Microsoft Azure is phishing-friendly

Microsoft Azure is phishing-friendly

Summary: Free hosting, free SSL certificate, free subdomains and free anonymizing proxy make Azure a powerful platform for phishing.


Internet research and intelligence firm Netcraft is reporting that Microsoft Azure is becoming popular as a hosting site for phishing attacks.

Netcraft identified several examples of what they call "the most egregious examples targeting well-known institutions:"

  • (Apple)
  • (PayPal)
  • (American Express)
  • (Visa)
  • (Comcast)
  • (Cielo)

In order to attract web developers, Microsoft has made many powerful facilities free for an evaluation period which is far longer than the lifetime of the average phishing site.

In addition to 30 free days of hosting and a $200 credit on Azure charges, developers can get free subdomains off Microsoft's (a domain unlikely to be blocked); a free SSL certificate, free email addresses and a free anonymizing proxy.

An Apple phishing site on, image courtesy Netcraft Site Report

One particular problem with this arrangement identified by Netcraft is that the free SSL certificates provided by Microsoft do not come with an OCSP responder, and so are irrevocable in many client programs, Mozilla programs in particular.

In all likelihood, phishers aren't using any of the more sophisticated features of Azure, but if they wanted to, they could have access to SQL Server databases, mobile push, media streaming and Hadoop for big data analysis.

Netcraft notes that Microsoft has some weapons that could be used to track down these attackers, particularly the fact that a phone call must be made in the registration process.

Topics: Security, Cloud, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • So?

    Azure has compute time limits ... so whatever "hack" is being attempted can be spotted via resources being consumed. Microsoft monitors this, and suspects show up early on their radar. Remember, this is for developers. SO if production like resource consumption is identified, they can shut it down pretty quick.

    "In all likelihood, phishers aren't using any of the more sophisticated features of Azure" ... which means, you don't know for sure, and have no evidence of it occurring ... your speculating ... Also, absent from this is what does Google or Amazon do to prevent this from occurring? Glad to see your focusing on mobile technology and security (in recent years), but just how "hands on" were you in order to reach "expert in technology" status?
  • Phone verification?

    Can you say "burner"?