Microsoft downplays Azure AD design flaw enabling single-factor brute-force attacks [Update]

A login screen on Windows asking for security key

Cybersecurity is a constant battle between corporations implementing defensive mechanisms and malicious actors who are evolving to break them. This is even more problematic when a software developed by a big organization such as Microsoft is used by thousands of firms around the globe. Just a month ago, we learned that there is a now-patched flaw in Azure Cosmos DB, which potentially gave unrestricted access to data belonging thousands of corporations. Now, security researchers are issuing warnings about an alleged design weakness in Azure Active Directory (AAD) that allows single-factor brute-force attack.

As spotted by UK publication Computing, a security bulletin by researchers over at Secureworks Counter Threat Unit (CTU) indicates that there is a flaw in AAD which allows attackers to attempt single-factor brute-force attacks on a tenant. While this is problematic on its own, CTU also says that none of the sign-in events are logged. The security team says that Azure AD uses Windows' Kerberos protocol to provide seamless single sign-on (SSO), as shown in the diagram below:

A graphic showing the flow of SSO in Azure AD

While there is no problem in the flow above, CTU says that there is also an intermediate autologon usernamemixed endpoint that is utilized for username and password authentication. Its flow is as follows:

A graphic showing the flow of AAD autologon usernamemixed endpoint

CTU points out that even though logs are generated for successful sign-in at the end of step 3, there are no logs at all during step 2 when autologon is authenticating credentials. What this essentially means is that an attacker can use the usernamemixed endpoint for single-factor brute-force attacks and an organization won't know that they are being targeted. The malicious actor could eventually be able to sign in without there being a trace of their failed attempts. Since thresholds for auto-lockouts are based on logs, no mechanism against multiple failed login attempts is triggered either. CTU further described that:

CTU analysis indicates that the autologon service is implemented with Azure Active Directory Federation Services (AD FS). Microsoft AD FS documentation recommends disabling internet access to the windowstransport endpoint. However, that access is required for Seamless SSO. Microsoft indicates that the usernamemixed endpoint is only required for legacy Office clients that predate the Office 2013 May 2015 update.

The exploitation is not limited to organizations using Seamless SSO. Threat actors can exploit the autologon usernamemixed endpoint in any Azure AD or Microsoft 365 organization, including organizations that use Pass-through Authentication (PTA). Users without an Azure AD password are not affected.

SecureWorks CTU reported the apparent flaw to Microsoft on June 29 and the company confirmed the existence of this behavior on July 21. However, the Redmond tech giant interestingly stated that this is the intended behavior and not really a flaw. The obvious implication is that the company won't be taking any steps to fix it.

CTU has concluded that there are no known mitigations to block the endpoint if you want to do seamless SSO on AAD. The security team says that multi-factor authentication (MFA) and conditional access (CA) are ineffective because they are applied after successful authentication. We have reached out to Microsoft for further clarification on the matter and will update when the company responds.


Update: In a statement to Neowin, Microsoft has confirmed that the company already has other protections in place to mitigate brute-force attacks. A spokesperson stated that:

We’ve reviewed these claims and determined the technique described does not involve a security vulnerability and protections are in place to help ensure customers remain safe and secure.

Microsoft has also emphasized that the usernamemixed endpoint does not directly give access to data either. Access tokens are further protected by MFA, CA, and AAD Identity Protection and are shown in sign-in logs.

Report a problem with article
Nintendo Switch OLED with joycon
Next Article

Nintendo shoots down the Switch Pro 4K rumor... again

Previous Article

You can get five years of Ivacy VPN for just over a dollar a month

14 Comments - Add comment

Advertisement