Zero Day Quest Live Hacking Event 2025 (original) (raw)
As announced in the MSRC Blog, Securing AI and Cloud with the Microsoft Zero Day Quest, the Microsoft Zero Day Quest invites security researchers to discover and report high-impact vulnerabilities in Microsoft Copilot and Cloud Bounty Programs: Microsoft Azure, Microsoft Identity, M365, and Microsoft Dynamics 365 and Power Platform. This new program provides new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers to share, learn, and build community as we work to keep everyone safe.
Zero Day Quest has two distinct opportunities:
- A Research Challenge (open to everyone) - Closed
- An onsite Live Hacking Event (invite only) - Closed
The Zero Day Quest Live Hacking Event is Microsoft’s inaugural security research-focused event and celebration to be hosted onsite at the Microsoft Campus in Redmond, Washington in April, 2025. This event will foster new and deepening existing partnerships with MSRC, product teams, and external researchers, raising the security bar for all.
This is an invite-only event extended to Microsoft’s top 10 ranked researchers from each of the 2024 Quarterly and 2024 Annual Azure, Dynamics, and Office Leaderboards. Researchers who were not ranked on leaderboards were also given the opportunity to qualify for the event through the Zero Day Quest Research Challenge which ran between November 19, 2024 and January 19th, 2025.
NOTE: Researchers who have not received an invitation to this event are not eligible for the awards listed below.
The Zero Day Quest Live Hacking Event was invite-only and ran from 12:00 AM Pacific Time, March 3, 2025, through 11:59 AM Pacific Time, April 3, 2025.
The Live Hacking Event will be subject to the terms of our bounty program, outlined in the Microsoft Bounty Terms and Conditions,our bounty Safe Harbor policy, and additional terms and conditions for the Research Challenge. First-time researchers are encouraged to review the MSRC Researcher Resource Center as well as the definitions surrounding eligible submissions, in-scope, and out-of-scope vulnerabilities before getting started. This information can be found in the respective bug bounty programs listed below.
Bounty Programs in Scope:
OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES
Please refer to the out-of-scope sections of the following bounty programs, Copilot, Azure, Identity, M365, Dynamics & Power Platform.
Bounty multipliers for the categories below will be applied to valid, Important or Critical severity issues that align with the existing Microsoft Copilot, Azure, Identity, M365, and Dynamics & Power Platform Programs. These bonuses are effective only for the duration of the Live Hacking Event.
*If you submit a valid issue that is eligible for both General Award multipliers and High Impact Scenario multipliers, then you will receive the High Impact Scenario multiplier.
NOTE: Please refer to specific bounty program terms for eligible in-scope vulnerabilities and reward amounts. These multipliers are valid only for the invite-only Zero Day Quest Live Hacking Event.
We’re launching a series of time-sensitive challenges with hidden flags for our researchers to uncover! The first researcher to capture a flag in any of the scenarios listed below will earn an exclusive one-time award. This award is standalone and will not be combined with the base bounty and multiplier.
The SharePoint Online and Exchange Online flash challenges ran from 09:00 AM Pacific Time, March 20, 2025, through 11:59 AM Pacific Time, April 3, 2025.
The Copilot flash challenge ran from 10:00 AM Pacific Time on March 26, 2025, through 11:59 AM Pacific Time on April 3, 2025.
TARGET INFORMATION
- Products: SharePoint Online and Exchange Online
- Users in this tenant have Teams Enterprise + Microsoft 365 E5 licenses.
- Your credentials and high-level tenant details have been emailed to you directly!
- Product: Copilot
- Access Microsoft Copilot here and log in or register for a personal account.
OUT OF SCOPE
For the SharePoint Online and Exchange Online challenges, please refer to the out-of-scope section for the M365 Bounty Program, in addition to the following:
- Cross Site Scripting vulnerabilities
- Vulnerabilities found in on-prem versions of the application
- Vulnerabilities requiring user interaction or significant preconditions
- Vulnerabilities relying on third party code or extensions
- Vulnerabilities relying upon email spoofing
For the Copilot challenge, please refer to the out-of-scope section for the Copilot Bounty Program.
SHAREPOINT ONLINE CHALLENGE SCENARIOS & AWARDS
| Scenario | Award |
|---|---|
| Authentication Bypass - Cross TenantStarting as a user outside the https://a830edad90508494k1gobawlzjg.sharepoint.com/ tenant, access the contents of the document at this URL: https://a830edad90508494k1gobawlzjg-my.sharepoint.com/personal/admin_a830edad90508494k1gobawlzjg_onmicrosoft_com/Documents/x-tenant%20flag.docx | $100,000 |
| Authorization Bypass - Within TenantStarting as a user within the https://a830edad90508494k1gobawlzjg.sharepoint.com/ tenant, access the contents of the document at this URL: https://a830edad90508494k1gobawlzjg-my.sharepoint.com/personal/admin_a830edad90508494k1gobawlzjg_onmicrosoft_com/Documents/flag.docx | $50,000 |
| SQL InjectionExfiltrate the contents of an entire table from SharePoint's internal database system. | $50,000 |
| Remote Code ExecutionLaunch a process in the SharePoint Online backend with a command line that contains this GUID: 6e77e3dc-966a-4e4b-9571-9847830c78ff | $25,000 |
| Arbitrary File WriteWrite a file to the SharePoint Online filesystem with the following file name: 1f767325-fcc9-4693-aa3e-537a62ae9987.dll | $25,000 |
| High-Privileged Entra Token LeakCapture an Entra token issued to a Microsoft first-party application that grants app-only access to SharePoint content, directly or through MS Graph. This must be a token issued to an app owned by Microsoft, not an app that you developed yourself. Entra tokens can be decoded at https://jwt.ms. An app-only token has these properties:No xms_spcu claimOne or more of the following:idtyp claim = "app"oid claim value matches the sub claim valuever claim = "service_asserted_app_v1" For direct SharePoint access: aud claim = "00000003-0000-0ff1-ce00-000000000000"For SharePoint content access via MS Graph: aud claim = "https://graph.microsoft.com/"Roles claim contains any Sites.* or Files.* roles | $15,000 |
EXCHANGE ONLINE CHALLENGE SCENARIOS & AWARDS
| Scenario | Award |
|---|---|
| Authentication Bypass - Cross TenantStarting as a user outside the a830edad90508494k1gOBawLZjg.onmicrosoft.com tenant, find the flag shared in an email between the nick@ and shield@ users | $100,000 |
| Authorization Bypass - Within TenantStarting as a user within the a830edad90508494k1gOBawLZjg.onmicrosoft.com tenant, find the flag shared in an email between the nick@ and shield@ users | $50,000 |
| Remote Code ExecutionLaunch a process in the Exchange Online backend with a command line that contains this GUID: c5e20784-2f96-4d65-8946-2c7c53bb2997 | $25,000 |
| Authorization Bypass - Within TenantStarting as a user within the a830edad90508494k1gOBawLZjg.onmicrosoft.com tenant, add a calendar event with the title or description as 38cb95b5-17a8-46af-9e89-9a2e91ae6733 to the shield@ user account. The calendar invite must show as originating from shield@, the invite cannot simply be sent to the user. | $15,000 |
COPILOT CHALLENGE SCENARIO & AWARD
| Scenario | Award |
|---|---|
| Access another user's conversation historyUsing your own personal test account (MSA), gain access to the user's (user id: ugDgZrfx1NLm4yAbLAJh3) conversation history. | $50,000 |
The goal of the bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers using the latest version of the application.
Vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- Identify a vulnerability that was not previously reported to, or otherwise known by, Microsoft.
- Such vulnerability must be of previously unreported Critical or Important severity and must reproduce in one of the in-scope products or services.
- Include clear, concise, and reproducible steps, either in writing or in video format, providing our engineering team with the information necessary to quickly reproduce, understand, and fix the issues
Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria. For additional details, please refer to the specific Microsoft Copilot, Microsoft Azure, Microsoft Identity, M365, and Microsoft Dynamics 365 and Power Platform bounty program page.
Submit through the MSRC Researcher Portal and follow the instructions.
Please include the following in your submissions:
- ZDQ in the title of your submission
- Targeted bonus categories
- Full proof of concepts
- Videos will assist in increasing the timeliness of the assessment of your submissions
If you discover customer or Microsoft data while conducting your research, or are unclear if it is safe to proceed, please stop and contact us at bounty@microsoft.com. The following are not permitted:
- Gaining access to any data that is not wholly your own.
- For example, you are allowed and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these accounts to access the data that is not your own.
- Moving beyond “proof of concept” repro steps for server-side execution issues
- For example, proving that you have sysadmin access with SQLi is acceptable, running xp_cmdshell is not).
- Any kind of Denial of Service testing.
- Performing automated testing of services that generates significant amounts of traffic.
- Attempting phishing or other social engineering attacks against others, including our employees. The scope of this program is limited to technical vulnerabilities in the specified Microsoft Online Services.
- Using our services in a way that violates the terms for that service.
Please see the specific bounty program for additional details. Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.
To help you with your Zero Day Quest submissions, check out sessions from the AI Red Team, Microsoft Security Response Center, and Dynamics teams: