IT Security

A public proof-of-concept (PoC) exploit has been published on the software development website GitHub which confirms there is a flaw in Azure AD that allows brute-force attacks. This means attackers can make repeated attempts at guessing a username and password until a set of credentials is accepted. Microsoft initially said this behaviour was deliberate, but has since seemingly backtracked.

What is the vulnerability?

Firstly, a PoC (proof-of-concept) in this case simply refers to a demonstration that a particular flaw can actually be exploited.

The specific flaw exists in Microsoft Azure Active Directory (a cloud-based version of Active Directory that is used to manage domain users and computers) and reveals the possibility of carrying out brute-force attacks until a user’s credentials are guessed correctly. As Azure is cloud-based, once credentials have been guessed, attackers could then access accounts and wreak havoc from there (including theft and deletion of data).

Secureworks' Counter Threat Unit (CTU) research team has confirmed that this particular flaw is quite easy to exploit. However, companies that have either multi-factor authentication or Conditional Access enabled may prevent this flaw from being exploited, because of the additional layer of security each technique adds.

Should I be concerned?

This flaw has reportedly been known about for a while, but has only come to light since Secureworks publicised it, so thousands of companies could potentially have been vulnerable to brute-force attacks without knowing it.

Microsoft originally said that the technique demonstrated does not pose a security risk as there are measures in place to ensure Azure users are protected.

“We've reviewed these claims and determined the technique described does not involve a security vulnerability and protections are in place to help ensure customers remain safe and secure,” a Microsoft representative said.

What should you do as a business?

Following Microsoft’s attempt to reassure the public that the potential exploit is nothing to be concerned about, Secureworks then shared further information it had gathered, which indicated that Microsoft is working on a solution to this flaw to close the security loophole. This is likely to take the form of organisations being given the option to enable or disable the endpoint, and of attempts against it appearing in the logs as attempted sign-ins.

There is also an Azure AD feature, enabled by default, called ‘Smart Lockout’ that locks any account that has been subject to multiple failed log-in attempts, so this could also prevent attackers from brute-forcing user credentials.
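To make the two defensive mechanisms discussed above concrete, here is an added example (not code from this article, Secureworks or Microsoft) in Python. It builds a small, constructed set of sign-in events, runs a sliding-window detection that flags a user once too many failed sign-ins land inside a time window, and then replays the same events through a toy lockout policy to show that a correct password submitted during the lockout period is still rejected. It assumes the failed attempts are actually recorded in the sign-in log, and the threshold and lockout duration (10 failures, 60 seconds) are illustrative values chosen for the example, not a statement of Azure AD’s real Smart Lockout settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class SignIn(NamedTuple):
    """One sign-in attempt as a SOC would see it in a sign-in log."""
    time: datetime
    user: str
    source_ip: str
    succeeded: bool


def build_sample_events() -> List[SignIn]:
    """Constructed sample data, not real Azure AD records.

    alice: 12 rapid failures from one IP, then a successful attempt.
    bob:   two mistyped passwords followed by a success (benign noise).
    """
    base = datetime(2021, 9, 30, 8, 0, 0)
    events = []
    for i in range(12):
        events.append(SignIn(base + timedelta(seconds=10 * i),
                             "alice@example.test", "203.0.113.5", False))
    events.append(SignIn(base + timedelta(seconds=130),
                         "alice@example.test", "203.0.113.5", True))
    for secs, ok in ((65, False), (85, False), (105, True)):
        events.append(SignIn(base + timedelta(seconds=secs),
                             "bob@example.test", "198.51.100.7", ok))
    return sorted(events, key=lambda e: e.time)


def detect_bruteforce(events: List[SignIn], threshold: int = 10,
                      window: timedelta = timedelta(minutes=5)) -> Dict[str, datetime]:
    """Detection rule: flag a user the first time `threshold` or more failed
    sign-ins fall inside any `window`-long interval. Returns {user: time flagged}.
    A per-user deque keeps only the failures still inside the window."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for e in sorted(events, key=lambda e: e.time):
        if e.succeeded:
            continue
        q = recent[e.user]
        q.append(e.time)
        while q and e.time - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e.user not in flagged:
            flagged[e.user] = e.time
    return flagged


class SmartLockoutPolicy:
    """Toy model of an account-lockout policy (assumed parameters): after
    `threshold` consecutive failures the account is locked for `duration`,
    and every attempt during that time is refused, right password or not."""

    def __init__(self, threshold: int = 10, duration: timedelta = timedelta(seconds=60)):
        self.threshold = threshold
        self.duration = duration
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, datetime] = {}

    def attempt(self, e: SignIn) -> str:
        """Return 'locked', 'accepted' or 'rejected' for one attempt."""
        until = self.locked_until.get(e.user)
        if until is not None and e.time < until:
            return "locked"
        if e.succeeded:
            self.failures[e.user] = 0  # a good sign-in clears the counter
            return "accepted"
        self.failures[e.user] += 1
        if self.failures[e.user] >= self.threshold:
            self.locked_until[e.user] = e.time + self.duration
            self.failures[e.user] = 0
        return "rejected"


def lockout_outcomes(events: List[SignIn]) -> Dict[str, List[str]]:
    """Replay events through the policy; return per-user outcome sequences."""
    policy = SmartLockoutPolicy()
    outcomes: Dict[str, List[str]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.time):
        outcomes[e.user].append(policy.attempt(e))
    return dict(outcomes)


if __name__ == "__main__":
    events = build_sample_events()
    for user, when in detect_bruteforce(events).items():
        print(f"ALERT {user} reached the failure threshold at {when:%H:%M:%S}")
    for user, seq in lockout_outcomes(events).items():
        print(user, " ".join(seq))
```

Run as-is, the detection flags alice at the tenth failure (08:01:30) and stays silent on bob, while the lockout replay shows alice’s eleventh and twelfth guesses and her later correct password all returning "locked". The design point is that the two controls are complementary: the detection rule only works if the endpoint being attacked writes failures to the log, and the lockout only works if the endpoint enforces it, which is exactly why the logging and enable/disable changes described above matter.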

In addition to this, your organisation should follow general security best practices and consider implementing techniques such as Conditional Access, Azure AD Multi-Factor Authentication, and Azure AD Identity Protection.


Microsoft has certainly not covered itself in glory with this oversight; the fact that it was aware of the PoC exploit but did not think it worth investigating or tightening up is concerning.

However, this is another example that highlights the importance of making sure your company has the recommended security protocols and techniques configured to prevent potential cyber-attacks.

If you would like further advice or information on how best to protect your business, don’t hesitate to contact us.