Forum Discussion
General Question: Microsoft 365 admin console tab label
- Apr 04, 2024
Admin.microsoft.com uses resources hosted on res.cdn.office.net for those tab titles. In this case, that request looks like this:
GET https://res.cdn.office.net/admincenter/admin-pkg/2024.3.28.1/en/jsc/reactadminbootstrap.js HTTP/1.1
Host: res.cdn.office.net
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0
sec-ch-ua-platform: "Windows"
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Referer: https://admin.microsoft.com/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Although the path contains "en" as the lang code, the strings are (as everyone noted) in Croatian. All the other locales I tested (it, de, etc.) don't appear to have the same bug. Just "en." Also, res.cdn.office.net uses Akamai as a content delivery network, and this .js file is cached with Cache-Control max-age=630720000 (20 years?). So even if it was fixed on the origin servers, the Akamai cache would have to be purged, or they would have to use a new file path, and that appears to be their approach (this one has the release date /2024.3.28.1/ in the path).
This has already been confirmed by other members to be a bug that Microsoft is working on; I just wanted to provide some additional details based on what I see.
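Added example, not part of the post above and not Microsoft's code: a short Python check that turns the quoted `Cache-Control` value into a cache lifetime and looks for a release-stamped path segment, which is what decides whether a fix can ship under a new URL or needs a cache purge. The release-segment pattern is an assumption inferred from the single URL in the post, and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

SECONDS_PER_YEAR = 365 * 24 * 3600
# Assumption: a release segment looks like the one in the post (2024.3.28.1).
RELEASE_SEGMENT = re.compile(r"^\d{4}\.\d{1,2}\.\d{1,2}\.\d+$")


def parse_cache_control(header):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in header.split(","):
        name, sep, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') if sep else None
    return directives


def freshness_seconds(header, shared_cache=True):
    """Seconds a cache may serve the response without revalidating."""
    d = parse_cache_control(header)
    if "no-store" in d or "no-cache" in d:
        return 0
    # A shared cache (the CDN edge) prefers s-maxage over max-age.
    key = "s-maxage" if shared_cache and "s-maxage" in d else "max-age"
    value = d.get(key)
    return int(value) if value and value.isdecimal() else 0


def release_segment(url):
    """Return the release-stamped path segment, or None if unversioned."""
    for segment in urlsplit(url).path.split("/"):
        if RELEASE_SEGMENT.match(segment):
            return segment
    return None


def assess(url, cache_control):
    """Summarise how long a bad copy can persist and how a fix reaches clients."""
    release = release_segment(url)
    return {
        "years": round(freshness_seconds(cache_control) / SECONDS_PER_YEAR, 2),
        "release": release,
        # With a release in the path a fix can ship under a new URL;
        # otherwise the cached object itself has to be purged.
        "fix_via": "new release path" if release else "cache purge",
    }


# URL and max-age value as quoted in the post above.
URL = "https://res.cdn.office.net/admincenter/admin-pkg/2024.3.28.1/en/jsc/reactadminbootstrap.js"
REPORT = assess(URL, "max-age=630720000")
```

A CDN purge does not reach copies already held in browser caches, which is one reason a new release path is the more reliable route for a file cached this long.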
RS_Admin This is a huge problem. It looks strange enough to be a sign that a sloppy developer or hacker changed the language on us. I started a support ticket that went a little like this:
Me: Either Microsoft screwed something up or we are on the leading edge of a SolarWinds-size attack. MS needs to say something about which it is immediately.
Microsoft: Have you tried InPrivate browsing?
Me: This is being reported on hundreds of tenants across the US and world. This isn't a (mycompany) screwed up error or an individual machine error.
Microsoft: We need to collect super detailed logs from your machine and then you need to email them.
Me: If your legal department confirms you are A. Not a 3rd party contractor, B. Located in the USA and C. Covered by the Microsoft BAA, then we can do that. Or you could check your own tenant.
Microsoft: Uhhh what, we will delete your data when we are done. It is very safe.
Me: I need to escalate, this is way above your pay grade
Microsoft: So you refuse to give us the logs
Me: So you refuse to escalate this case, yes or no
Circles and circles. We are having a meeting in a few hours to discuss the risk/cost of shutting down all systems and waiting for MS to say something vs the risk of losing protected data if this is a real incident. No other indicators of compromise, no unexpected activity on firewalls etc. Waiting for my lawyers to weigh in as well. Can we actually sue them if we lose a bunch of money over this?
Microsoft support is beyond useless at this point. They have home user level support for E5 licenses. Why can't I just pay $20k per incident like the old days with premier cases? I would do that in a heartbeat and move on.