On every third invalid attempt, the application sends a new code to the email address associated with the account. An attacker can misuse this behaviour to mount an email spam attack against the account owner.
Prerequisites: 2FA must be enabled for the account.
1) Go to https://rdiffweb-dev.ikus-soft.com/login/ and log in with valid credentials.
2) You will now be prompted for the MFA code.
3) Brute-force this code; it is an 8-digit code (~100 million combinations). Every third incorrect attempt triggers a new code to be emailed to the address on the account, which results in an email spam attack.