Oasis Security has disclosed a vulnerability in Microsoft's multi-factor authentication (MFA) that let an attacker bypass the second factor entirely. Oasis named the technique AuthQuake and reported it to Microsoft in late June 2024; Microsoft shipped a temporary mitigation shortly afterwards and a permanent fix in October 2024.

Critical Exposure

An attacker who already held a user's password could complete sign-in to that user's Microsoft account without the legitimate second factor. That exposed everything the account could reach, including Outlook, OneDrive, Teams and Azure; Oasis put the scale in context by noting that Office 365 alone has over 400 million subscriptions.

Attack Methodology

AuthQuake is a brute-force attack on the one-time code itself. Microsoft's MFA endpoint placed no effective limit on failed code submissions, so an attacker could rapidly submit many guesses. A TOTP code normally changes every 30 seconds, but Microsoft accepted each code for roughly three minutes, and within one such window the attacker could cover enough of the code space for about a 3% chance of success; a miss simply meant starting a fresh session against the next code and trying again. Nothing in the process required any action from the account owner, and nothing alerted them that it was happening.

Experimentation Outcomes

Because each window gives an independent 3% chance, the probability of at least one hit after n windows is 1 - 0.97^n, which passes 50% at n = 24, roughly 70 minutes of continuous attempts. Oasis's demonstrations also showed that a successful guess can land much earlier than that: 24 windows is the point at which the odds favour the attacker, not the earliest possible success.
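The following Python model is an added example (not code from Oasis Security or Microsoft) that ties the two sections above together: it implements a standard RFC 6238 TOTP check, computes the cumulative success probability behind the 3%-per-window and 50%-after-24-windows figures, and contrasts a verifier whose failure counter is keyed per session, which an attacker defeats by opening a fresh session, with one keyed per account. The secret, the threshold of ten failures, the half-day lockout length, the account and session names and the attacker's behaviour are all assumptions constructed for illustration; the page does not state how Microsoft's counters were keyed before or after the fix.

```python
"""Constructed model of AuthQuake-style code guessing and of two ways a
verifier can count failures.  Added example, not code from Oasis Security
or Microsoft; secret, limits, names and attacker behaviour are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

CODE_SPACE = 10 ** 6  # a 6-digit TOTP code has one million possible values


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over an already-computed time counter
    (HMAC-SHA1 plus the dynamic truncation of RFC 4226)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def brute_force_success_prob(attempts_per_window: int, windows: int) -> float:
    """Chance that at least one of `windows` independent validity windows is
    hit, given `attempts_per_window` distinct guesses inside each window.
    The article's 3% per window corresponds to 30,000 guesses per window."""
    p_window = min(attempts_per_window, CODE_SPACE) / CODE_SPACE
    return 1.0 - (1.0 - p_window) ** windows


@dataclass
class OtpVerifier:
    """Minimal OTP check whose failure counter is keyed either per session
    (bypassable by opening new sessions) or per account (assumed fix)."""
    secret: bytes
    key_by: str = "account"            # "account" or "session"
    max_failures: int = 10             # assumed threshold
    lockout_seconds: int = 12 * 3600   # assumed; modelled on "about half a day"
    step: int = 30
    skew_steps: int = 1                # also accept the adjacent 30 s steps
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def valid_codes(self, now: float) -> set:
        counter = int(now // self.step)
        return {totp(self.secret, counter + d)
                for d in range(-self.skew_steps, self.skew_steps + 1)}

    def verify(self, account: str, session: str, code: str, now: float) -> str:
        key = account if self.key_by == "account" else session
        if now < self.locked_until.get(key, 0.0):
            return "locked"  # refused before the code is even compared
        if any(hmac.compare_digest(code, v) for v in self.valid_codes(now)):
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= self.max_failures:
            self.locked_until[key] = now + self.lockout_seconds
            self.failures.pop(key, None)
        return "bad"


def run_attack(key_by: str, guesses: int = 1000, per_session: int = 10) -> dict:
    """An attacker holding the victim's password sends `guesses` wrong codes
    within one validity window, opening a fresh session every `per_session`
    attempts.  Returns how many guesses were evaluated versus refused."""
    secret = b"constructed-demo-secret"        # constructed, not a real seed
    verifier = OtpVerifier(secret=secret, key_by=key_by)
    now = 1_700_000_000.0                      # fixed clock: one shared window
    valid = verifier.valid_codes(now)
    outcomes = {"bad": 0, "locked": 0, "ok": 0}
    sent = candidate = 0
    while sent < guesses:
        code = f"{candidate:06d}"
        candidate += 1
        if code in valid:   # skip the real code so the run is deterministic
            continue
        session = f"sess-{sent // per_session}"
        outcomes[verifier.verify("victim@example.com", session, code, now)] += 1
        sent += 1
    return outcomes


if __name__ == "__main__":
    p = brute_force_success_prob(30_000, 24)
    print(f"P(at least one hit) after 24 windows at 3% each: {p:.3f}")
    print("per-session counter:", run_attack("session"))  # every guess evaluated
    print("per-account counter:", run_attack("account"))  # refused after 10 failures
```

With the counter keyed per session, all 1,000 guesses are evaluated because the attacker never reuses a session long enough to trip the limit; keyed per account, only the first ten are evaluated and the rest are refused for the lockout period, which is the behaviour a half-day limit on failed attempts buys. The trade-off to keep in mind when copying this pattern is that a long per-account lockout is also a denial-of-service lever against the victim, so production verifiers usually combine it with throttling by source and with sign-in alerts rather than relying on the lockout alone.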

Microsoft's Response

Microsoft's fix tightens the limit on failed authentication attempts. According to Oasis, once the new limit is reached, further attempts are refused for about half a day, which caps how many guesses an attacker can make in a given period and makes the brute force impractical.
