
Critical Microsoft MFA Loophole Exposed Millions of User Accounts

A flaw in Microsoft Azure multi-factor authentication allowed attackers to brute-force accounts, exposing data in Teams, OneDrive, and more.


A critical vulnerability in Microsoft’s Multi-Factor Authentication (MFA) system left millions of accounts exposed to unauthorized access. The flaw, disclosed by researchers at Oasis Security, stemmed from weaknesses in how the sign-in service limited code-verification attempts, allowing an attacker who had already cleared the password step to brute-force the second factor without being noticed.

Because failed code attempts were not effectively rate-limited, the flaw put sensitive data in services such as OneDrive, Teams, and Azure at risk. Oasis Security says that “account owners did not receive any alert about the massive number of consequent failed attempts, making this vulnerability and attack technique dangerously low profile.”

Microsoft has since patched the issue, but the incident shows how vulnerabilities can exist even in widely trusted security systems.

How the Microsoft MFA Flaw Worked

The attack targeted Microsoft’s Time-based One-Time Password (TOTP) verification. A TOTP is a six-digit code derived from a secret shared between the server and the user’s authenticator app or hardware token, combined with the current time, and is presented as the second authentication factor.

Attackers could sidestep the per-session attempt limit by rapidly opening many concurrent login sessions. Because failed attempts were counted per session rather than per account, spreading guesses across sessions kept each session under its limit while the total guess rate against the account grew without bound.

Oasis Security’s report detailed the mechanics of the attack: “By rapidly creating new sessions and enumerating codes, the research team demonstrated a very high rate of attempts that would quickly exhaust the total number of options for a 6-digit code (1,000,000).” The team found that this method allowed a 50% chance of success within approximately 70 minutes.


Adding to the severity of the flaw, Microsoft’s implementation accepted a given code for roughly three minutes, six times the 30-second time step recommended in RFC 6238, which suggests tolerating only about one step of clock drift. With around six codes valid at any moment instead of one, each blind guess was six times as likely to succeed. According to Oasis Security, “Testing with Microsoft sign-in showed a tolerance of around 3 minutes for a single code, extending 2.5 minutes past its expiry, allowing 6x more attempts to be sent.”
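The following model of the attack mechanics is an added example, not Oasis Security’s test harness or Microsoft’s code. It implements RFC 6238 TOTP, a verifier whose tolerance for stale codes is adjustable, the arithmetic behind “N guesses for a 50% chance”, and the two rate-limiter designs at the heart of the story: the bypassable per-session counter and the per-account lockout of the kind Microsoft’s permanent fix introduced. Everything not in the article is an assumption: HMAC-SHA1 with six digits and a 30-second step, a verifier that honours codes from `past_steps` earlier steps, and the limiter parameters (10 failures, 12-hour lockout) chosen for illustration.

```python
"""Model of a TOTP brute-force across sessions (added example, not the page's code).
Assumptions: RFC 6238 TOTP with HMAC-SHA1, 6 digits, 30 s step; verifier accepts a
code for `past_steps` steps after the one it was generated in; limiter settings are
illustrative, not Microsoft's actual values."""
import hashlib
import hmac
import math
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(unix_time / step)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def accepted_codes(secret: bytes, now: int, past_steps: int, step: int = 30) -> set:
    """Every code the verifier accepts at `now` when it still honours the previous
    `past_steps` steps. past_steps=0 leaves one live code; a ~3-minute tolerance
    (past_steps=5) leaves six, so a blind guess is six times as likely to hit."""
    return {totp(secret, now - k * step, step) for k in range(past_steps + 1)}


def verify(secret: bytes, code: str, now: int, past_steps: int) -> bool:
    return code in accepted_codes(secret, now, past_steps)


def guesses_for_probability(live_codes: int, p: float = 0.5, space: int = 10 ** 6) -> int:
    """Guesses needed to reach success probability p when `live_codes` of `space`
    possible codes are accepted at any moment (independent-trial model)."""
    return math.ceil(math.log(1 - p) / math.log(1 - live_codes / space))


class PerSessionLimiter:
    """Bypassable design: failures are counted per login session, so an attacker
    who opens a fresh session after every `max_failures` guesses is never slowed."""

    def __init__(self, max_failures: int):
        self.max_failures = max_failures
        self.failures = {}  # session id -> failed attempts

    def allow(self, account: str, session: str, now: int) -> bool:
        return self.failures.get(session, 0) < self.max_failures

    def record_failure(self, account: str, session: str, now: int) -> None:
        self.failures[session] = self.failures.get(session, 0) + 1


class PerAccountLimiter:
    """Hardened design: failures are counted per account across all sessions and
    the account is locked for `lockout_seconds` once the threshold is reached."""

    def __init__(self, max_failures: int, lockout_seconds: int):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # account -> failed attempts since last lock
        self.locked_until = {}  # account -> unix time the lock expires

    def allow(self, account: str, session: str, now: int) -> bool:
        return now >= self.locked_until.get(account, 0)

    def record_failure(self, account: str, session: str, now: int) -> None:
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0


def simulate_attack(limiter, secret: bytes, past_steps: int, max_guesses: int,
                    now: int = 1_700_000_000) -> tuple:
    """Enumerate codes 000000, 000001, ... against one account, opening a new
    session whenever the current one is refused. Time is frozen at `now` so the
    live-code set is fixed. Returns (guesses the verifier processed, code found?)."""
    live = accepted_codes(secret, now, past_steps)
    account, session, sent = "victim@example.com", 0, 0
    for guess in range(max_guesses):
        if not limiter.allow(account, str(session), now):
            session += 1  # the attacker's trick: just start another session
            if not limiter.allow(account, str(session), now):
                break     # per-account lockout: a fresh session does not help
        sent += 1
        if f"{guess:06d}" in live:
            return sent, True
        limiter.record_failure(account, str(session), now)
    return sent, False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret
    print("live codes, strict:", len(accepted_codes(secret, 1_700_000_000, 0)))
    print("live codes, 3-minute tolerance:", len(accepted_codes(secret, 1_700_000_000, 5)))
    print("guesses for 50% with 1 live code:", guesses_for_probability(1))
    print("guesses for 50% with 6 live codes:", guesses_for_probability(6))
    print("per-session limiter:", simulate_attack(PerSessionLimiter(10), secret, 5, 2000))
    print("per-account limiter:", simulate_attack(PerAccountLimiter(10, 12 * 3600), secret, 5, 2000))
```

The two simulations make the design point concrete: with a per-session counter the attacker submits every one of the 2,000 guesses by cycling through 200 sessions, while the per-account limiter stops the run at the tenth failure no matter how many sessions are opened. The `guesses_for_probability` figures show why the stale-code tolerance mattered: six live codes cut the work for a coin-flip chance from roughly 693,000 guesses to roughly 116,000.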

Timeline of Discovery and Resolution

The vulnerability was disclosed to Microsoft in June 2024 after Oasis Security conducted simulations demonstrating the exploit. Microsoft responded with a two-step remediation plan.

A temporary patch was implemented on July 4, 2024, reducing the number of attempts allowed within a session. A permanent fix followed on October 9, 2024, introducing stricter rate limiting that blocks further attempts for up to 12 hours after repeated failures.


Oasis Security commended Microsoft’s prompt action but emphasized the importance of addressing fundamental weaknesses in authentication systems. The researchers stated, “This vulnerability highlights how even foundational security systems can be exploited when safeguards are not properly implemented.”

Why This Attack Was Particularly Dangerous

One of the most alarming aspects of this vulnerability was its stealthy nature. The attack did not trigger notifications for account owners, allowing attackers to operate undetected. As the researchers explained, “During this period, account owners did not receive any alert about the massive number of consequent failed attempts, making this vulnerability and attack technique dangerously low profile.”


This low visibility meant that users, particularly in corporate environments, were at heightened risk. Unauthorized access to an enterprise account could lead to data theft, espionage, or lateral movement through the network, putting further systems at risk.

Broader Implications for Authentication Systems

The Microsoft MFA flaw has reignited discussion about the limits of shared-secret authentication such as TOTP. Because the verifier only checks whether a short numeric code matches one derived from the shared secret, the search space is small (one million values for six digits), and the only real defence against guessing is strict server-side rate limiting.

Shared-secret authentication carries these weaknesses by design, so organizations should apply vendor updates promptly and evaluate whether legacy MFA approaches are still suitable for their risk.

Traditional MFA methods typically prove possession of a device or secret rather than binding the authentication to the individual user.


Lessons for Organizations Using MFA

Oasis Security’s findings underline the importance of implementing strong safeguards around MFA systems. The report recommends several best practices to mitigate risks:

Organizations should enable real-time alerts that notify users and security teams of repeated failed authentication attempts. Counting failures per account rather than per session gives early warning of a brute-force attack and lets users act immediately, such as resetting passwords or contacting support.

Transitioning to passwordless authentication, such as FIDO2 passkeys based on public-key cryptography, is another recommended step: with no shared secret on the server, there is no short code for an attacker to guess. Finally, organizations should conduct regular security audits to identify and address weaknesses in their authentication mechanisms.
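To illustrate the alerting recommendation, here is a small detection routine that is an added example and not part of Oasis Security’s report or any Microsoft product. It scans sign-in events and flags an account whose MFA failures in a short window are spread across many distinct sessions, the signature of the cross-session brute force described above. The log format is constructed for the example and is not the Entra ID sign-in schema; the thresholds (20 failures across 5 sessions within 10 minutes) are assumptions to tune per environment.

```python
"""Detect cross-session MFA brute force in sign-in logs (added example, not the
page's code). Log format and thresholds are constructed for illustration."""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: one account hammered from 25 different sessions within
# 25 seconds, plus a normal user who mistypes a code once and then succeeds.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": f"2024-06-01T12:00:{i:02d}Z", "user": "alice@example.com",
                 "session": f"s{i}", "result": "MFA_FAILED"}) for i in range(25)]
    + [json.dumps({"ts": "2024-06-01T12:05:00Z", "user": "bob@example.com",
                   "session": "s-bob", "result": "MFA_FAILED"}),
       json.dumps({"ts": "2024-06-01T12:05:20Z", "user": "bob@example.com",
                   "session": "s-bob", "result": "SUCCESS"})]
)


def parse_event(line: str) -> dict:
    """Parse one JSON log line and add a UTC epoch timestamp under 't'."""
    rec = json.loads(line)
    when = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["t"] = when.timestamp()
    return rec


def detect_mfa_bruteforce(log_text: str, window_s: int = 600,
                          min_failures: int = 20, min_sessions: int = 5) -> dict:
    """Per account, slide a time window over MFA failures and alert when the window
    holds at least `min_failures` failures from at least `min_sessions` distinct
    sessions. A per-session view would never see more than a handful of failures.
    Returns {account: (failures_in_window, distinct_sessions)} for flagged accounts."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["t"])
    windows = defaultdict(deque)
    alerts = {}
    for rec in events:
        if rec["result"] != "MFA_FAILED":
            continue
        q = windows[rec["user"]]
        q.append(rec)
        while q and rec["t"] - q[0]["t"] > window_s:
            q.popleft()  # drop failures older than the window
        sessions = {r["session"] for r in q}
        if len(q) >= min_failures and len(sessions) >= min_sessions:
            best = alerts.get(rec["user"], (0, 0))
            alerts[rec["user"]] = max(best, (len(q), len(sessions)))
    return alerts


if __name__ == "__main__":
    for user, (fails, sessions) in detect_mfa_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {user}: {fails} MFA failures across {sessions} sessions")
```

Keying the window on the account rather than the session is what makes the pattern visible; the same rule keyed on session ID would report at most one failure per session and never fire.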

In their report, Oasis Security concluded, “While MFA remains a vital security layer, this incident illustrates that poorly implemented systems can become an attack vector.”

This incident serves as a powerful reminder of the evolving tactics used by cyber attackers and the ongoing challenges of securing authentication systems at scale. While Microsoft’s response effectively mitigated the flaw, the vulnerability highlights the importance of proactive measures to prevent similar incidents in the future.

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He is holding a Master´s degree in International Economics and is the founder and managing editor of Winbuzzer.com.
