Microsoft’s obscure ‘Self Service for Mobile’ Office activation

Microsoft requires product activation after installation. Users of Microsoft Office are currently facing trouble during telephone activation. After dealing with this issue, I came across another obscure behavior: Microsoft’s ‘Self Service for Mobile’ solution to activate Microsoft Office via mobile devices.




Microsoft describes how to activate Microsoft Office 2013, 2016 and Office 365 within this document. There are several ways to activate an installed product, via Internet or via telephone for instance. Activation by phone is required if the maximum Internet activation threshold is reached.

But Office activation by phone fails

Within my blog post Office Telephone activation is no longer supported error I’ve addressed the basic issue. If a user re-installs Office, the phone activation fails. The activation dialog box shows the message “Telephone activation is no longer supported for your product”.

Microsoft has confirmed this issue for Office 2016 users having a non-subscriber installation. But users of Microsoft Office 2010 or Microsoft Office 2013 are also affected.

A blog reader posted a tip: Use Mobile devices activation…

Back in January 2017, I posted an article, Office 2010: Telefonaktivierung eingestellt? – Merkwürdigkeit II, about the Office 2010 telephone activation issue on my German blog. A reader then pointed me, in a comment, to a Self Service for Mobile website. The link http: // bit.ly/2cQPMCb, shortened by bit.ly, points to the website https: // microsoft.gointeract.io/mobileweb/ (Link broken)… which provides the ability to activate Microsoft Office (see screenshot below).

After selecting a 6 or 7 digits entry, an activation window with numerical buttons to enter the installation id is shown (see screenshots shown below). The user has to enter the installation id and receives the activation id – plain and simple. Some users commented on my German blog that this feature works like a charm.



Obscurity, conspiracy, oh my God, what have they done?

I didn’t inspect the posted link until writing last Friday’s blog post Office Telephone activation is no longer supported error. My idea was to mention the “Self Service for Mobile” page within the new article. I managed to alter the link to direct it to the English Self Service for Mobile language service site. Suddenly I noticed that both the German and the English “Self Service for Mobile” sites use https, but are flagged as “unsecure” in Google Chrome (see the screenshot below, showing the German edition of this web page).

The popup shown for the web site „Self Service for Mobile“ says that there is mixed content (images) on the page, so it’s not secure. That caught my attention, and I started to investigate the details. Below are the details for the German version of the web site shown in Google Chrome (but the English web site has the same issues).

  • First of all, I noticed that the „Self Service for Mobile“ site doesn’t belong to a microsoft.com domain – in my view a must for a Microsoft activation page.
  • Inspecting the details, I found out that the site contains mixed content (an image contained within the site was delivered via http). The content of the site was also delivered by Cloudflare (I’ve never noticed that case for MS websites before).
  • The image flagged in the mixed content issue was the Microsoft logo, shown within the site’s header, transferred via http.
  • The certificate was issued by Go Daddy (a US company) and expires in March 2017. I’ve never noticed that Go Daddy belongs to Microsoft.
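
Two of the checks from the list above, written out as an added example (not code from the original post or from Microsoft): whether the activation host really sits under microsoft.com, and whether an https page fetches subresources over http. The sample HTML, its image and script URLs, and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}


class SubresourceCollector(HTMLParser):
    """Collect absolute URLs of subresources referenced by a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.resources.append((tag, urljoin(self.page_url, value)))


def mixed_content(page_url, html):
    """Return (tag, url) pairs fetched over http from an https page."""
    if urlsplit(page_url).scheme != "https":
        return []
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    return [(t, u) for t, u in collector.resources if urlsplit(u).scheme == "http"]


def host_belongs_to(page_url, vendor_domain):
    """True only if the host is the vendor domain or a subdomain of it."""
    host = (urlsplit(page_url).hostname or "").lower().rstrip(".")
    vendor = vendor_domain.lower()
    return host == vendor or host.endswith("." + vendor)


# Constructed sample markup; the image and script URLs are placeholders.
PAGE_URL = "https://microsoft.gointeract.io/mobileweb/"
SAMPLE_HTML = """
<html><head><link rel="stylesheet" href="/css/app.css"></head>
<body><img src="http://img.example/microsoft-logo.png" alt="Microsoft">
<script src="https://cdn.example/app.js"></script></body></html>
"""

if __name__ == "__main__":
    print("under microsoft.com:", host_belongs_to(PAGE_URL, "microsoft.com"))
    print("mixed content:", mixed_content(PAGE_URL, SAMPLE_HTML))
```

The host check compares from the right-hand end of the name, so a leading label such as "microsoft" in front of another organisation's domain does not pass.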

I came across Go Daddy while analyzing a phishing campaign months ago. A compromised server, used as a relay by a phishing campaign, was hosted (according to Whois records) by Go Daddy. But my take-down notice sent to Go Daddy was never answered. That set all the alarm bells ringing in my head, because it’s a typical behavior used in phishing sites. My further findings also didn’t calm the alarm bells in my head.

  • The subdomain microsoft used above doesn’t belong to a Microsoft domain, it points to a domain gointeract.io.
  • Trying to obtain details about the owner of gointeract.io via WhoIs ended with the following record.
Domain : gointeract.io
Status : Live
Expiry : 2021-03-14

NS 1   : ns-887.awsdns-46.net
NS 2   : ns-1211.awsdns-23.org
NS 3   : ns-127.awsdns-15.com
NS 4   : ns-1980.awsdns-55.co.uk

Owner OrgName : Jacada

Check for 'gointeract.sh' --- http://www.nic.sh/go/whois/gointeract.sh
Check for 'gointeract.ac' --- http://www.nic.ac/go/whois/gointeract.ac

Pretty short, isn’t it? No Admin-C, no contact person, and Microsoft isn’t mentioned at all, but the domain has been registered till 2021. The Owner OrgName Jacada was unknown to me. Searching the web didn’t give me more insights at first. Overall, the whole site looks obscure to me. The tiny text, shown within the browser’s lower left corner, was a hyperlink. The German edition of the „Self Service for Mobile“ site opens a French Microsoft site – the English site opens an English Microsoft site.

My first conclusion was: Hell, I was tricked by a phishing comment – somebody set up this site to grab installation ids of Office users. So I deactivated the link within the comment and I posted a warning within my German blog post, not to use this „Self Service for Mobile“ site. I also tried to contact the user, who has posted the comment, via e-mail.

… but “Microsoft” provides these links …

User JaDz responded immediately in an additional comment, and wrote that the link shortened via bit.ly had been sent from Microsoft via SMS – after he tried the telephone activation and selected the option to activate via a mobile device. I hadn’t noticed that before – so my conclusion was: Hell, this obscure „Self Service for Mobile“ site is indeed related to Microsoft.

Then I started a web search again, but this time with the keywords Jacada and Microsoft. Google showed several hits, pointing to the site jacada.com (see screenshot below).

It seems that Jacada is a kind of service provider for several customers. I wasn’t able to find Microsoft within the customer references. But I know that Microsoft used external services for some activities.

Now I suppose, that somebody from Jacada set up the „Self Service for Mobile“ activation site. The Ajax code used is obviously able to communicate with Microsoft’s activation servers and obtain an activation id. And Microsoft’s activation mechanism provides an option to send the bit.ly link via SMS.

Closing words: Security by obscurity?

At this point I was left really puzzled. We are not talking about a startup located within a garage. We are dealing with Microsoft, a multi-billion company, that claims to run highly secured and trustable cloud infrastructures worldwide. But what’s left, after we wipe off the marketing stuff?

The Office activation via telephone is broken (Microsoft confirmed that, after it was reported by customers!). A customer who needs to activate a legally owned, but re-installed, Microsoft Office is facing a nasty situation. Telephone activation is refused, and the customer will be (wrongly) notified that this option is no longer supported. Internet activation is refused due to “too many online activations” – well done.

But we are not finished yet. They set up a „Self Service for Mobile“ activation site in a way that is frequently used by phishers. They are sending links via SMS to this site requesting to enter sensitive data like install ids. A site that is using mixed content via https, and is displaying an activation id. In my eyes a security nightmare.

But maybe I’ve overlooked or misinterpreted something. If you have more insights or an idea, or if my assumptions are wrong, feel free to drop a comment. I will try to reach out and ask Microsoft for a comment about this issue.

Addendum: The 1st link is broken, but another reader (see comments below) posted the new link https://bit.ly/2NTU6Oe (https://microsoft.gointeract.io/interact/index?accountId=microsoft&appkey=196de13c-e946-4531-98f6-2719ec8405ce). The link points to a website that provides the ability to activate Microsoft Office (go to Product Activation, see screenshot above).


13 Responses to Microsoft’s obscure ‘Self Service for Mobile’ Office activation

  1. Pingback: Born: Office activation site controlled by a non-Microsoft company @ AskWoody

  2. Bob Lee says:

    Today we had a similar issue whereby Phone activation shows this warning “Telephone activation is no longer supported for your product”. This is required due to a change in machine for the user.

    Luckily Googling the error message led to a page where Microsoft provides a list of numbers that you can call based on the country you’re currently at.

    Calling Microsoft took less than 5 mins in total and our MS Office 2016 was activated again.

    But ya, I think the Self Service for Mobile activation method shouldn’t be there in the first place. It seems too troublesome to go through.

  3. One says:

    Self Service for mobile did not work for me: After entering the Installation ID only a blank page appeared.

  4. Andes says:

    The link is no longer valid.
    No good, please update the link.

  5. Jeremy Stuart says:

    Hi,
    I have been using the self service online activation for a few years now. I also got the sms from Microsoft (?) when doing the early stages of telephone activation.
    The online service stopped working around 2 weeks ago approximately and I contacted Microsoft today on live chat – 1st June 2018 and they claim it is a 3rd party site and has nothing to do with Microsoft. My only question is, if the site was recommended from Microsoft when doing telephone activation, how can it be nothing to do with them? Are they suggesting their phone activation system was hacked? Quite possible. I know BTs call centres were infiltrated by the dreaded phone scam people because one of my clients phoned BT and after speaking with them the representative PASSED them on to someone claiming to be from Microsoft who then proceeded to try to scam them out of money for phoney advice about PC problems they didn’t have! What a world we live in, eh?!
    It’s such a shame that the online activation is no longer working as I used it regularly and it worked a treat and was so much more convenient than dialling the phone number and waiting whilst the phone voice repeats what you’ve heard a million times already (if you work in the trade) – sooooo boring and annoying.
    I think Microsoft should get on it and produce an activation by web service. I thought they were meant to be innovative?
    Anyhow, just wanted to post an update. Interestingly, there is very little about this web site online, I could only find about 4 mentions of it on some online forums, so perhaps not many people were using it. After activation you could leave feedback and I told them several times how brilliant I thought the service was…
    J Stuart – Midlands, UK. PC engineer.


  7. mark says:

    The product activation link says it is expired

  8. Tim says:

    Yeah, here we are once again…

    • guenni says:

      Yea, it’s the old question – better use free software. Obviously the link expired, leaving users in the cold. Currently also Windows activation servers are down (see here). I’m glad my old Word 2000 licence needs no activation.
