New Azure AD Bug Lets Hackers Brute-Force Passwords Without Getting Caught


Microsoft azure active directory

Cybersecurity researchers have disclosed an unpatched security vulnerability in the protocol used by Microsoft Azure Active Directory that potential adversaries could abuse to stage undetected brute-force attacks.

“This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory (Azure AD) without generating sign-in events in the targeted organization’s tenant,” researchers from Secureworks Counter Threat Unit (CTU) said in a report published on Wednesday.

Azure Active Directory is Microsoft’s enterprise cloud-based identity and access management (IAM) solution designed for single sign-on (SSO) and multi-factor authentication. It’s also a core component of Microsoft 365 (formerly Office 365), with capabilities to provide authentication to other applications via OAuth.

Read more…