Researchers at Secureworks Counter Threat Unit (CTU) have discovered a flaw in the protocol used by the Azure Active Directory Seamless Single Sign-On (SSO) service. The usernamemixed endpoint used in Microsoft's Seamless SSO authentication route, together with other authentication methods such as Pass-Through Authentication (PTA), has been confirmed to allow brute-force attacks (repeated login attempts) without logging them. When authentication fails, the endpoint returns an error message that could further aid an attacker in carrying out an undetected brute-force attack.
The primary issue is that the autologon service's authentication step against Azure AD is not logged, so repeated login attempts leave no trace. Consequently, a brute-force attack that simply tries numerous username and password combinations against the usernamemixed endpoint will likewise go unlogged. There are no known fixes or workarounds at the time of writing: Microsoft has stated that the usernamemixed endpoint is enabled for legacy authentication and that it does not consider this lack of appropriate logging to warrant a patch.