New Azure AD Bug Lets Hackers Brute-Force Passwords Without Getting Caught

Cybersecurity researchers have disclosed an unpatched security vulnerability in the protocol used by Microsoft Azure Active Directory that potential adversaries could abuse to stage undetected brute-force attacks.

“This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory without generating sign-in events in the targeted organization’s tenant,” researchers from Secureworks Counter Threat Unit said in a report published on Wednesday.

Azure Active Directory is Microsoft’s enterprise cloud-based identity and access management solution designed for single sign-on and multi-factor authentication.

The weakness resides in the Seamless Single Sign-On feature that allows employees to automatically sign when using their corporate devices that are connected to enterprise networks without having to enter any passwords.

To achieve this, the mechanism relies on the Kerberos protocol to look up the corresponding user object in Azure AD and issue a ticket-granting ticket, permitting the user to access the resource in question.

Secureworks said it notified Microsoft of the issue on June 29, only for Microsoft to acknowledge the behavior on July 21 as “By design.” We have reached out to the company for further comment, and we will update the story if we hear back.

Follow Us

Contact a Specialist

Discover why 1,000+ organizations trust our expertise to improve their cybersecurity.

Recent Posts