Researchers Discover Critical Microsoft Azure MFA Flaw: What You Need to Know

Researchers discovered a critical flaw in Microsoft’s MFA system that allowed unlimited code attempts.

Published: Dec 13, 2024


Key Takeaways:

  • Researchers discovered a flaw in Microsoft’s multifactor authentication (MFA) system.
  • This vulnerability exposed over 400 million Microsoft 365 accounts to potential hacking.
  • Microsoft implemented stricter rate limits to block repeated failed attempts.

Cybersecurity researchers have warned about a critical flaw in Microsoft’s multifactor authentication system. This vulnerability could allow hackers to infiltrate accounts, compromising sensitive data across Microsoft Teams chats, OneDrive files, Outlook emails, and Azure Cloud.

Researchers at Oasis Security first identified the critical vulnerability in Microsoft’s MFA system. The issue stemmed from the absence of an effective rate limit on MFA code guesses: by opening new sessions, attackers could keep submitting codes without being blocked. With enough attempts, guessing the correct code became likely rather than improbable, posing a significant risk to over 400 million paid Microsoft 365 accounts.

Typically, users enter their email and password and then select a pre-configured MFA method while signing into a Microsoft account. In the scenario highlighted by researchers, users received a verification code through a separate channel, such as a text message or an authenticator app, to complete the process.

“By rapidly creating new sessions and enumerating codes, the Oasis research team demonstrated a very high rate of attempts that would quickly exhaust the total number of options for a 6-digit code (1M). Simply put – one could execute many attempts simultaneously,” explained Tal Hason, an Oasis research engineer.

According to the researchers, repeated failed MFA sign-in attempts on Microsoft accounts did not trigger any notifications for account owners. Consequently, users remained unaware of suspicious activity targeting their accounts. This lack of visibility made the vulnerability and the attack method “dangerously low profile.”

[Image] One of the successful attempts (Image Credit: Oasis Security)

Researchers at Oasis Security reported the issue to Microsoft in June. By October 9, Microsoft had deployed a stricter rate limit that activates after a certain number of failed MFA attempts and, once triggered, blocks further attempts for about half a day.

In addition, the researchers found that a single code remained valid for far longer than the recommended window. RFC 6238, the standard behind time-based one-time codes, uses a 30-second time step, but Microsoft accepted a code for roughly 3 minutes, about 2.5 minutes longer. A longer acceptance window means that several codes are valid at any given moment, so every guess has a correspondingly higher chance of hitting one of them, and an attacker gets six times as long to run through the key space before the code changes. Combined with the missing rate limit, this significantly increased the chances of a successful attack.
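To make the two findings concrete, here is a small model of the weakness, written for this article rather than taken from Oasis Security or Microsoft. It implements RFC 6238 TOTP (HMAC-SHA1, 6 digits), a server-side verifier whose acceptance window and failure-counting scope are configurable, an attacker loop that walks the code space while opening fresh sessions, and the probability of a brute-force hit. The lockout threshold (10 failures), lockout length (12 hours, matching the "about half a day" above), session size and the test secret are assumptions chosen for illustration.

```python
"""Toy model of the MFA code-guessing weakness described in the article.
Added example, not code from Oasis Security or Microsoft. The lockout
threshold, lockout length, attacker session strategy and the secret are
assumptions for illustration only."""
import hashlib
import hmac
import struct
from collections import defaultdict

STEP = 30                 # RFC 6238 time step, in seconds
DIGITS = 6
KEYSPACE = 10 ** DIGITS   # the "1M" possible values of a 6-digit code


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % KEYSPACE:0{DIGITS}d}"


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // STEP)


class Verifier:
    """Server-side code check.
    accept_steps: how many 30 s steps a code stays valid (1 = 30 s, 6 = 3 min).
    scope: where failures are counted. 'session' models the flawed design
    (a fresh session gets a fresh budget); 'account' models the fix."""

    def __init__(self, secret: bytes, accept_steps: int = 1,
                 max_failures: int = 10, lockout: int = 12 * 3600,
                 scope: str = "account"):
        self.secret, self.accept_steps = secret, accept_steps
        self.max_failures, self.lockout, self.scope = max_failures, lockout, scope
        self.failures = defaultdict(int)      # failures per session or per account
        self.locked_until = defaultdict(int)  # rate-limit expiry per session or account

    def verify(self, code: str, now: int, session: str = "s0") -> str:
        key = session if self.scope == "session" else "account"
        if now < self.locked_until[key]:
            return "locked"
        step = now // STEP
        for back in range(self.accept_steps):      # current step and older ones
            if step - back >= 0 and hmac.compare_digest(hotp(self.secret, step - back), code):
                self.failures[key] = 0
                return "ok"
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.locked_until[key] = now + self.lockout   # rate limit kicks in
        return "wrong"


def enumerate_codes(verifier: Verifier, now: int, per_session: int = 10,
                    max_attempts: int = KEYSPACE) -> tuple[bool, int]:
    """Attacker: try 000000, 000001, ... within one validity window, opening a
    new session every `per_session` guesses (assumed attacker behaviour).
    Returns (success, number of attempts made)."""
    for i in range(max_attempts):
        result = verifier.verify(f"{i:0{DIGITS}d}", now, session=f"s{i // per_session}")
        if result == "ok":
            return True, i + 1
        if result == "locked":
            return False, i + 1
    return False, max_attempts


def brute_force_success(attempts: int, valid_codes: int = 1) -> float:
    """Probability that `attempts` distinct guesses hit one of `valid_codes`
    currently accepted codes (hypergeometric, assuming the valid codes are
    distinct). A 3-minute window accepts about 6 codes at once instead of 1."""
    n = min(attempts, KEYSPACE)
    miss = 1.0
    for i in range(valid_codes):
        miss *= (KEYSPACE - n - i) / (KEYSPACE - i)
    return 1.0 - miss


if __name__ == "__main__":
    SECRET = b"12345678901234567890"   # RFC 6238 test-vector secret
    print("code at t=59:", totp(SECRET, 59))
    print("per-session budget:", enumerate_codes(Verifier(SECRET, scope="session"), 59))
    print("per-account budget:", enumerate_codes(Verifier(SECRET, scope="account"), 59))
    print("P(hit) 100k guesses, 30 s window:", brute_force_success(100_000, 1))
    print("P(hit) 100k guesses, 3 min window:", brute_force_success(100_000, 6))
```

With the budget tracked per session, the enumerating attacker simply rotates sessions and reaches the valid code; with the budget tracked per account, the eleventh guess is refused and the account stays locked for the configured half day. The probability helper shows the second effect: accepting six time steps instead of one roughly multiplies the chance of each guess by six.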

What are the best practices for organizations using MFA?

It’s highly recommended that organizations use either authenticator apps or strong passwordless methods to protect employees against such attacks. Users are also advised to change their passwords regularly to reduce the risk of unauthorized access.

Furthermore, organizations using MFA should monitor their sign-in logs for failed MFA attempts and alert users by email when a burst of failures targets their account. This visibility lets users take immediate action, such as changing their password or contacting support, to secure the account.
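One way to build that alerting, as an added example that is not part of the article and not Microsoft tooling: a detector that reads sign-in events, keeps a sliding window of failed MFA challenges per user, and raises an alert once a threshold is crossed. The sample records below are constructed to resemble Entra ID sign-in log fields (userPrincipalName, ipAddress, status.errorCode) rather than taken from a real export; the error code 500121 is Entra ID's "authentication failed during strong authentication request", and the threshold and window are assumptions.

```python
"""Sliding-window detector for bursts of failed MFA challenges.
Added example, not from the article or from Microsoft. The log lines are
constructed samples shaped like Entra ID sign-in records; threshold and
window sizes are assumptions."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Entra ID sign-in error code for a failed strong-authentication (MFA) challenge
MFA_FAILED_CODE = 500121

# Constructed sample data: alice is being hammered, bob has two stray failures
# far apart, carol signs in normally.
SAMPLE_LOG = """
{"createdDateTime": "2024-12-10T08:00:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 500121}}
{"createdDateTime": "2024-12-10T08:00:30Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 500121}}
{"createdDateTime": "2024-12-10T08:01:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 500121}}
{"createdDateTime": "2024-12-10T08:01:30Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 500121}}
{"createdDateTime": "2024-12-10T08:02:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 500121}}
{"createdDateTime": "2024-12-10T08:02:30Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 500121}}
{"createdDateTime": "2024-12-10T09:00:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.5", "status": {"errorCode": 500121}}
{"createdDateTime": "2024-12-10T09:30:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.5", "status": {"errorCode": 500121}}
{"createdDateTime": "2024-12-10T09:05:00Z", "userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.9", "status": {"errorCode": 0}}
""".strip().splitlines()


def parse(line: str) -> tuple[datetime, str, str, int]:
    """Pull (timestamp, user, source IP, error code) out of one JSON record."""
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
    return ts, rec["userPrincipalName"], rec["ipAddress"], rec["status"]["errorCode"]


def detect_mfa_bursts(lines, threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Return one alert per user whose failed MFA challenges within `window`
    reach `threshold`. Events are sorted by time so out-of-order input is fine."""
    events = sorted(parse(line) for line in lines)
    recent = defaultdict(deque)   # user -> (timestamp, ip) of failures still in window
    alerted = set()
    alerts = []
    for ts, user, ip, code in events:
        if code != MFA_FAILED_CODE:
            continue
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "failures": len(q),
                "ips": sorted({src for _, src in q}),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


def notification(alert: dict) -> str:
    """Text of the email the user would receive (assumed wording)."""
    return (f"{alert['failures']} failed MFA attempts on {alert['user']} between "
            f"{alert['first']} and {alert['last']} from {', '.join(alert['ips'])}. "
            "If this was not you, change your password and contact support.")


if __name__ == "__main__":
    for a in detect_mfa_bursts(SAMPLE_LOG):
        print(notification(a))
```

The detector alerts once per burst rather than on every additional failure, which keeps a sustained enumeration from flooding the user's inbox; in a production pipeline the same logic would run over a streaming export of sign-in events rather than an in-memory list.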
