Azure AD brute pressure bug PoC exploit revealed – this is what to do


A public proof-of-concept (PoC) exploit has been released for the Microsoft Azure Active Directory credentials brute forcing bug that was discovered by Secureworks and first reported by Ars. The exploit allows anyone to perform both username enumeration and brute force password enforcement on vulnerable Azure servers. Although Microsoft initially referred to the Autologon mechanism as a “design” option, it now appears that the company is working on a solution.

PoC script published on GitHub

Yesterday, a PoC exploit for “Password Spraying” for the brute forcing error of Azure Active Directory was published on GitHub. The PowerShell script, with just over 100 lines of code, is heavily based on earlier work by Dr. Nestori Syynimaa, Senior Principal Security Researcher at Secureworks.

POC just popped up for the SSO spray

– rvrsh3ll (@ 424f424f) September 29, 2021

According to the Counter Threat Unit (CTU) from Secureworks, it is quite easy to exploit the error, for example by brute-forcing users’ passwords, as the PoC shows. However, organizations that use conditional access policies and multi-factor authentication (MFA) can benefit from blocking access to services through username / password authentication. “So even if the threat actor is able to [a] Password of the user, possibly not [able to] to access the organization’s data, “Syynimaa told Ars in an email interview.

What can organizations do to protect themselves?

Although the Azure AD brute forcing issue was released this week after the Secureworks disclosure, it appears to have been previously known by some researchers, including researcher Dirk-jan:

Interestingly, I reported this exact problem to @msftsecresponse in December 2020. It’s kind of weird that other people get a different verdict on the same subject.

– Dirk-jan (@_dirkjan) September 28, 2021

Microsoft informed Ars that the technology demonstrated by Secureworks does not represent a security breach and that measures have already been taken to protect Azure users:


“We have verified these claims and determined that the described technology does not contain a security breach and safeguards are in place to ensure that customers remain safe,” a Microsoft spokesman told Ars. After reading the first article by Secureworks, Microsoft came to the conclusion that the endpoints described are already protected from brute force attacks, which protects users from such attacks.

In addition, according to Microsoft, tokens issued by the WS-Trust endpoint with user names do not provide access to data and must be returned to Azure AD in order to obtain the actual tokens. “All such requests for access tokens are then protected by Conditional Access, Azure AD Multi-Factor Authentication, Azure AD Identity Protection and appear in log-in logs,” Microsoft concluded in its statement to Ars.

However, Secureworks also shared additional insights it received from Microsoft following the release of its analysis this week that suggests Microsoft is working on a solution.

“First, the login event is recorded in the Azure AD login logs. Second, companies are given the option to enable or disable the endpoint in question. These should be available to businesses in the next few weeks, ”Syynimaa said Ars.

Security solutions architect Nathan McNulty previously reported that successful login events show up in login logs:

Amazing work from the Azure Identity team!

You have already added success monitoring logging for the WS-Trust MEX endpoint to the non-interactive login logs (no errors yet).

Get-AzureADAuditSignInLogs doesn’t seem to indicate it’s showing in the Graph API (good news for SIEMs) 🙂

– Nathan McNulty (@NathanMcNulty) September 29, 2021

Azure AD also has a “Smart Lockout” feature that automatically locks target accounts for a period of time if too many login attempts are detected.

“When blocked, the error message is always ‘blocked’, it doesn’t matter [of the password being correct or not]. As such, the function seems to effectively block brute force processes, ”Syynimaa shared with Ars.

Syynimaa advises companies looking for a workaround against this attack to adjust the number of failed authentications before enabling Smart Lockout and locking accounts. “If you set the value to a low value (like 3), you can also prevent passwords from being sprayed, but you can also lock accounts too easily during normal day-to-day use.” Adjusting the blocking time is another option.