The domain once used by Microsoft Stream Classic, microsoftstream.com, was hijacked on March 27 and redirected to a fake Amazon-themed site promoting a Thailand-based online casino.
For several hours, organizations relying on legacy video embeds in SharePoint saw those videos replaced by gambling ads. The incident occurred over a year after Microsoft officially retired Stream Classic, exposing how outdated links tied to long-decommissioned services can quietly become liabilities.
These video embeds, still common in many intranet portals, were originally configured to point to Stream Classic before Microsoft shifted its video hosting architecture to SharePoint. The hijacked redirect affected internal training pages, dashboards, and other enterprise content. The spam was eventually taken down, but not before it raised red flags among SharePoint admins and security observers.
According to BleepingComputer, WHOIS records confirm that changes to the domain were made on the same day the redirect appeared—March 27. Microsoft responded by stating, “We are aware of these reports and have taken appropriate action to further prevent access to impacted domains.” However, no technical explanation has been offered regarding whether the company lost control of the domain or allowed it to lapse.
The redirect was captured and archived by the Wayback Machine. You can view the archived version of the hijacked domain as it appeared that day.
Admins Discover Spam Injected into SharePoint Layouts
Initial reports surfaced on Reddit, where one administrator wrote: “This afternoon, a user reported a suspicious website on our intranet, that is using microsoftstream.com. After some analysis, it turns out the domain is currently redirecting to a sketchy website signed by ‘Ibiza99’.”
Another user echoed the concern in a separate thread, writing that the “SharePoint site was showing spam instead of embedded videos… using embedded video from an aspx page on the SharePoint layout.” A different admin noted: “It is definitely showing spam.”
The structure of these embeds means injected spam appeared inside trusted corporate environments. While no malware was observed, the visual disruption alone introduced reputational and usability concerns, especially in sensitive internal communications spaces.
Stream Classic Was Still Used by Many Organizations
Stream Classic was first launched in 2016 as a video hosting service for businesses using Office 365. As Microsoft gradually overhauled its content services, it announced that Stream Classic would be phased out. The company gave customers years to prepare for the transition to SharePoint-based video hosting through a new version called Stream (on SharePoint).
Official guidance from Microsoft advised organizations to migrate their video content and update embedded links well ahead of the deprecation date. This process was detailed last year in Microsoft’s Stream Classic to SharePoint migration documentation. Despite these warnings, many enterprises left their embedded links unchanged, resulting in dormant references to the now-hijacked domain.
While Microsoft had initially announced retirement plans in 2020, Stream Classic was officially retired on February 15, 2024. Notably, microsoftstream.com was still pointing to Microsoft login pages as recently as late 2023, suggesting the domain had been functioning normally until shortly before the hijack occurred.
Hijack Highlights Lingering Risks of Legacy Infrastructure
For companies that successfully migrated to Stream (on SharePoint), the hijack likely went unnoticed. But for those still relying on embeds that were never updated, the incident turned internal content into an unintended promotional vehicle for online gambling.
The broader implication is clear: legacy links tied to decommissioned services can linger for years, often without oversight. When those domains fall out of corporate control, they can be repurposed in ways that compromise trust, even if the redirect is relatively harmless.
Adding to the concern, a report published by KnowBe4 on March 27 revealed a surge in phishing campaigns that hijack legitimate Microsoft communications—like invoice emails—and use mail flow rules to mass-forward them. Although unrelated to the Stream incident, it illustrates the growing trend of exploiting trusted Microsoft branding to bypass security controls.
The Stream hijack didn’t involve credential theft or malware injection, but it created an opening for those tactics. With embedded video content now a core part of internal corporate infrastructure, even deprecated services have a long shadow. Organizations that rely on trusted branding—especially Microsoft 365 customers—may need to revisit old embeds, not just out of caution, but to ensure control over what shows up on their internal pages tomorrow.
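One way to carry out that review of old embeds, as an added example that is not from the original article or from Microsoft: a Python script that scans exported page HTML for embeds and links whose host is microsoftstream.com or a subdomain of it. The sample page, the hosts in it and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Retired domain named in the article; add other decommissioned hosts you track.
RETIRED_DOMAINS = {"microsoftstream.com"}
URL_ATTRS = {"src", "href", "data"}  # attributes that can load or link remote content

def is_retired_host(host):
    """True for the retired domain or any subdomain, not for lookalike hosts."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in RETIRED_DOMAINS)

class EmbedFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                # urlsplit also handles protocol-relative URLs ("//host/path")
                host = urlsplit(value.strip()).hostname
            except ValueError:
                continue  # malformed URL, nothing to match against
            if is_retired_host(host):
                self.hits.append((self.getpos()[0], tag, value.strip()))

def find_legacy_embeds(html):
    finder = EmbedFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample of an exported intranet page (not real tenant data).
SAMPLE_PAGE = """<div class="training">
<iframe src="https://web.microsoftstream.com/embed/video/00000000-0000-0000-0000-000000000000"></iframe>
<iframe src="//MicrosoftStream.com/embed/channel/example"></iframe>
<a href="https://notmicrosoftstream.com/video">lookalike host, must not match</a>
<a href="https://microsoftstream.com.example.net/">different domain, must not match</a>
<iframe src="https://contoso.sharepoint.com/sites/hr/video.aspx"></iframe>
</div>"""

if __name__ == "__main__":
    for line, tag, url in find_legacy_embeds(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> still references retired domain: {url}")
```

Matching on the parsed hostname rather than a substring search keeps lookalike hosts out of the results, so the report lists only references that would follow whoever controls the retired domain.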