
Picture for a moment a scenario where you have as many attempts as you want to get a username and password right without getting caught. That is the kind of scenario threat actors look for, leaving admins with little to no visibility into the actions, let alone a way to stop them.

A newly discovered bug in the Microsoft Azure Active Directory implementation turns that scenario into reality. It means attackers can run single-factor brute-force attempts to break a user’s Azure AD credentials.

These username and password attempts aren’t logged on the server, making the attacker’s actions invisible to the organization.

What Secureworks found

In June this year, researchers at the Secureworks Counter Threat Unit (CTU) found a flaw in the protocol behind the Azure Active Directory Seamless Single Sign-On service.

The researchers explain that the flaw allows threat actors to initiate single-factor brute-force attacks against Azure AD without generating events (logs) in the target organization’s systems. In the same month, Secureworks reported the flaw to Microsoft, which confirmed that the behavior existed, adding that it was ‘by design.’

This month, Secureworks is alerting its customers to the flaw. The Azure AD Seamless SSO service automatically signs users in on their corporate devices when those devices are connected to the organization’s network.

Who the flaw affects

When Seamless SSO is on, users will not have to type their passwords or even usernames to sign in to Azure AD. Microsoft explains that this feature gives users easy access to their cloud-based apps without needing additional on-premises components.

Like many Windows services, the Seamless SSO service relies on a protocol called Kerberos for authentication.

It’s not just organizations using Seamless SSO that face the flaw. Any Azure AD or Microsoft 365 organization, including those using Pass-through Authentication, is affected. Only organizations that don’t use Azure AD at all are unaffected.