Note: A special thanks to Ed Gibbs, WhoisXML API’s Advanced Threat Researcher & Technical Account Manager, for his help compiling the intelligence covered in this post.

Intranets are by definition meant for internal use only—employee communication, content management, and the like. They are part of the Deep Web where search engines can’t index sites, and unauthorized people shouldn’t be able to access them.

So why do we see dozens of what seemingly are intranet subdomains resolving to accessible pages?

We retrieved a list of subdomains that begin with the words “intranet” and “sharepoint” using Domains and Subdomains Discovery. The lists contained more than 20,000 subdomains, which we ran on Screenshot API to see what they look like when accessible. Below are our findings.

Examining Intranet Subdomain Resolutions

Our scrutiny of the screenshots led us to believe that the intranet has evolved to also mean extranet for some organizations. While an intranet is an internal network accessed by employees within the same network, an extranet refers to a private network where third parties can also communicate with an organization.

We cite the World Health Organization (WHO) as an example. The subdomain intranet[.]who[.]int was among those returned by Domains and Subdomains Discovery. This is what the page looks like, according to Screenshot API. There are three types of users—WHO employees, Pan American Health Organization (PAHO) staff, and external partners.

One reason why several intranet pages are accessible through the Internet could be that they also serve as an extranet for partners.

Three Subdomain Resolutions That Stood Out

While more than 2,000 subdomains resolved to live web pages, we can place most of them into three broad categories. These subdomains resolve to the following:

Intranet Login Pages

Most of the subdomains resolve to organizations’ intranet login pages, such as intranet[.]2business[.]co[.]mz, intranet[.]acj[.]es, and intranet[.]acumed[.]es. Below are a few examples of the screenshots.

Making these login pages available over the Internet widens the attack surface of the organizations that own them. Threat actors could instigate a brute-force attack or social engineering campaign to hack into some of these intranets successfully.

Microsoft and Google Account and Login Pages

A few of the subdomains resolved to Google account login pages when crawled by Screenshot API. However, an actual visit to some of them revealed 404 pages, including these subdomains:

• intranet[.]accemy[.]com
• intranet[.]advancebkg[.]com
• intranet[.]wmu[.]se
• intranet[.]witellsolutions[.]com
• intranet[.]widmer[.]bz

Another subdomain whose screenshot shows a Google account login page is intranet[.]activateleadership[.]co[.]za. Unlike the subdomains listed above, this subdomain redirects to a Google login URL flagged for phishing on VirusTotal.

Some subdomains also redirected to Microsoft login pages. However, among those that stood out are intranet[.]alisonbrooksarchitects[.]com and intranet[.]windcarrier[.]com since they redirect to suspicious Microsoft URLs beginning with login[.]microsoftonline[.]com, a Microsoft subdomain that has been used in phishing campaigns to deliver a malicious payload. WHO’s intranet login page for external partners redirects to a similar Microsoft login page, which is also tagged “suspicious.”

Unauthorized, Access Denied, or Home Page Resolutions

Several intranet subdomains are inaccessible and may have implemented IP address whitelisting. Examples of these are:

• intranet[.]aiurarquitectura[.]com
• intranet[.]aiohawaii[.]com
• intranet[.]alexsys[.]co[.]uk
• intranet[.]wormbins[.]com

Several Sharepoint subdomains also denied access, such as those shown below.

On the other hand, other organizations have set up subdomains to redirect to their home pages or other public web pages. Intranet[.]zlobki[.]waw[.]pl, for example, redirects to zlobki[.]waw[.]pl, while sharepoint[.]sfonline[.]org also redirects to the Signal Financial’s home page.

We also noticed an example where the subdomain intranet[.]alliexexpress[.]com resolves to best[.]aliexpress[.]com. Note the double “l” and “ex” in the first Internet property whereas the one it resolves to only has one “l” and “ex.”

When many organizations’ workforces still work remotely, it may be challenging to keep intranets away from the Internet. Some organizations may also need to use extranets to give other stakeholders internal access.

In doing so, cybersecurity measures must remain part of their strategy. The subdomain screenshots we uncovered in our short analysis show that some organizations may need to hide their intranets better.

If you’re a cybersecurity researcher interested in the subdomains featured in this study, feel free to contact us. We are open to research collaboration.