Critical Microsoft Azure MFA Bypass Exposed: What You Need to Know
Oasis Security’s research team has unveiled a critical vulnerability in Microsoft Azure’s Multi-Factor Authentication (MFA) system, exposing millions of users to potential breaches. The bypass technique allows attackers to gain unauthorized access to sensitive accounts, including Outlook emails, OneDrive files, Teams chats, and Azure Cloud services, without user interaction or notification.
The vulnerability leverages weaknesses in the implementation of Time-Based One-Time Passwords (TOTP), the standard used by most authenticator apps. According to Oasis, attackers could bypass MFA by exploiting the following key issues:
- Lack of Rate Limiting: “By rapidly creating new sessions and enumerating codes, the Oasis research team demonstrated a very high rate of attempts that would quickly exhaust the total number of options for a 6-digit code,” the report noted. This lack of proper throttling enabled attackers to execute numerous attempts simultaneously.
- Extended Code Validity Window: While TOTP codes are typically valid for 30 seconds, Microsoft’s system allowed a tolerance window of approximately three minutes, providing six times the usual timeframe for brute force attempts. This extended window significantly increased the chances of guessing a valid code.
The attack method was alarmingly simple and stealthy. Oasis Security reported, “The bypass was simple: it took around an hour to execute, required no user interaction and did not generate any notification or provide the account holder with any indication of trouble.”
Within approximately 70 minutes, attackers had a 50% chance of successfully guessing the code. This timeframe, combined with the silent nature of the attack, left many organizations vulnerable to undetected breaches.
Upon discovering the flaw, Oasis Security collaborated with Microsoft to address the issue. While specific technical details remain confidential, the company introduced stricter rate-limiting measures. According to the report, “Microsoft introduced a much stricter rate limit that kicks-in after a number of failed attempts; the strict limit lasts around half a day.”
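To make the two weaknesses in the list above and the lockout described in this last paragraph concrete, here is a minimal RFC 6238 TOTP verifier with exactly those two knobs: the drift window (how many 30-second steps are accepted at once) and a failed-attempt lockout. This is an added example, not code from the Oasis report or from Microsoft; the window sizes (±1 step as the usual strict setting, ±6 steps to stand in for the roughly three-minute tolerance described above), the five-failure threshold and the 12-hour lockout are assumptions chosen to mirror the article's numbers, and `guesses_for_half_chance` is a rough independent-guess estimate rather than the report's measurement.

```python
import hashlib
import hmac
import math
import struct

DIGITS = 6
STEP = 30                      # seconds per TOTP step (RFC 6238 default)
CODE_SPACE = 10 ** DIGITS      # one million possible 6-digit codes

def totp(secret: bytes, counter: int) -> str:
    """TOTP value for one time step (RFC 4226 HMAC-SHA1 + dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % CODE_SPACE:0{DIGITS}d}"

class TotpVerifier:
    """Server-side check: `window` = steps accepted on each side of 'now';
    `max_failures` wrong codes lock the account for `lockout_s` seconds."""

    def __init__(self, secret: bytes, window: int = 1,
                 max_failures: int = 5, lockout_s: int = 12 * 3600):
        # defaults are assumed values mirroring the article, not Microsoft's settings
        self.secret, self.window = secret, window
        self.max_failures, self.lockout_s = max_failures, lockout_s
        self.failures, self.locked_until = 0, 0.0

    def accepted_codes(self, now: float) -> set:
        step = int(now // STEP)
        return {totp(self.secret, step + d)
                for d in range(-self.window, self.window + 1)}

    def verify(self, code: str, now: float) -> bool:
        if now < self.locked_until:
            return False                # locked: refuse without evaluating the code
        if code in self.accepted_codes(now):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_s
        return False

def guesses_for_half_chance(window: int) -> int:
    """Random guesses for a 50% hit when 2*window+1 codes are valid at once
    (independent-guess approximation; a rough risk estimate, not the report's)."""
    valid = 2 * window + 1
    return math.ceil(math.log(0.5) / math.log(1 - valid / CODE_SPACE))
```

With the wide window a code from several steps away still verifies, and the half-chance guess count drops by roughly the ratio of accepted codes; the lockout is what turns a silent guessing campaign into a refused one.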