I’m tempted to say “The internet, how does it work?” but the truth is I wouldn’t have a clue, either. Seems like using a regex match against domain name is a Bad Idea, though.
And how did this bug get delivered? Emphasis on speed of delivery and human testing through the UI. “Looks good, ship it.” Which… is how all bugs get delivered, right? Less-careful developer + “hurry up and ship it”.
«Sahad Nk, an India-based bug hunter, discovered that a Microsoft subdomain, “success.office.com,” had not been properly configured, allowing him to take it over. He used a CNAME record, a canonical record used to link one domain to another, to point the unconfigured subdomain to his own Azure instance. In doing so, he controlled the subdomain — and any data sent to it, he said in a write-up, shared with TechCrunch prior to publication.
That wouldn’t be much of a problem on its own, but Nk also found that Microsoft Office, Store and Sway apps could be tricked into sending their authenticated login tokens to his newly controlled domain after a user logs in through Microsoft’s Live login system.
That’s because the vulnerable apps use a wildcard regex, allowing all office.com — including his newly controlled subdomain — to be trusted.»