In February, Mike O’Connor expressed interest in selling the “corp.com” domain, with hopes that Microsoft would buy it. In early versions of Windows that supported Active Directory, the default or example domain name was “corp.” This domain would be particularly dangerous in the hands of a threat actor because many corporate Active Directory deployments used this default suggestion instead of a domain name the company owns. When endpoints try to reach an Active Directory-mapped resource such as a network share, DNS settings may cause the endpoint to resolve the name on the public internet first, initiating a connection to the third-party corp.com domain instead. Research showed that, even recently, hundreds of thousands of computers around the world attempt to send sensitive information to the corp.com domain. Earlier this week, O’Connor wrote to Brian Krebs to say that Microsoft had bought the domain from him for an undisclosed amount. Microsoft has since said that it bought the domain to protect its customers.
Although Microsoft now owns the domain, the best way to protect devices is to configure Active Directory with a company-owned domain name. Using Endpoint Detection and Response (EDR) tools to find attacker behavior is an important defense when attackers use stolen credentials to access corporate computers. Additionally, reducing the number of domain administrators and ensuring that not every account has administrator access are effective ways of securing Active Directory.
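The following PowerShell script is an added example, not code from the article or from Microsoft, showing how a defender could audit the two Active Directory conditions discussed above: an AD DNS root or endpoint DNS suffix that is not a zone the organization owns, and an over-broad Domain Admins group. It assumes a domain-joined Windows host with the ActiveDirectory RSAT module installed; the `$OwnedDomains` list is a constructed placeholder that must be replaced with the DNS zones the organization actually controls.

```powershell
# Added example (not from the article): audit AD naming and DNS suffixes for the
# namespace-collision risk described above, then list Domain Admins membership.
# Requires the ActiveDirectory module (RSAT) on a domain-joined Windows host.

# Assumption / constructed placeholder: the DNS zones this organization actually owns.
$OwnedDomains = @('example.com')

function Test-OwnedSuffix {
    # True when $Name is one of the owned zones or a subdomain of one.
    param([string]$Name)
    foreach ($d in $OwnedDomains) {
        if ($Name -ieq $d -or $Name.ToLower().EndsWith('.' + $d.ToLower())) {
            return $true
        }
    }
    return $false
}

# 1. The AD domain's DNS root. A single-label root such as "corp" is the default the
#    article describes; a multi-label root that is not an owned zone is just as risky,
#    because lookups for resources under it can reach a public domain instead.
$root = (Get-ADDomain).DNSRoot
if ($root -notmatch '\.') {
    Write-Warning "AD DNS root '$root' is single-label; names under it can collide with a public domain."
} elseif (-not (Test-OwnedSuffix $root)) {
    Write-Warning "AD DNS root '$root' is not an organization-owned zone."
} else {
    Write-Output "AD DNS root '$root' is an organization-owned zone."
}

# 2. The endpoint's DNS suffix search list. Any suffix the organization does not own
#    means unqualified names (shares, service hosts) may be resolved against that zone.
$suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
foreach ($s in $suffixes) {
    if (-not (Test-OwnedSuffix $s)) {
        Write-Warning "DNS suffix '$s' in the search list is not organization-owned."
    }
}

# 3. Domain Admins membership (recursive, so nested groups are expanded), reported so
#    accounts that do not need domain-wide administrator rights can be reviewed.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
Write-Output "Domain Admins has $(@($admins).Count) member(s):"
$admins | Select-Object Name, objectClass, distinguishedName | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a domain-joined workstation; the suffix check reflects that workstation's own DNS client settings, so it is worth running on roaming laptops as well as servers, since those are the endpoints most likely to resolve names off the corporate network.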