New Azure AD Bug Lets Hackers Brute-Force Passwords Without Getting Caught (06th October 2021)

Ref# AL2021_33 | Date: Oct 6th 2021

Cybersecurity researchers from Secureworks Counter Threat Unit (CTU) have discovered an unpatched security vulnerability in the protocol used by Microsoft Azure Active Directory that potentially allows attackers to stage undetected brute- force attacks.


Microsoft Azure Active Directory is a cloud-based identity and access management solution outline for single sign-on (SSO) and multi-factor authentication. Its also a central component of Microsoft 365, with capabilities to provide authentication to other applications via OAuth.

Researchers from Secureworks CTU noticed the security flaw allows threat actors to carry out single-factor brute-force attacks against Azure Active Directory (Azure AD) without creating sign-in events in the targeted organization”s tenant.

How it works

The flaw resides in the Seamless Single Sign-On feature that allows employees to automatically sign on when using their corporate devices that are connected to enterprise networks without having to enter any passwords. Seamless SSO has an opportunistic feature for various benefits, where if the process fails, the login falls back to the default behaviour, where the users need to enter their password on the sign-in page.

To accomplish this form of attack, the structure relies on the Kerberos protocol to look up the corresponding user object in Azure AD and issue a ticket-granting ticket (TGT), allowing the user to access the resource. For users of Exchange Online with Office clients older than the Office 2013 2015 update, authentication is carried through a password-based endpoint called UsersNameMixed that can generate an access token or an error code depending on whether the credentials are valid.

Based on observations, these error codes are where the flaw stems from. Although successful authentication events create sign-ins logs upon sending the access

tokens, Autologon”s authentication to Azure AD is not logged thus enabling undetected brute-force attacks through the UserNameMixed endpoint.

For more information on this vulnerability, kindly follow this URL: force-attacks


Currently, there is no detailed patch available for this kind of vulnerability. However, Microsofts plan in weeks to come is to add logging to the Seamless Single Sign-On endpoint to ensure that all authentication and authorization show up in the logs which include successful, failed and abandoned sign in attempts.

As it relates to Brute-Force password spray attacks, the endpoint is protected with Azure AD Smart Lockout and IP lockout capabilities. These measures will allow customers to be able to respond to such attacks.
PDF Download: New Azure AD Bug Lets Hackers Brute Force Passwords Without Getting Caught.pdf