If you look inside your cybersecurity Christmas cracker later this month and find a riddle asking what takes an hour to execute, requires no user interaction and generates no notifications, you may end up spitting out your sherry when you turn the little strip of paper over and learn that the answer is a critical vulnerability in Microsoft's Multi-Factor Authentication (MFA) implementation.
A report released this week from Oasis Security’s research team has detailed the recent discovery, explanation, and remediation of a critical vulnerability in Microsoft’s MFA implementation.
Bypassing MFA
The report details how an attacker could bypass MFA and gain unauthorized access to a user's account by exploiting two weaknesses together: the absence of effective rate limiting on code validation, and an extended window during which Microsoft's sign-in flow kept accepting a Time-Based One-Time Password (TOTP) code generated by the Microsoft Authenticator app.
The app generates a six-digit code from a shared secret and the current time, with a new code every 30 seconds. Users submit this code after entering their username and password.
The code is then sent in a POST request for verification, which returns an acceptance or a rejection; a single session was allowed ten consecutive failed attempts.
Crucially, however, that limit of ten consecutive failed attempts was applied only to the temporary session object, not to the account. Add the allowance the validator makes for clock drift between the user's device and the server and for network delay, and the period during which a single code is accepted, and with it the attack window, grows well beyond the nominal 30 seconds.
The Oasis research team tested this and found that Microsoft's validator accepted a single code for around three minutes, two and a half minutes longer than the 30-second step that the TOTP standard (RFC 6238) works in. Over that elongated window, the number of guesses available to an attacker against any one code was six times what a 30-second window would allow.
Multiple, Simultaneous Attempts
During their research, the Oasis team demonstrated a high rate of guesses against the six-digit code's one million possible values by rapidly creating new sessions, each of which arrived with its own fresh allowance of failed attempts. This allowed many simultaneous attempts, and throughout, account owners received no alert about the numerous failed sign-ins.
Oasis immediately flagged the issue to Microsoft and worked closely with them to resolve it, which led to stricter rate limits that engage after a number of failed attempts. Oasis has also released a blog post detailing the incident and providing guidelines for organizations using MFA.
For professionals, the confidential information held in Microsoft accounts increasingly goes beyond Outlook, encompassing OneDrive files, Teams chats, Azure cloud resources and much more. Factor in that Microsoft has over 400 million paid Office 365 seats, and the implications of this vulnerability are significant and its potential consequences severe.
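The two knobs the report turns on, the size of the acceptance window and the scope of the failed-attempt counter, are easiest to see side by side in code. The following is an added example written for this article, not Oasis's research tooling or any Microsoft code: a minimal RFC 6238 TOTP generator, a validator whose window (`skew_steps`) and rate-limit scope (`"session"` or `"account"`) are configurable, and the attacker loop the article describes, which opens a new session whenever the current one is exhausted. The secret and timestamps are the published RFC 4226/6238 test values, so the outcome is known in advance; the window of three steps either side of now, about 3.5 minutes, is an assumption chosen to approximate the roughly three-minute tolerance Oasis measured, not a figure taken from Microsoft.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

# Added example, not code from Oasis or Microsoft. skew_steps: how many
# 30-second steps either side of "now" a code is still accepted (the window).
# scope: whether the failed-attempt budget belongs to a session (the weak
# design described in the report) or to the account (the fix).


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the number of whole steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


class Validator:
    """Server-side code check with a configurable acceptance window and rate-limit scope."""

    def __init__(self, secret: bytes, skew_steps: int, max_fails: int, scope: str,
                 step: int = 30, digits: int = 6):
        assert scope in ("session", "account")
        self.secret, self.step, self.digits = secret, step, digits
        self.skew_steps, self.max_fails, self.scope = skew_steps, max_fails, scope
        self.fails = defaultdict(int)   # failed attempts, keyed by session id or by the account
        self.alerts = []                # lockout events that should become user notifications
        self._cache = {}                # accepted-code set per time step, computed once
        self._next_session = 0

    def new_session(self) -> int:
        """Hand out a fresh session id; with scope="session" this also resets the fail budget."""
        self._next_session += 1
        return self._next_session

    def accepted_codes(self, now: int) -> set:
        """Every code the server accepts at `now`: one per step inside the skew window."""
        counter = now // self.step
        if counter not in self._cache:
            self._cache[counter] = {hotp(self.secret, c, self.digits)
                                    for c in range(counter - self.skew_steps,
                                                   counter + self.skew_steps + 1)}
        return self._cache[counter]

    def check(self, session_id: int, code: str, now: int) -> str:
        """Return "ok", "bad", or "locked" (budget spent; the code is not even evaluated)."""
        key = session_id if self.scope == "session" else "account"
        if self.fails[key] >= self.max_fails:
            return "locked"
        if code in self.accepted_codes(now):
            return "ok"
        self.fails[key] += 1
        if self.fails[key] == self.max_fails:
            self.alerts.append((key, now))
        return "bad"


def brute_force(validator: Validator, now: int, max_sessions: int) -> dict:
    """Attacker model from the article: walk the code space in order and, whenever the
    session is locked, open a new one and retry the same guess. Stops on success, when a
    brand-new session is locked too (an account-scoped limit), or at max_sessions."""
    sid, sessions, tried = validator.new_session(), 1, 0
    for guess in range(10 ** validator.digits):
        code = f"{guess:0{validator.digits}d}"
        result = validator.check(sid, code, now)
        if result == "locked":
            if sessions >= max_sessions:
                break
            sid, sessions = validator.new_session(), sessions + 1
            result = validator.check(sid, code, now)
            if result == "locked":
                break
        tried += 1
        if result == "ok":
            return {"success": True, "attempts": tried, "sessions": sessions}
    return {"success": False, "attempts": tried, "sessions": sessions}


# RFC 4226 test secret; at Unix time 59 the 6-digit SHA-1 TOTP is 287082 (RFC 6238 vectors).
SECRET = b"12345678901234567890"
NOW = 149                                # time step 4; with skew 3, steps 1..7 are accepted

if __name__ == "__main__":
    print("TOTP at t=59:", totp(SECRET, 59))
    weak = Validator(SECRET, skew_steps=3, max_fails=10, scope="session")
    print("codes the weak validator accepts at once:", len(weak.accepted_codes(NOW)))
    print("weak (per-session limit):", brute_force(weak, NOW, max_sessions=10 ** 6))
    hard = Validator(SECRET, skew_steps=1, max_fails=10, scope="account")
    print("hardened (per-account limit):", brute_force(hard, NOW, max_sessions=10 ** 6))
```

With the session-scoped budget the attacker simply keeps opening sessions and eventually lands on one of the seven codes the wide window accepts; with an account-scoped budget the second session is already locked and a single lockout event is recorded, which is exactly the point at which a notification to the account owner belongs. Widening the window multiplies the accepted codes; scoping the limit to the session removes the cap on attempts. Neither alone would have been enough for the attack the report describes.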
A Wake-Up Call
Technology professionals have been reacting to the news, with Jason Soroko, Senior Fellow at Sectigo, branding the findings ‘a wake-up call’ and calling on organizations to review their own MFA systems and assess whether they were fit for purpose.
The incident highlighted significant problems with MFA overall, added Kris Bondi, CEO and Co-Founder of Mimoto. “While MFA is better than the use of credentials alone, it should be considered an organization’s minimum acceptable practice, not a state-of-the-art security measure. Even when MFA is operating as expected, it’s validating an endpoint at a specific point in time, not confirming it’s the correct person.”
Finally, James Scobey, Chief Information Security Officer at Keeper Security, pointed out that this incident serves as a reminder that security isn’t just about deploying MFA – it must also be configured properly. “While MFA is undoubtedly a powerful defense, its effectiveness depends on key settings, such as rate limiting to thwart brute-force attempts and user notifications for failed login attempts. These features are not optional; they are critical for enhancing visibility, allowing users to spot suspicious activity early and respond swiftly.”
Vulnerabilities can, of course, be discovered in even the most secure of systems. However, the absence of any notification to the user about failed sign-in attempts underlines the need to build failed-attempt alerting, by mail or otherwise, into authentication systems, and to throttle or lock the account itself, not merely the session, once a threshold of failures is reached. A hard per-account lockout can itself be abused to deny a legitimate user access, so progressive throttling with alerting is often the better default. More broadly, this incident reinforces the importance of continuous monitoring alongside the implementation of MFA.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.