According to cybersecurity researchers, potential adversaries might leverage an unpatched security weakness in the protocol used by Microsoft Azure Active Directory to conduct undetected brute-force attacks.
Threat actors can use this vulnerability to launch single-factor brute-force attacks against Azure Active Directory (Azure AD) without triggering sign-in events in the tenancy of the targeted enterprise.
Azure Active Directory is the enterprise cloud-based identity and access management (IAM) solution from Microsoft. It is designed for SSO (single sign-on) and multi-factor validation. It’s also a key feature of Microsoft 365 (previously Office 365), enabling OAuth authentication to other apps.
The flaw is in the Seamless Single Sign-On function, which enables employees to sign in instantly while using business devices linked to corporate networks without inputting any passwords.
To achieve this, the process uses the Kerberos protocol to search for the matching user object in Azure AD and provide a ticket-granting ticket (TGT), allowing the user to access the requested resource.
However, for users of Exchange Online who have Office clients older than the Office 2013 May 2015 upgrade, the authentication is handled by “UserNameMixed,” a password-based API that provides an error code or access token depending on whether the credentials are acceptable.
It is these error codes that are the problem’s source. While successful authentication events generate sign-in logs when access tokens are sent, “Autologon’s authentication to Azure AD is not reported,” allowing brute-force cyberattacks through the UserNameMixed endpoint to go unnoticed.
When questioned about the situation, Microsoft stated that they have investigated the allegations and found that the approach described does not entail a security weakness and that safeguards have been put in place to keep users safe and secure.
Microsoft further highlighted that the APIs above are already protected against brute-force attacks. The tokens given by the UserNameMixed API do not grant access to data. They must be submitted back to Azure AD to acquire the genuine tokens.
