Microsoft Azure MFA Flaw Allowed Easy Access Bypass
A vulnerability in Microsoft’s Multi-Factor Authentication (MFA) system has left millions of accounts susceptible to unauthorized access.
Exploited successfully, the flaw could allow attackers to bypass the second authentication layer and access services like Outlook, OneDrive, Teams and Azure Cloud. With more than 400 million Office 365 paid accounts globally, the potential impact is significant.
The bypass, requiring minimal time and effort, could be executed in just an hour. It involved no user interaction and failed to alert account holders. After its discovery by the Oasis Security Research team, the issue was reported to Microsoft, leading to collaborative efforts to address the security lapse.
Technical Details of the Flaw
The vulnerability centered on weaknesses in the time-based one-time password (TOTP) system used in MFA. Microsoft’s implementation would allow attackers to repeatedly guess six-digit codes due to insufficient rate-limiting mechanisms. Codes remained valid for an extended window of three minutes – far longer than the standard 30 seconds – dramatically increasing the probability of a successful attack.
By rapidly initiating multiple sessions and running brute-force attempts, attackers could achieve a success rate exceeding 50% within 70 minutes. Notably, the attack method operated discreetly, leaving users unaware of the ongoing breach.
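The two weaknesses described above, a wide validity window and no effective rate limit, are easiest to see in code. The following Python example is added here and is not code from Oasis Security, Microsoft or this article: it implements standard RFC 6238 TOTP generation and verification, adds a per-account failure budget, and computes how the attacker's odds scale with the number of attempts and the number of codes the server accepts at once. The lockout thresholds, the mapping of "three minutes" onto about seven accepted codes, and the RFC 6238 test-vector secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

DIGITS = 6          # six-digit codes, as in the article
STEP_SECONDS = 30   # the standard TOTP time step
RFC6238_TEST_SECRET = b"12345678901234567890"   # RFC 6238 test-vector secret, not a real key


def totp_at(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP / RFC 6238 TOTP code for one time-step counter (HMAC-SHA1)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def valid_codes(secret: bytes, now: float, tolerance_steps: int) -> set:
    """Every code the server accepts at `now`, allowing +/- tolerance_steps of clock skew.
    A three-minute window corresponds to roughly tolerance_steps=3 (7 accepted codes)."""
    counter = int(now // STEP_SECONDS)
    return {totp_at(secret, counter + d) for d in range(-tolerance_steps, tolerance_steps + 1)}


def guess_success_probability(attempts: int, simultaneously_valid: int, digits: int = DIGITS) -> float:
    """Chance that `attempts` uniformly random guesses hit one of the
    `simultaneously_valid` accepted codes out of 10**digits possibilities.
    Each extra accepted code multiplies the per-guess odds, which is why the
    validity window matters as much as the rate limit."""
    per_guess = simultaneously_valid / 10 ** digits
    return 1.0 - (1.0 - per_guess) ** attempts


class TotpVerifier:
    """Verifier with a narrow skew window and a per-account failure budget.

    Failures are counted per account, not per session or source address,
    because the attack described above spread its guesses over many sessions."""

    def __init__(self, tolerance_steps: int = 1, max_failures: int = 5, lockout_seconds: int = 300):
        self.tolerance_steps = tolerance_steps
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(list)  # account -> timestamps of recent failures

    def verify(self, account: str, secret: bytes, code: str, now: float) -> str:
        recent = [t for t in self._failures[account] if now - t < self.lockout_seconds]
        self._failures[account] = recent
        # Check the budget before comparing the code, so a locked account gives no oracle.
        if len(recent) >= self.max_failures:
            return "locked"
        accepted = valid_codes(secret, now, self.tolerance_steps)
        if any(hmac.compare_digest(code, c) for c in accepted):
            self._failures[account] = []
            return "ok"
        recent.append(now)
        return "rejected"


if __name__ == "__main__":
    print(totp_at(RFC6238_TEST_SECRET, 1))            # 287082, the RFC 6238 SHA-1 vector at T=59
    print(guess_success_probability(693_147, 1))      # about 0.5 with a single accepted code
    print(guess_success_probability(693_147, 7))      # far higher when seven codes are accepted
    v = TotpVerifier(tolerance_steps=0, max_failures=3)
    for guess in ("000000", "111111", "222222", "287082"):
        print(guess, v.verify("alice", RFC6238_TEST_SECRET, guess, 59))  # the last is "locked"
```

With one accepted code an attacker needs on the order of 700,000 guesses for even odds; with seven codes accepted at once the same number of guesses is almost certain to succeed, and with a per-account budget of a handful of failures neither figure is reachable. The budget must be keyed on the account, since per-session or per-IP counters are exactly what parallel sessions circumvent.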
“When MFA is compromised, it quickly switches from a security tool to a significant attack vector,” explained James Scobey, CISO at Keeper Security.
“By gaining access to accounts of the 400 million paid users of Office 365, bad actors would be able to stealthily perform reconnaissance to find the most valuable systems and data. Additional hidden ways in, such as reverse shells, could be added for root access, which would bypass future authentication.”
Microsoft acted promptly following Oasis’ disclosure of the vulnerability. A temporary fix was deployed on July 4 2024, and a permanent solution, which included stricter rate limits, was implemented by October 9 2024.
Lessons for Organizations Using MFA
While the specific flaw has been addressed, the incident highlights the need for vigilance. Security experts recommend:
- Using MFA wherever possible as it remains a critical defense layer
- Setting up alerts for failed second-factor authentication attempts to detect suspicious activity
- Regularly reviewing and updating security configurations to identify and resolve vulnerabilities
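The second recommendation, alerting on failed second-factor attempts, can be implemented as a simple sliding-window count over authentication logs. The Python example below is added here and is not code from the article or from any vendor named in it; the log line format, the sample entries (documentation-range addresses only) and the threshold of five failures within three minutes are all constructed for illustration. It aggregates failures per user across all sessions and source addresses, because an attack that spreads guesses over many sessions would stay under any per-session threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format, assumed for this example: "<ISO8601 UTC> user=<name> result=<MFA_OK|MFA_FAIL> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")

# Constructed sample log: alice receives a burst of second-factor failures from several addresses.
SAMPLE_LOG = [
    "2024-07-01T10:00:01Z user=alice result=MFA_FAIL src=203.0.113.5",
    "2024-07-01T10:00:09Z user=alice result=MFA_FAIL src=203.0.113.5",
    "2024-07-01T10:00:15Z user=bob result=MFA_FAIL src=198.51.100.7",
    "2024-07-01T10:00:22Z user=alice result=MFA_FAIL src=203.0.113.6",
    "2024-07-01T10:00:30Z user=alice result=MFA_FAIL src=203.0.113.6",
    "2024-07-01T10:00:41Z user=carol result=MFA_OK src=192.0.2.10",
    "2024-07-01T10:00:48Z user=alice result=MFA_FAIL src=203.0.113.7",
    "2024-07-01T10:01:02Z user=alice result=MFA_FAIL src=203.0.113.7",
]


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything the pattern does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "result": m["result"], "src": m["src"]}


def detect_mfa_failure_bursts(lines, threshold: int = 5, window: timedelta = timedelta(minutes=3)):
    """Emit one alert per user whose MFA failures within `window` reach `threshold`.

    Failures are keyed on the user, not on session or source address, so
    guesses spread across many parallel sessions are still counted together."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, src) for failures inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "MFA_FAIL":
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["src"]))
        while q and ev["ts"] - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "failures": len(q),
                "distinct_sources": len({src for _, src in q}),
                "first": q[0][0].isoformat(),
                "last": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_failure_bursts(SAMPLE_LOG):
        print(alert)   # one alert for alice: 5 failures from 3 distinct sources
```

In a real deployment the same logic would run against the identity provider's sign-in logs, and the distinct-source count is a useful severity signal: a legitimate user mistyping a code produces failures from one address, whereas the pattern described in this article produces them from many.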
“While MFA is better than the use of credentials alone, it should be considered an organization’s minimum acceptable practice, not a state-of-the-art security measure,” explained Mimoto CEO, Kris Bondi. “Even when MFA is operating as expected, it’s validating an endpoint at a specific point in time, not confirming it’s the correct person.”
Jason Soroko, senior fellow at Sectigo, echoed Bondi’s point, adding that authentication systems based on shared secrets are inherently vulnerable.
“Organizations must act to adopt patches and reconsider their reliance on outdated MFA solutions,” Soroko said. “We must strive toward passwordless authentication solutions, especially for net new implementations.”
Image credit: Mamun_Sheikh / Shutterstock.com