The flaw was discovered in June by Counter Threat Unit (CTU, but not that of 24 h Chrono) researchers from SecureWorks. It “ allows malicious actors to carry out single-factor brute force attacks against AAD without generating connection events ”, when the Seamless Single Sign-On service is enabled .
In short, this means that hackers can try as many times as they want to guess a password. The infrastructure does not log attempts, letting them do it and start over without anyone being alerted.
The problem, according to the researchers, lies in the use made of the Kerberos protocol, often used by Microsoft for everything related to SSO. As explained by Ars Technica, some predicted error codes are incorrectly recorded, paving the way for attack scenarios.
According to the researchers, the mechanism could be used in any which company using Microsoft 365 or Azure Active Directory, including those using Pass-through Authentication (PTA).
However, SecureWorks only classifies this vulnerability as “medium” dangerousness. Ease of operation actually stems directly from the complexity of the password: just because a breach allows brute force to do so does not mean that a word will be easily found. Brute force attacks are expensive.
Still according to the researchers, Microsoft would have responded that this was intended behavior. In other words, it wouldn’t be a bug, but a function. The company did not respond to requests from Ars Technica.
