On November 2nd, researchers from Black Hills Information Security disclosed a technique for bypassing multi-factor authentication on Outlook Web Access. To be clear, this is not a vulnerability or defect in Duo’s service, but rather, it is a defect in Microsoft Exchange Web Services. Customers using Duo’s OWA integration should be sure to follow recommendations here and here to ensure they are not using an unsafe configuration of OWA.
Read more in this blog post from Duo Labs’ Mike Hanley.
