a big security concern: it looks like a phishing URL

> I think Microsoft should at least officially make an announcement, declaring something such as
> "aka.ms is Microsoft-owned domain.",

This requires every person that ever receives one of these aka.ms links to have received, read, and remembered such a notice. That's a lot to ask.

> This requires every person that ever receives one of these aka.ms links to have received, read, and remembered such a notice. That's a lot to ask.

I don't think Microsoft needs to send that announcement to everyone. Publishing such notice on their websites will do.

Would Microsoft include this domain on their docs if it wasn't official?

> Would Microsoft include this domain on their docs if it wasn't official?

Would a hacker that broke into the Microsoft docs and rewrote them use a domain similar to aka.ms? Would the hacker use microsoft.com?

While I think most of this thread is excessive concern about phishing URLs, as an end user if you go to the bare URL https://aka.ms , you are now redirected to https://redirectiontool.trafficmanager.net/am/redirection/home?options=host:aka.ms which redirects to a login page for the MS Redirection tool. Though it doesn't show you that anywhere on the screen.

If an end user was to try to find information about aka.ms - the first thing that comes up in my search results is many instances of people asking if it is OK.

I was just updating a web site I have been helping on, and was hoping to find something official from Microsoft explaining what Aka.ms was that I could link to, and I couldn't find a reputable/official looking source to reference.

Worst of all, if an unauthorized user (non-Microsoft, and non-Microsoft-authorized tenant guest) were to fully log into the page, they get an error that would be confusing to most users.

If someone tried to use an undefined, removed, or invalid aka.ms link - like https://aka.ms/DoesntExist, it takes you to Microsoft.com at least, but it should be much clearer that it is owned by Microsoft.

I see that https://aka.ms by itself redirecting into your internal redirection tool login page is easy for you all, but it would be confusing to most users.

I would love for there to be some way that https://aka.ms had a page with an explanation that this is a Microsoft service, a link to some Microsoft.com/aka-ms-url-shortener or similar page, and an explanation that only Microsoft or authorized contractors can access it to create these links, and most likely a "Login" button in the top right for you all to go to the https://redirectiontool.trafficmanager.net/am/redirection/home?options=host:aka.ms URL.

Given those additional steps, a user could

  • understandably be suspicious of the aka.ms links (as URL Shorteners could certainly be used maliciously to hide a malicious URL), but could learn that aka.ms is a trustworthy URL shortener because they
  • have some confirmation from Microsoft side of things that aka.ms is an official Microsoft domain,
  • anyone who came onto https://aka.ms by accident wouldn't directly be presented with a login page (which is certainly a security red flag), but an explanation it is an internal Microsoft URL Shortener
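The thread's core complaint is that a user cannot see where a short link ends up without clicking it. The following is an added example (not code from the issue thread or from Microsoft) showing how a defender can expand a shortened link hop by hop, with redirects disabled, and then judge the final host against an allow-list; the hop table is constructed for the demo and stands in for live HEAD responses, and the short.example entries are made up to exercise the loop and unlisted-host cases.

```python
from urllib.parse import urlsplit, urljoin

MAX_HOPS = 10
# Hosts the organisation has decided to trust as redirect targets (assumption).
ALLOWED_SUFFIXES = ("microsoft.com", "microsoftonline.com", "trafficmanager.net")

# Constructed redirect table: request URL -> Location header. The first two
# entries reproduce hops reported in the thread; the rest are made up.
FAKE_HOPS = {
    "https://aka.ms": "https://redirectiontool.trafficmanager.net/am/redirection/home?options=host:aka.ms",
    "https://aka.ms/AA1wm3t": "https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token",
    "https://short.example/x1": "/x2",                        # relative Location
    "https://short.example/x2": "https://short.example/x1",   # redirect loop
    "https://short.example/x3": "https://login-microsoft.example/signin",
}


def fetch_location(url):
    """Stand-in for a HEAD request with redirects disabled: returns the
    Location header, or None when the response is not a redirect."""
    return FAKE_HOPS.get(url)


def expand(url, fetch=fetch_location, max_hops=MAX_HOPS):
    """Follow Location headers manually. Returns (chain, status) where status
    is 'final', 'loop' or 'too_many_hops'; the chain lists every URL seen."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        loc = fetch(chain[-1])
        if loc is None:
            return chain, "final"
        nxt = urljoin(chain[-1], loc)   # relative Location headers are legal
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def host_allowed(url, suffixes=ALLOWED_SUFFIXES):
    """Exact or dot-anchored suffix match, so 'login-microsoft.example' and
    'evilmicrosoft.com' do not pass."""
    host = urlsplit(url).hostname or ""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(url):
    """Verdict for a short link: 'allowed', 'unlisted', 'loop' or 'too_many_hops'."""
    chain, status = expand(url)
    if status != "final":
        return status, chain
    return ("allowed" if host_allowed(chain[-1]) else "unlisted"), chain
```

To run this against live links, replace fetch_location with a HEAD request that has redirects disabled and reads the Location header, keeping the manual loop so every intermediate host stays visible.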