Millions of Office 365 accounts vulnerable after shocking MFA bypass

A critical vulnerability in Microsoft’s Multi-Factor Authentication (MFA) system has left millions of accounts exposed to unauthorized access. Discovered by Oasis Security, the flaw allows attackers to bypass MFA, impacting over 400 million Office 365 paid users. Exploitation of this weakness permits access to services like Outlook, OneDrive, and Azure Cloud with minimal effort. Microsoft has confirmed the issue and has implemented fixes.

The vulnerability revolves around the time-based one-time password (TOTP) system. Attackers could exploit insufficient rate-limiting mechanisms, granting them the ability to guess six-digit codes repeatedly. Users had up to three minutes—significantly longer than the standard interval of 30 seconds—during which these codes remained valid. This significantly increased the likelihood of a successful attack: attackers could achieve over a 50% success rate within approximately 70 minutes by initiating multiple sessions.

In the blog post detailing the findings, Oasis researchers detailed their method of exploitation, which they termed “AuthQuake.” They tested the flaw by rapidly creating new sessions and enumerating codes, demonstrating a high rate of simultaneous attempts that could exhaust the possible six-digit combinations quickly. These tactics were executed without user interference or alerts, making the attack method discreet.

After being informed of the vulnerability, Microsoft released a temporary patch on July 4, 2024, followed by a permanent solution on October 9, 2024. The latter integrated stricter rate limits that reduce the number of attempts an attacker can make in a given time frame, enhancing security measures against such exploits.

Despite the resolution of this specific flaw, security experts underscore the critical need for continued vigilance. Recommendations for organizations using MFA include enforcing alerts for failed authentication attempts and regularly reviewing security configurations to identify potential vulnerabilities. Kris Bondi, Mimoto CEO, stressed the importance of treating MFA as a minimum acceptable practice rather than a state-of-the-art security measure. He indicated that even when MFA functions correctly, it only verifies the endpoint at a given moment, not necessarily confirming the user’s identity.

Microsoft Teams will stop working on older versions of Windows and macOS

Experts also advise against reliance on outdated MFA solutions. Jason Soroko, senior fellow at Sectigo, echoed the sentiment, emphasizing the need for organizations to adopt updated patches and consider moving towards passwordless authentication solutions for new implementations.

Emerging best practices include integrating mail alerts to notify users of unsuccessful MFA attempts while ensuring that MFA systems enforce rate limits that prevent indefinite sign-in trials. Organizations are also urged to implement measures that lock accounts after numerous failed attempts to thwart potential attackers.

Featured image credit: Ed Hardie/Unsplash