A new attack vector affecting Microsoft’s Bing.com has been identified by Wiz Research, which involves a widespread misconfiguration of Azure Active Directory (AAD). AAD is a cloud-based identity and access management (IAM) service that is Microsoft’s standard authentication method for Azure App Services and Azure Functions applications. Misconfigured apps are vulnerable to intrusion from a variety of sources, including malicious actors, who can exploit weaknesses to tamper with search terms and launch misinformation campaigns. Microsoft has quickly patched its susceptible apps and made changes to the way several AAD features work to reduce customer exposure, according to Wiz Research.
