[juggertao]

They mention it was a password spray guess.

[paxys]

My point is that if one can guess the password on a random test box and through that gain access to critical internal systems, you have lost the right to call your system "not vulnerable".

[deelowe]

I'm guessing they don't know what a password spray is?

[tommica]

What is it? Just spam a form with passwords?

[tgv]

Well, your "legacy non production test tenant" can be opened by just guessing passwords, and it allows access to "very much in use production non-test" tenants, then you could say MS has a vulnerability. It may not be a buffer overflow, but it is a vulnerability nonetheless.

[booi]

Yes, and I think most people would consider it a vulnerability if an authentication system doesn't rate-limit or otherwise slow/stop "password spray" attacks.

[oezi]

You can rate limit individual users but password spray attacks use a large number of accounts to remain undetected in a authentication system used by an even more users.

[Jedd]

{rolls eyes}

This is precisely the kind of 1990's level basic heuristic that this company cites as part of their Sentinel security system.

Trying to excuse a breach by 'the attacker tried a few passwords against lots of different accounts' is not compelling.

[mattigames]

We are getting 10000x times the number of wrong passwords than average, I'm sure it's nothing to worry about.