Hi @Adrian Crisan,
Thanks for reaching out.
I understand your concern here.
However, there is no real security risk here, but there is a reputation risk involved for a company that implements Azure AD B2C and a financial risk for those that have implemented a third-party email service and opt for SMS MFA.
Currently, there is no way to fix this; however, one way to mitigate this risk is to implement a Web Application Firewall (WAF; see, e.g., "Tutorial to configure Azure Active Directory B2C with Azure Web Application Firewall - Azure AD B2C | Microsoft Learn"), which is also only possible in combination with a custom domain. The core idea of the approach is that the Web Application Firewall will have various rules kicking out malicious actors.
I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.
Thank you for your time and patience throughout this issue.
Thanks,
Shweta