Critical vulnerability in Microsoft Azure’s MFA exposes 400 million accounts
Researchers identified a critical vulnerability in Microsoft Azure’s multifactor authentication (MFA) system, allowing unauthorized access to user accounts in under an hour. This flaw, discovered by Oasis Security, exposed more than 400 million Microsoft 365 accounts to potential account takeovers, with risks extending to Outlook, OneDrive, Teams, and Azure Cloud services. The vulnerability arose from a lack of rate limiting on failed MFA attempts, enabling attackers to exploit the system without alerting users.
The identified bypass method, dubbed “AuthQuake,” allowed researchers to rapidly create new sessions while enumerating codes. Tal Hason, a research engineer at Oasis, explained that the technique involved executing numerous sign-in attempts simultaneously, quickly exhausting options for a 6-digit code. The attack remained discreet, as account owners received no notifications about the suspicious activities.
The flaw permitted attackers to keep guessing codes for much longer than the expiration period recommended by the Internet Engineering Task Force’s RFC 6238. Time-based one-time passwords (TOTP) are typically expected to expire after 30 seconds, but Oasis’s analysis indicated that Microsoft’s codes remained valid for approximately three minutes. The longer validity window gave attackers many more guesses per code, amounting to roughly a 3% chance of guessing the code within the extended timeframe.
On July 4, 2024, Oasis informed Microsoft of the vulnerability, and although the company acknowledged it in June, a permanent fix was not implemented until October 9, 2024. The resolution included stricter rate limits that trigger after a specified number of failed attempts. Organizations are encouraged to strengthen security by using authenticator apps or passwordless methods, which provide greater protection against such attacks.
The incident underscores the need for organizations relying on MFA to adopt best practices. Experts recommend alerting on failed authentication attempts so that organizations can detect malicious activity early. Regular reviews of security settings are vital to identifying ongoing vulnerabilities.
Additionally, security specialists emphasize the importance of consistent password changes as part of robust account hygiene. The attack’s stealthiness illustrates how MFA, once compromised, can turn from a significant security measure into an attack vector. Consequently, experts advocate a shift toward passwordless authentication solutions, particularly for new deployments.
Various organizations involved in cybersecurity continue to learn from this incident, noting that even widely accepted security practices are vulnerable under certain circumstances. As investigations into the incident progress, the importance of ongoing vigilance in MFA implementation remains clear.
Featured image credit: Ed Hardie/Unsplash