[tgv]

Well, your "legacy non production test tenant" can be opened by just guessing passwords, and it allows access to "very much in use production non-test" tenants, then you could say MS has a vulnerability. It may not be a buffer overflow, but it is a vulnerability nonetheless.

[booi]

Yes, and I think most people would consider it a vulnerability if an authentication system doesn't rate-limit or otherwise slow/stop "password spray" attacks.

[oezi]

You can rate limit individual users but password spray attacks use a large number of accounts to remain undetected in a authentication system used by an even more users.

[Jedd]

{rolls eyes}

This is precisely the kind of 1990's level basic heuristic that this company cites as part of their Sentinel security system.

Trying to excuse a breach by 'the attacker tried a few passwords against lots of different accounts' is not compelling.

[mattigames]

We are getting 10000x times the number of wrong passwords than average, I'm sure it's nothing to worry about.

[Towaway69]

It was a legacy test system connected to a production system so it doesn't count. Obviously. /s