Microsoft Stream Domain Hijacked, Redirects to Fake Amazon Site Promoting Thai Casino

Microsoft Stream’s old domain was hijacked and redirected to a fake Amazon website promoting an online casino in Thailand. This unexpected domain takeover led to SharePoint sites embedding outdated Microsoft Stream videos displaying the fraudulent site instead, creating a widespread issue for organizations still relying on legacy video links.

Microsoft Stream’s Classic Domain Turns Into a Phishing Trap

Microsoft Stream, an enterprise video hosting platform, was deeply integrated into Microsoft 365 applications, including Teams and SharePoint. It allowed organizations to upload and share videos through a dedicated portal at microsoftstream.com.

In 2020, Microsoft announced that the service would be deprecated, urging organizations to migrate their video content to SharePoint by April 2024. This deadline marked the official retirement of Microsoft Stream’s classic service. However, the domain remained active—until it wasn’t.

On March 27, 2025, WHOIS records indicated a sudden change in the domain’s registration. Instead of pointing to Microsoft’s services, the domain began redirecting visitors to a fake Amazon site linked to a Thai online casino. The site functioned as a phishing trap, attempting to lure unsuspecting users into engaging with fraudulent promotions.

SharePoint Sites Displaying Spam Instead of Videos

The impact was felt immediately. SharePoint sites that had embedded Microsoft Stream videos from the classic domain suddenly found their pages displaying an unexpected and unwelcome surprise.

• Users reported seeing a suspicious website within their organization’s intranet.
• Reddit discussions emerged, with IT admins scrambling to understand why SharePoint pages were serving spam instead of legitimate video content.
• One administrator noted that their SharePoint layout used embedded videos from an old aspx page, which was now showing the hijacked website.

“This afternoon, a user reported a suspicious website on our intranet using microsoftstream.com. Turns out, the domain is currently redirecting to a sketchy website signed by ‘Ibiza99,’” one SharePoint admin wrote.

Another IT professional shared a similar experience: “I just got a call that our SharePoint site was showing spam instead of embedded videos. Interesting, I thought. I wonder how that could happen.”

Microsoft Responds, but Details Remain Scarce

Following the reports, Microsoft moved quickly to block the hijacked domain, preventing further exposure. By the evening, the redirect was no longer active, stopping the fake Amazon site from appearing in SharePoint pages.

A Microsoft spokesperson acknowledged the issue, stating, “We are aware of these reports and have taken appropriate action to further prevent access to impacted domains.” However, the company did not elaborate on how the domain was compromised in the first place.

How Did the Domain Get Hijacked?

While Microsoft has not confirmed the exact cause of the hijack, the timeline suggests a few possible scenarios:

Given that the domain was initially hosted on Microsoft’s Azure DNS servers, the breach raises concerns about the security of corporate domains after deprecation.

A Wake-Up Call for IT Admins

This incident highlights a critical issue: the risks of leaving old embedded links and domains unmonitored. Organizations that did not fully transition their Microsoft Stream videos to SharePoint faced unintended consequences when the domain fell into the wrong hands.

For IT administrators, this serves as a reminder:

• Always update embedded video links when a platform transitions to a new service.
• Regularly audit legacy integrations to ensure they remain secure and functional.
• Monitor domain records to spot unauthorized changes that could indicate a hijack attempt.

While this hijack didn’t lead to malware distribution or more severe phishing attacks, it exposed a major vulnerability that could have had worse consequences. For Microsoft, the event underscores the importance of securing retired domains long after they have been decommissioned.