Microsoft Azure MFA Vulnerability Allows Unauthorized User Account Access


A critical vulnerability in Microsoft’s Multi-Factor Authentication (MFA) implementation has been uncovered by Oasis Security’s research team, potentially exposing over 400 million Office 365 accounts to unauthorized access.

The flaw, dubbed “AuthQuake,” allowed attackers to bypass MFA protections and gain access to user accounts, including Outlook emails, OneDrive files, Teams chats, and Azure Cloud resources.


The AuthQuake flaw stemmed from two key issues in Microsoft’s MFA system:

  1. Lack of Rate Limiting: Attackers could rapidly create new sessions and attempt multiple code guesses simultaneously, quickly exhausting all possible 6-digit code combinations.
  2. Extended Code Validity: TOTP codes remained valid for approximately 3 minutes, significantly longer than the standard 30 seconds, increasing the window of opportunity for attackers.

These vulnerabilities allowed malicious actors to potentially breach MFA defenses within 70 minutes, achieving a success rate exceeding 50%. Alarmingly, the exploit required no user interaction and generated no alerts, leaving account holders oblivious to the ongoing attack.

Attack Method


The bypass technique exploited weaknesses in the time-based one-time password (TOTP) system:

  1. Attackers initiated multiple sessions using the same parameters.
  2. By rapidly creating new sessions and enumerating codes, they could attempt combinations at a high rate.
  3. The extended 3-minute validity window for codes increased the chances of a successful guess.

Upon notification by Oasis Security, Microsoft took swift action:

  • June 24, 2024: Microsoft acknowledged the issue.
  • July 4, 2024: A temporary fix was deployed.
  • October 9, 2024: A permanent solution was implemented.

The permanent fix involved introducing stricter rate-limiting mechanisms that activate after a number of failed attempts, lasting for approximately half a day.

While this specific vulnerability has been addressed, the incident highlights the importance of robust MFA implementations. Security experts recommend:

  1. Implement Stricter Rate Limiting: Enforce limits on failed authentication attempts to prevent brute-force attacks.
  2. Monitor Failed MFA Attempts: Set up alerts for repeated second-factor authentication failures to detect suspicious activity.
  3. Regular Security Audits: Continuously review and update security configurations to identify and resolve vulnerabilities.
  4. User Education: Conduct regular training to help employees understand the importance of MFA and how to use it effectively.
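To make the first two recommendations concrete, here is an added illustration (not Microsoft's or Oasis Security's code): an RFC 6238 TOTP check that accepts only one 30-second step of clock skew on either side instead of a 3-minute window, and locks an account for roughly half a day once a fixed number of attempts have failed. The demo secret, the failure threshold and the lockout length are constructed assumptions.

```python
import hmac
import hashlib
import struct

STEP = 30                    # RFC 6238 time step in seconds
SKEW_STEPS = 1               # accept one step either side (90 s total), not 3 minutes
MAX_FAILURES = 10            # hypothetical threshold before lockout
LOCKOUT_SECONDS = 12 * 3600  # "approximately half a day", as described above

# Constructed demo secret; a real deployment generates one per user at enrolment.
SECRET = b"constructed-demo-secret"

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value; RFC 6238 TOTP uses counter = unix_time // STEP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class TotpVerifier:
    """Per-account failure counting with lockout, plus a narrow validity window."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = {}  # account -> (failed attempts, lockout expiry time)

    def verify(self, account: str, code: str, now: float) -> bool:
        count, until = self.failures.get(account, (0, 0.0))
        if now < until:
            return False  # locked out: reject without evaluating the code
        if until:
            count, until = 0, 0.0  # an earlier lockout has expired; start afresh
        counter = int(now // STEP)
        ok = any(
            hmac.compare_digest(totp(self.secret, counter + d), code)
            for d in range(-SKEW_STEPS, SKEW_STEPS + 1)
        )
        if ok:
            self.failures.pop(account, None)
            return True
        count += 1
        if count >= MAX_FAILURES:
            until = now + LOCKOUT_SECONDS  # guessing stalls here, whatever the session count
        self.failures[account] = (count, until)
        return False
```

The failure counter is keyed on the account, not the session, so opening fresh sessions does not reset it; in production the counter and lockout would live in shared storage and each failure would also be logged for the alerting in recommendation 2.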

Despite this setback, MFA remains a critical security measure. Organizations are advised to continue using MFA, preferably with authenticator apps or stronger passwordless methods, while staying vigilant against potential vulnerabilities.
