"MFA Bypass Bugs Opened Microsoft 365 to Attack"

Researchers have found bugs in the multi-factor authentication system used by Microsoft's cloud-based office productivity platform, Microsoft 365.  The flaws exist in the implementation of what is called the WS-Trust specification in cloud environments where WS-Trust is enabled and used with Microsoft 365.  Researchers say that WS-Trust is an “inherently insecure protocol.”  Microsoft's implementation of the standard gives attackers a number of ways to bypass multi-factor authentication and access cloud services.  The flaws could allow adversaries to carry out various attacks, such as real-time phishing and channel hijacking.

Threatpost reports: "MFA Bypass Bugs Opened Microsoft 365 to Attack"