Huge Amount of Sites Found in Certificate Transparency Logs

I'm keeping an eye on the certificate transparency logs[1] using automated scripts. The goal is to track domain names (and their variations) of my customers, sensitive services in Belgium, key Internet players and some interesting keywords. Yesterday I detected a peak of events related to the domain ''. This domain, owned by Microsoft, is used to provide temporary remote access to Windows computers[2]. Microsoft allows you to use your own domain but provides also (for more convenience?) a list of available domains. Once configured, you are able to access the computer from a browser:

In my logs, just for yesterday, I found 49610 entries based on the domain ''. In many cases, the first part of the FQDN reveals clearly the name of the company or the business (ex: 'clinic', 'health', etc). Amongst those sites, approximately 500 were alive and reachable from anywhere.

Be careful when you use this feature because your chosen FDQN can be disclosed in certificate transparency lists and they are not only watched by blue teams!


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

I will be teaching next: Reverse-Engineering Malware: Advanced Code Analysis - SANS Gulf Region 2022


712 Posts
ISC Handler
Sep 24th 2019

Sign Up for Free or Log In to start participating in the conversation!