A severe vulnerability in the way Microsoft Office 365 handles federated identities via SAML put an attacker in position to have access to any account and data, including email messages and files stored in the cloud-based service. Microsoft pushed through a mitigation to the service on Jan. 5, seven hours after being notified by researchers Yiannis Kakavas and Klemen Bratec. The flaw allowed for a cross-domain authentication bypass affecting all federated domains, the researchers wrote.
Source: https://threatpost.com/office-365-vulnerability-exposed-any-federated-account/117716/