We have done our best to investigate and find out what the oot.rs domain is used for and who owns it.
One of our team first spotted this domain name when performing an MFA request via a Microsoft URL: they received the normal MFA text message and code, with this domain name listed as well. It seems to be some form of timed URL, as it only lasted for a short period of time. This is the first time we have seen it ourselves.
The lookups performed by users on URL Scan seem to back up this theory of a timed URL; if you check here ( https://urlscan.io/search/#page.domain%3Aoot.rs ) you can see all the domain lookups are very similar.
There is very little information online about this domain name; the only useful post we could find was this one on Reddit.
The domain name is not owned or registered by Microsoft, which is strange, as usually in Microsoft text messages you get a Microsoft-owned domain name.
The WHOIS lookup for the oot.rs domain name is shown below.
The domain was registered by a company called mCloud doo; their website is mcloud.rs and they are a hosting company based in Serbia. We can't find any link between Microsoft and mCloud doo.
On the domain name lookup for oot.rs we can see that the domain registrant was a company called Infobip doo and this company does work with Microsoft and provides MMS/SMS messaging services, so this may well explain the link on the text message we had.
After a bit more investigation work we found that Infobip are subprocessors authorized to access both customer data and personal data contained within Microsoft’s Online Services in the United Kingdom – as mentioned in this 2021 document. They appear in many parts of the official Microsoft website, including here.
Our final thoughts on this are that the company who registered the domain is working with Microsoft, and the displaying of the clickable link on the MFA text messages appears to be a one-off random occurrence that people get, maybe some form of misconfiguration at Microsoft’s or the supplier’s end.
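The checks described above (spotting an unfamiliar domain in an MFA text, then looking at the WHOIS registrar and registrant) can be scripted so a help desk or SOC can repeat them consistently. The following is an added example written for this post, not code from the original article or from Microsoft or Infobip. It assumes an organisation-maintained allowlist of domains it expects in Microsoft MFA messages (the two entries shown are placeholders to be replaced with your own observations), and it parses a WHOIS record in a simple "Key: Value" layout. The SMS body and the WHOIS text are constructed for the example; the WHOIS values mirror what the post reports (registrar mCloud doo, registrant Infobip doo), not a live lookup.

```python
"""Triage helper for links that appear in MFA text messages (added example)."""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# Assumption: domains this organisation has decided it expects to see in
# Microsoft MFA SMS. Example entries only; maintain your own list.
EXPECTED_SENDER_DOMAINS = {"microsoft.com", "aka.ms"}

# Hosts inside http(s) URLs, and bare domains such as "oot.rs" written in text.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
BARE_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

# Constructed sample message; the path after the domain is a placeholder.
SAMPLE_SMS = "Use verification code 123456 for Microsoft authentication. https://oot.rs/EXAMPLE"

# Constructed WHOIS-style text reflecting the registrar/registrant the post found.
SAMPLE_WHOIS = """Domain Name: oot.rs
Registrar: mCloud doo
Registrant: Infobip doo
"""


def extract_domains(sms_body: str) -> Set[str]:
    """Return every domain referenced in the message, lowercased."""
    found = {m.lower() for m in URL_RE.findall(sms_body)}
    found |= {m.lower() for m in BARE_DOMAIN_RE.findall(sms_body)}
    return found


def is_expected(domain: str) -> bool:
    """True when the domain is, or is a subdomain of, an allowlisted sender domain."""
    return any(domain == d or domain.endswith("." + d) for d in EXPECTED_SENDER_DOMAINS)


@dataclass
class WhoisSummary:
    registrar: Optional[str] = None
    registrant: Optional[str] = None


def summarise_whois(text: str) -> WhoisSummary:
    """Pull the registrar and registrant out of 'Key: Value' WHOIS lines."""
    summary = WhoisSummary()
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "registrar":
            summary.registrar = value
        elif key in ("registrant", "registrant organization", "registrant organisation", "registrant name"):
            summary.registrant = value
    return summary


@dataclass
class Finding:
    domain: str
    expected: bool
    whois: WhoisSummary = field(default_factory=WhoisSummary)


def triage(sms_body: str, whois_lookup: Callable[[str], str]) -> List[Finding]:
    """Flag every domain in the message that is not on the allowlist.

    whois_lookup is injected so the function can be run offline with canned
    text (as below) or wired to a real WHOIS client in production.
    """
    findings = []
    for domain in sorted(extract_domains(sms_body)):
        expected = is_expected(domain)
        whois = WhoisSummary() if expected else summarise_whois(whois_lookup(domain))
        findings.append(Finding(domain, expected, whois))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SMS, lambda _domain: SAMPLE_WHOIS):
        status = "expected" if f.expected else "UNEXPECTED"
        print(f"{f.domain}: {status}; registrar={f.whois.registrar}; registrant={f.whois.registrant}")
```

Run on the sample message it reports oot.rs as unexpected together with the registrar and registrant, which is the information a help-desk analyst needs to decide whether the link is a supplier domain (as this post concluded) or something to escalate. Unexpected domains are a prompt for the WHOIS and urlscan checks, not a verdict on their own.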
As ever, if you have any further thoughts on this please let us know.
Blogger at www.systemtek.co.uk