Forum Discussion
eloopj
Jan 24, 2020
Copper Contributor
Security concern regarding bypassing MFA when EWS is enabled.
Hi everyone,
Our customer (using Exchange Server 2013 Standard in hybrid) has requested a support ticket regarding concerns over bypassing MFA and scraping mail. Details are in the links below.
- https://practical365.com/exchange-server/exchange-web-services-bypass-multi-factor-authentication/
- https://www.blackhillsinfosec.com/bypassing-two-factor-authentication-on-owa-portals/
They have disabled EWS; however, this causes issues with Skype and is not an option.
They would like to know officially if this bug is going to be patched/fixed?
Has Microsoft officially recognised this as an issue or is it of no real concern?