The major vulnerability was discovered by a pair of security researchers, Ioannis Kakavas and Klemen Bratec, who reported it to Redmond on January 5. Microsoft fixed the problem the very same day, which is indeed impressive, but then a swift response was required given the gravity of the issue – and the organisations which were affected.
Redmond sealed up the vulnerability inside seven hours, and "handled the disclosure process admirably" according to Kakavas.
The hole was in the SAML (Security Assertion Markup Language) authentication system and could allow an attacker exploiting it to access a victim's Office 365 account and everything tied into it, such as email and OneDrive.
Initially the pair believed that this issue only affected Office 365 accounts using SAML 2.0 for cross-domain web single sign-on, which was a very limited number of users, but with further probing the researchers found they could crack into the account of any user whose domain had been configured as federated (except those with multi-factor authentication enabled).
And those vulnerable Office 365 accounts included BT, Vodafone, British Airways, Intel, IBM, Cisco and the Daily Mail to name a few.
The researchers have only just been given clearance to publish details of the affair, and the pair received a bug bounty reward which was reportedly close to the maximum Microsoft gives out ($15,000 – which is around £10,300, or AU$19,700).
Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).