The issue was reported to Microsoft by SecureWorks on June 29, although at least one other researcher, Dirk-jan Mollema, reported it to Microsoft last year. SecureWorks issued a private security advisory on Sept. 24, according to Ars Technica, which first reported on it. SecureWorks published the content of that private advisory in a public blog post on Wednesday.
SecureWorks says there’s a flaw in the protocol that is used as part of Azure Active Directory’s Seamless Single Sign-On feature.
“This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory (Azure AD) without generating sign-in events in the targeted organization’s tenant,” SecureWorks says.
An attack can be initiated remotely, says Nestori Syynimaa, who is a senior principal security researcher with the SecureWorks Counter Threat Unit. If a brute-force attack is successful, an attacker wouldn’t be able to get access to an MFA-enabled account, but not all organizations have MFA enabled, he says.
Also, Azure AD will indicate when a password is valid. That means that even if MFA is enabled, an attacker will get confirmation of the password, he says. If the password has been reused on other services, that poses an account takeover risk.
Microsoft had initially told SecureWorks that Azure AD was working by design. But Syynimaa says the company indicated on Wednesday night that it will make two technical changes that drastically reduce the risk. That’s fortunate, as a proof-of-concept attack has emerged.