Researchers discovered a critical flaw in Microsoft’s MFA system that allowed unlimited code attempts.
Published: Dec 13, 2024
Key Takeaways:
Cybersecurity researchers have warned about a critical flaw in Microsoft’s multifactor authentication system. This vulnerability could allow hackers to infiltrate accounts, compromising sensitive data across Microsoft Teams chats, OneDrive files, Outlook emails, and Azure Cloud.
Researchers at Oasis Security first identified the critical vulnerability in Microsoft’s MFA system. The issue stemmed from a lack of rate limits, allowing attackers to make unlimited sign-in attempts without being blocked. This gave hackers a higher chance of guessing the correct code and posed a significant risk to over 400 million paid Microsoft 365 accounts.
Typically, users enter their email and password and then select a pre-configured MFA method while signing into a Microsoft account. In the scenario highlighted by researchers, users received a verification code through a separate channel, such as a text message or an authenticator app, to complete the process.
“By rapidly creating new sessions and enumerating codes, the Oasis research team demonstrated a very high rate of attempts that would quickly exhaust the total number of options for a 6-digit code (1M). Simply put – one could execute many attempts simultaneously,” explained Tal Hason, an Oasis research engineer.
According to the researchers, repeated failed MFA sign-in attempts on Microsoft accounts did not trigger any notifications for account owners. Consequently, users remained unaware of suspicious activity targeting their accounts. This lack of visibility made the vulnerability and the attack method “dangerously low profile.”
Researchers at Oasis Security informed Microsoft about the issue back in June. By October 9, the company had implemented a stricter rate limit that triggers after a certain number of failed sign-in attempts. This strict limit lasts for about half a day.
In addition, the security researchers found a second issue: the window for guessing a single code was 2.5 minutes longer than the recommended duration. Instead of the recommended 30 seconds, attackers had 3 minutes to guess the correct code, which significantly increased the chances of a successful attack.
It’s highly recommended that organizations use either authenticator apps or strong password-less methods to protect employees against malicious attacks. Users are also advised to regularly change their passwords to reduce the risk of unauthorized access.
Furthermore, organizations using MFA should implement a system that sends email alerts to users whenever there are failed MFA attempts on their accounts. This capability enables users to take immediate action like changing their password or contacting support to secure their account.
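The two weaknesses described above (attempts counted per session rather than per account, and no alert to the account owner) can be closed in the code-verification step itself. The following verifier is an added illustration, not code from Oasis Security or Microsoft; the attempt budget, lockout length and code lifetime are assumed policy values chosen to mirror the article's figures.

```python
import hmac
import time
from collections import defaultdict

# Illustrative policy values (assumptions, not Microsoft's actual settings).
MAX_FAILURES = 10             # failed attempts per account before lockout
LOCKOUT_SECONDS = 12 * 3600   # roughly the "half a day" lockout the article describes
CODE_LIFETIME_SECONDS = 30    # recommended validity window for a one-time code


class MfaVerifier:
    """Verifies one-time codes with an account-scoped attempt budget.

    Failures are counted per account, not per session, so opening many new
    sessions does not reset the budget. Every failed attempt is reported
    through the alert callback so the account owner is not left unaware.
    """

    def __init__(self, alert, clock=time.time):
        self.alert = alert            # callable(account, session_id, failure_count)
        self.clock = clock            # injectable for testing
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.codes = {}               # account -> (code, issued_at)

    def issue_code(self, account, code):
        self.codes[account] = (code, self.clock())

    def verify(self, account, session_id, attempt):
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"           # refuse regardless of session id
        issued = self.codes.get(account)
        if issued is None or now - issued[1] > CODE_LIFETIME_SECONDS:
            return "expired"          # a stale code is never compared
        if hmac.compare_digest(issued[0], attempt):
            self.failures.pop(account, None)
            del self.codes[account]   # codes are single-use
            return "ok"
        self.failures[account] += 1
        self.alert(account, session_id, self.failures[account])
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures.pop(account, None)
            return "locked"
        return "wrong"
```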