"New Azure Active Directory Password Brute-Forcing Flaw Has No Fix"

A bug recently discovered in the implementation of Azure Active Directory (AD) enables single-factor brute-forcing of a user's AD credentials. An attacker gets unlimited attempts at guessing a user's username and password, because these attempts are not logged by the server. The Secureworks Counter Threat Unit (CTU) research team discovered the flaw in the protocol used by the Azure AD Seamless Single Sign-On (SSO) service. According to the team, threat actors can use this flaw to perform single-factor brute-force attacks against Azure AD without generating sign-in events in the targeted organization's tenant. The lack of visibility into failed sign-in attempts is a problem because most security tools and countermeasures that detect brute-force or password-spraying attacks rely on sign-in event logs and look for specific error codes. This article continues to discuss findings surrounding the Azure AD password brute-forcing flaw.
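To make concrete what the summary says most detection relies on, the following is an added example (not from the article, Secureworks or Microsoft) of a simple password-spray rule over Azure AD sign-in records. The record shape, the error codes 50126 and 50053, and all sample data are assumptions constructed for the illustration: against a logged spray the rule fires, against the view the Seamless SSO flaw leaves behind there is nothing for it to inspect.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Azure AD error codes a spray rule typically keys on (assumption about the
# "specific error codes" the summary mentions): 50126 = invalid username or
# password, 50053 = account locked after repeated failures.
BAD_PASSWORD_CODES = {50126, 50053}

def parse_time(iso):
    """Parse the ISO-8601 UTC timestamps used in Azure AD sign-in records."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def detect_spray(events, window=timedelta(minutes=10), threshold=5):
    """Return {ipAddress: sorted users} for each source IP with at least
    `threshold` bad-password sign-ins against two or more distinct users
    inside `window`. The rule only sees attempts that produced a record."""
    failures = defaultdict(list)  # ip -> [(time, userPrincipalName)]
    for ev in events:
        if ev["status"]["errorCode"] in BAD_PASSWORD_CODES:
            failures[ev["ipAddress"]].append(
                (parse_time(ev["createdDateTime"]), ev["userPrincipalName"]))
    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = [u for t, u in attempts[i:] if t - start <= window]
            if len(users) >= threshold and len(set(users)) >= 2:
                hits[ip] = sorted(set(users))
                break
    return hits

def event(minute, upn, ip, code):
    """Build one constructed sign-in record in the Graph signIns shape (assumed)."""
    return {"createdDateTime": f"2021-09-29T10:{minute:02d}:00Z",
            "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code}}

# Constructed sample: a spray from one IP that *is* logged (normal sign-in
# endpoint), plus a legitimate user who mistypes a password once.
LOGGED_SPRAY = [event(m, f"user{m}@contoso.example", "203.0.113.7", 50126)
                for m in range(6)] + [event(30, "alice@contoso.example", "198.51.100.2", 50126)]

# Constructed view of the same spray sent via the flawed Seamless SSO endpoint:
# the failed attempts generate no sign-in events, so only the mistype remains.
SEAMLESS_SSO_VIEW = [event(30, "alice@contoso.example", "198.51.100.2", 50126)]

if __name__ == "__main__":
    print("logged endpoint:", detect_spray(LOGGED_SPRAY))
    print("seamless SSO view:", detect_spray(SEAMLESS_SSO_VIEW))
```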

Ars Technica reports "New Azure Active Directory Password Brute-Forcing Flaw Has No Fix"
