CISA Emergency Directive: Nation-State Compromise of Microsoft Corporate Email (cisa.gov)
34 points by layer8 on April 12, 2024 | hide | past | favorite | 10 comments



Microsoft don't require TOTP for access to their corporate e-mail accounts and systems, or do they have an unpatched vulnerability where the requirement for TOTP can be bypassed?


When I was last there (almost a decade ago!) they sure did.

Microsoft has been under attack by state actors for decades now, their security teams work hard to keep things together but even a company like Microsoft will fail when literally every large country is attacking them 24/7, including going so far as to get spies hired into the company.

Microsoft was historically very locked down internally; unlike Google, where all source code was visible to everyone, Microsoft had (may have changed, not sure) product code bases cordoned off.

As for bypassing TOTP, does TOTP provide any security if running on a cell phone and the cell phone is rootkitted?


This is really not true. Google's security posture is much more modern.

Microsoft had its signing key taken by the Chinese. That simply shouldn't be possible. They have repeatedly had breaches and in some cases comically bad holes in Azure / email products / internal corporate products, etc.


A rooted phone would be enough to gain access without needing to brute-force guess passwords. The rooted phone could just force a prompt for the user to supply their password again for an application such as Teams, and this password could then be captured, as well as the key used to derive new TOTP values.

Hence there is seemingly some other weakness allowing login to a corporate Microsoft e-mail account. For example, a method to enrol a second/additional TOTP generator by only knowing an account password and not needing to supply an existing TOTP code. Or a "lost my phone that generates TOTP codes" recovery process. Or for example, a Kerberos ticket accepted by Exchange can be obtained using a method that only needs a valid password and not a TOTP code?


> Hence there is seemingly some other weakness allowing login to a corporate Microsoft e-mail account.

Why the hence? Why not just root some MS employee's not-fully-patched Android phone while they cross a border?

Or just bribe an intern.


As they said: passwords are obsolete. It seems they were right. /s


Related:

Microsoft says Russian hackers breached its systems, accessed source code

https://news.ycombinator.com/item?id=39641953

Microsoft actions following attack by nation state actor Midnight Blizzard

https://news.ycombinator.com/item?id=39061800


Again I’ll ask, why does the US allow backbone providers to maintain connections to China and Russia. It would appear the cons greatly outweigh the pros.


If you are not directly connected to China, but are to Europe, and Europe is connected to China, well... ever heard about routing?

Can your traffic reach locations you are not physically connected to?


Nation states will still launch cyberattacks even when you're not directly connected to the locations where they physically reside.

