Warning: Legacy Microsoft Stream Domain Now Spreads Malicious Ads

The legacy domain of Microsoft Stream has been compromised and is now displaying a counterfeit Amazon webpage promoting malicious Thai online. As a result, all SharePoint sites with embedded videos from the outdated platform began exhibiting spam content.
Microsoft Stream is a corporate video service that enables organizations to upload and share video content across Microsoft 365 applications, including Teams and SharePoint.
Previously, all video content was hosted on the portal microsoftstream.com and embedded into corporate sites via this domain.
In September 2020, Microsoft announced the deprecation of the classic Microsoft Stream and began migrating its functionality to SharePoint.
The company advised organizations to move their video libraries to the new platform by April 2024, at which point the legacy service was scheduled for full decommissioning.
However, on March 27, 2025, the microsoftstream.com domain fell into unauthorized hands. A fraudulent website posing as Amazon appeared, redirecting users to an online portal based in Thailand.
It remains unclear whether the domain was directly compromised or if attackers simply altered the DNS records. According to WHOIS data, the last modification to the domain occurred precisely on March 27, 2025:
Domain Name: MICROSOFTSTREAM.COM
Registry Domain ID: 2027086511_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.comlaude.com
Registrar URL: http://www.comlaude.com
Updated Date: 2025-03-27T02:46:29Z
Creation Date: 2016-05-09T22:38:37Z
Registry Expiry Date: 2025-05-09T22:38:37Z
Registrar: Nom-iq Ltd. dba COM LAUDE
Domain Status: clientDeleteProhibited, clientTransferProhibited, clientUpdateProhibited
Name Servers: NS1-04.AZURE-DNS.COM, NS2-04.AZURE-DNS.NET, NS3-04.AZURE-DNS.ORG, NS4-04.AZURE-DNS.INFO
This misappropriation resulted in numerous SharePoint pages displaying unsolicited advertisements in place of their intended video content.
“This afternoon, a user reported a suspicious website on our intranet, that is using microsoftstream.com. After some analysis, it turns out the domain is currently redirecting to a sketchy website signed by ‘Ibiza99’,” a SharePoint administrator shared in a Reddit discussion.
“Interesting, I thought. I wonder how that could happen. So I jumped on to see the issue, site is using embedded video from an aspx page on the SharePoint layout. It is definitely showing spam,” confirmed another Reddit user.
Later that day, the domain was taken offline once more, and the malicious page ceased loading.
Microsoft has yet to clarify how the domain came under the control of unauthorized parties.
Fortunately, this incident was limited to spam and did not escalate into a more severe threat — such as the distribution of malware through fake updates or other social engineering tactics that could have been automatically loaded onto SharePoint pages.
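
A defender's audit for the failure mode described above, as an added example that is not from the article or from Microsoft: it scans exported page HTML for embeds and links that still point at the retired domain, so they can be removed before the domain changes hands again. The sample page, the `web.` subdomain, the `contoso` and `example.net` hosts, and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

RETIRED_DOMAINS = {"microsoftstream.com"}  # domain named in the article
# Tags whose URL attribute is fetched without any user interaction.
AUTO_LOAD_TAGS = {"iframe", "embed", "object", "video", "source", "script", "link"}
URL_ATTRS = {"src", "href", "data"}

def is_retired_host(url):
    """True if the URL's host is a retired domain or any subdomain of it."""
    try:
        host = urlsplit(url.strip()).hostname or ""
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    host = host.rstrip(".")  # tolerate a fully qualified trailing dot
    # Exact or dot-anchored suffix match, so look-alike hosts do not match.
    return any(host == d or host.endswith("." + d) for d in RETIRED_DOMAINS)

class EmbedAuditor(HTMLParser):
    """Records (line, tag, url, kind) for each reference to a retired domain."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in AUTO_LOAD_TAGS and tag != "a":
            return
        kind = "link" if tag == "a" else "embed"  # embeds load automatically
        for name, value in attrs:
            if name in URL_ATTRS and value and is_retired_host(value):
                self.findings.append((self.getpos()[0], tag, value, kind))

def audit_html(html):
    """Return all findings for one page's HTML source."""
    auditor = EmbedAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page (hosts, paths and IDs are made up for illustration).
SAMPLE_PAGE = """<div class="page">
<iframe src="https://web.microsoftstream.com/embed/video/00000000-0000-0000-0000-000000000000"></iframe>
<iframe src="//WEB.MicrosoftStream.com./embed/channel/1"></iframe>
<iframe src="https://contoso.sharepoint.com/_layouts/15/embed.aspx?UniqueId=1"></iframe>
<a href="https://web.microsoftstream.com/video/1">old link</a>
<script src="https://microsoftstream.com.example.net/player.js"></script>
</div>"""

if __name__ == "__main__":
    for line, tag, url, kind in audit_html(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> {kind} -> {url}")
```

Findings of kind `embed` are the ones that render third-party content inside the page without a click; `link` findings only matter once a user follows them.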