Researchers identified a critical vulnerability in Microsoft's MFA implementation that allowed attackers to bypass MFA and gain unauthorized access to sensitive user data, including emails, files, and cloud resources.
The attack was straightforward and silent, requiring minimal effort and leaving no trace. The researchers promptly reported the vulnerability to Microsoft, who worked diligently to address the issue.
The system assigns a session identifier to each user upon login. After successful email and password authentication, users are required to complete multi-factor authentication (MFA) using a verification code from an authenticator application.
This MFA step is mandatory to complete the authentication process. To prevent brute-force attacks, the system limits the number of consecutive failed login attempts to 10 per session.
Because the limit applied per session and there was no rate limiting across sessions, the researchers were able to quickly create multiple sessions and enumerate six-digit codes at a high rate.
This bypassed the account's security measures: the account owner received no alerts about the numerous failed attempts, which makes this low-profile attack technique a significant security risk.
An attacker has a 3-minute window to guess a TOTP code, 2.5 minutes longer than the standard 30-second timeframe, because validators tolerate clock differences and delays between the authenticator and the server.
While the chance of guessing a single code within this window is low (3%), an attacker can keep attempting new codes until a successful guess is made, as there is no limit on the total number of attempts.
Oasis Security Research was able to successfully brute-force codes within seventy minutes, which allowed them to demonstrate a vulnerability in a two-factor authentication system.
By exploiting the system’s limitations, researchers were able to guess valid codes multiple times, highlighting the potential risks associated with such systems if not implemented with robust security measures.
Microsoft addressed the vulnerability that allowed repeated login attempts: a temporary fix was deployed on July 4th, 2024, mitigating the immediate risk.
To further enhance security, a permanent solution was implemented on October 9th, 2024, which introduced a stricter rate limit for failed login attempts, significantly reducing the window of opportunity for potential attacks.
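The two defects described above, a failed-attempt budget that resets with every new session and a wide code-acceptance window, can be made concrete with a small verifier. The following is an added example written for this article, not Microsoft's or Oasis Security's code: it implements RFC 6238 TOTP with Python's standard library, then compares a per-session failure budget (the weak design) with a per-account budget that counts failures across all sessions and locks the account. The secret is the RFC test-vector key, the timestamp, session count and lockout length are constructed values, and the attacker model in `simulate_enumeration` only submits known-wrong codes so that the comparison is about how the verifier responds, not about guessing.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

DIGITS = 6          # six-digit codes, as in the article
STEP_SECONDS = 30   # RFC 6238 time step

# Constructed sample values: the RFC 4226/6238 test-vector key and a fixed "now"
# so that the demonstration is deterministic. Not a real user's seed.
SECRET = b"12345678901234567890"
NOW = 1_700_000_000


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for the step containing `at`."""
    counter = at // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def accepted_codes(secret: bytes, now: int, skew_steps: int) -> list:
    """Codes a validator accepts when it tolerates +/- skew_steps around `now`.
    skew_steps=0 is the bare 30-second window; larger values widen it, which is
    the tolerance the article describes (assumed here to be symmetric)."""
    return [totp(secret, now + k * STEP_SECONDS) for k in range(-skew_steps, skew_steps + 1)]


def guess_success_probability(attempts: int, accepted: int) -> float:
    """Chance that `attempts` uniformly random guesses hit one of `accepted` valid codes."""
    return 1.0 - (1.0 - accepted / 10 ** DIGITS) ** attempts


class TotpVerifier:
    """Second-factor verifier with a failed-attempt budget.

    per_session=True counts failures per (account, session) pair: the weak design
    from the article, where a fresh session gets a fresh budget.
    per_session=False counts failures per account across all sessions and locks the
    account, so opening new sessions does not buy more guesses.
    """

    def __init__(self, max_failures: int, lockout_seconds: int, skew_steps: int, per_session: bool):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.skew_steps = skew_steps
        self.per_session = per_session
        self.failures = defaultdict(int)
        self.locked_until = defaultdict(int)

    def _key(self, account: str, session: str):
        return (account, session) if self.per_session else account

    def verify(self, account: str, session: str, secret: bytes, code: str, now: int) -> str:
        """Returns "ok", "bad_code" or "locked". A "locked" answer is what a monitoring
        rule should alert on, since it means the budget was exhausted."""
        key = self._key(account, session)
        if now < self.locked_until[key]:
            return "locked"
        if any(hmac.compare_digest(code, c) for c in accepted_codes(secret, now, self.skew_steps)):
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.locked_until[key] = now + self.lockout_seconds
            self.failures[key] = 0
        return "bad_code"


def simulate_enumeration(verifier, account, secret, now, sessions, guesses_per_session) -> dict:
    """Constructed attacker model for comparing the two budgets: open `sessions`
    sessions and submit `guesses_per_session` known-wrong codes in each, all inside
    one validity window. Returns a count of the verifier's answers."""
    valid = set(accepted_codes(secret, now, verifier.skew_steps))
    wrong = next(f"{i:0{DIGITS}d}" for i in range(10 ** DIGITS) if f"{i:0{DIGITS}d}" not in valid)
    outcome = defaultdict(int)
    for s in range(sessions):
        for _ in range(guesses_per_session):
            outcome[verifier.verify(account, f"session-{s}", secret, wrong, now)] += 1
    return dict(outcome)


if __name__ == "__main__":
    weak = TotpVerifier(max_failures=10, lockout_seconds=600, skew_steps=3, per_session=True)
    strict = TotpVerifier(max_failures=10, lockout_seconds=600, skew_steps=0, per_session=False)
    print("per-session budget:", simulate_enumeration(weak, "alice", SECRET, NOW, 50, 10))
    print("per-account budget:", simulate_enumeration(strict, "alice", SECRET, NOW, 50, 10))
    print("codes accepted with skew 3:", len(accepted_codes(SECRET, NOW, 3)))
```

With the per-session budget, fifty sessions of ten guesses each produce five hundred "bad_code" answers and never a lock; with the per-account budget the eleventh guess onward is refused regardless of which session it arrives on. The `guess_success_probability` helper shows why the window matters: the attacker's odds scale with both the number of attempts they are allowed and the number of codes the validator accepts at once.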
Implementing multi-factor authentication (MFA) should be a top priority for organizations, and they should use strong authentication methods such as authenticator apps or passwordless solutions.
To further enhance security, they should monitor for leaked credentials, regularly update passwords, and enable email alerts for failed MFA attempts, which helps detect and mitigate potential security threats early.