Microsoft secretly stopped actors from snooping on your MFA codes

by CybrGPT

The issue could allow threat actors to brute force MFA authentication codes for Outlook, Teams, and Azure access with 50% accuracy.


Microsoft may have silently fixed a problem with its MFA implementation that attackers could have used to gain access to Outlook, OneDrive, Teams, and Azure accounts without any user interaction.

AuthQuake, as the cybersecurity firm Oasis calls it, was a configuration oversight that increased brute force accuracy by 50% for threat actors trying to guess MFA authentication codes.

According to Oasis Security, which discovered and reported the bug to Microsoft in June, it is a combination of two errors: a lack of rate limiting and an extended timeframe for validating Time-Based One-Time Password (TOTP) codes.

“The bypass was simple: it took around an hour to execute, required no user interaction and did not generate any notification or provide the account holder with any indication of trouble,” Oasis said in a report.

While the bug wasn’t ever publicly disclosed, Oasis said it was promptly acknowledged and patched by Microsoft by October. “We appreciate the partnership with Oasis security in responsibly disclosing this issue. We have already released an update and no customer action is required,” a Microsoft spokesperson said. “We have monitoring in place to detect this type of abuse and have not seen any evidence this technique has been used against our customers.”

“The latest report from Oasis Security on the discovery of AuthQuake highlights significant problems with MFA overall,” said Kris Bondi, chief executive officer and co-founder of Mimoto, a San Francisco, Calif.-based end-to-end recognition company. “When MFA is compromised, it quickly switches from a security tool to a significant attack vector. By gaining access to accounts of the 400 million paid users of Office 365, bad actors would be able to stealthily perform reconnaissance to find the most valuable systems and data.”

Lack of rate limiting simplified brute force

When users access Microsoft’s login pages, they are assigned a session identifier. After entering valid credentials, they must further verify their identity through MFA, with multiple options including verification codes generated by the Microsoft Authenticator app. The user then enters the app’s 6-digit code to complete authentication, with up to 10 failed attempts allowed per session.

The vulnerability stems from the ability to generate multiple requests simultaneously using the same session parameters.

“The limit of 10 consequent fails was only applied to the temporary session object, which can be regenerated with not enough of a rate limit,” Oasis explained. “Simply put, one could execute a lot of attempts simultaneously.”

The Oasis research team showed that by rapidly creating new sessions and enumerating codes, attackers could attempt combinations at a high rate, quickly exhausting all one million possible 6-digit codes. During these attack attempts, account owners received no alerts about the numerous failed attempts, making this vulnerability highly stealthy and dangerous.

“The recent discovery of the AuthQuake vulnerability in Microsoft’s Multi-Factor Authentication (MFA) serves as a reminder that security isn’t just about deploying MFA – it must also be configured properly,” said James Scobey, chief information security officer at Keeper Security. “While MFA is undoubtedly a powerful defense, its effectiveness depends on key settings, such as rate limiting to thwart brute-force attempts and user notifications for failed login attempts.”

Extended timeframe adds icing on the top

Authenticator app codes follow time-based one-time password (TOTP) guidelines, generating a new code every 30 seconds, with a slight tolerance window allowing for clock discrepancies between users and validators.

Oasis Security’s testing found that Microsoft’s sign-in system permitted codes to remain valid for up to about three minutes, extending the window for attack attempts.

This extended window gives attackers a 3% chance of guessing the code correctly per attempt. After about 24 sessions, they could have over a 50% chance of success, Oasis noted.
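As an added example (not code from Oasis, Microsoft, or this article), the following Python models the two mechanics described above: an RFC 4226/6238 TOTP validator whose accepted-code window is configurable, and a failed-attempt limit keyed either on the account (the hardened form) or on the caller-supplied session id (the pattern Oasis describes, where a fresh session gets a fresh budget of failures). The RFC 4226 test secret, the session ids, the timestamps and the 12-hour lockout are constructed or assumed values, and `cumulative_success` carries a per-try probability through to the over-50% figure quoted in the text. The generalisation beyond the article is the drift window: any width can be tried to see how many distinct codes a single guess can match.

```python
"""TOTP verifier with an account-keyed failure limit. Added example; not
Oasis's or Microsoft's code. Secret is the RFC 4226 test vector; session
ids, timestamps and the lockout period are constructed values."""
import hashlib
import hmac
import struct

DIGITS = 6
STEP_SECONDS = 30
RFC_SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test secret


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, int(now // step))


def accepted_codes(secret: bytes, now: float, window_steps: int) -> set:
    """Distinct codes a validator accepts at `now` when it tolerates
    +/- window_steps of clock drift. A wider window means more codes
    that any single guess can match."""
    counter = int(now // STEP_SECONDS)
    return {hotp(secret, c) for c in range(counter - window_steps, counter + window_steps + 1)}


def cumulative_success(p_per_try: float, tries: int) -> float:
    """Probability that at least one of `tries` independent guesses succeeds."""
    return 1.0 - (1.0 - p_per_try) ** tries


class TotpVerifier:
    """Failure counter keyed on the account (hardened) or on the
    caller-supplied session id (constructed model of the flaw described
    in the article: regenerating the session resets the counter)."""

    def __init__(self, secret, *, window_steps=1, max_fails=10,
                 lockout_seconds=12 * 3600, key_on="account"):
        self.secret = secret
        self.window_steps = window_steps
        self.max_fails = max_fails
        self.lockout_seconds = lockout_seconds  # assumed half-day lockout
        self.key_on = key_on
        self._state = {}  # key -> [fail_count, locked_until]

    def verify(self, account: str, session_id: str, code: str, now: float) -> str:
        key = account if self.key_on == "account" else session_id
        fails, locked_until = self._state.get(key, [0, 0.0])
        if now < locked_until:
            return "locked"
        counter = int(now // STEP_SECONDS)
        for c in range(counter - self.window_steps, counter + self.window_steps + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self._state[key] = [0, 0.0]  # success clears the counter
                return "ok"
        fails += 1
        if fails >= self.max_fails:
            locked_until = now + self.lockout_seconds
        self._state[key] = [fails, locked_until]
        return "fail"


def wrong_guesses_evaluated(verifier, account, fresh_session_each_time, budget, now):
    """Defender's check: how many of `budget` wrong submissions the verifier
    actually evaluates ('fail') instead of refusing ('locked'). A correctly
    keyed limiter caps this at max_fails however many sessions are opened."""
    evaluated = 0
    for i in range(budget):
        sid = f"sess-{i}" if fresh_session_each_time else "sess-0"
        if verifier.verify(account, sid, "123456", now) == "fail":  # constructed wrong code
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    t = 59.0  # RFC 6238 test time: counter 1
    print("TOTP at t=59:", totp(RFC_SECRET, t))
    print("codes accepted with 1-step window:", sorted(accepted_codes(RFC_SECRET, t, 1)))
    print("codes accepted with 6-step window:", len(accepted_codes(RFC_SECRET, t, 6)))
    print("P(success | 3% per try, 24 tries) =", round(cumulative_success(0.03, 24), 3))
    for key_on in ("session", "account"):
        v = TotpVerifier(RFC_SECRET, key_on=key_on)
        print(f"limit keyed on {key_on}: evaluated",
              wrong_guesses_evaluated(v, "alice", True, 30, t), "of 30 wrong codes")
```

Run as a script, the two limiter variants differ only in the key they count against: the session-keyed one evaluates every wrong code submitted across fresh sessions, while the account-keyed one stops at ten regardless of how many sessions are opened, and the correct code is refused until the lockout expires.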

“AuthQuake exposes significant flaws in Microsoft’s MFA implementation, revealing an important fact,” said Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM). “Authentication systems based on shared secrets are inherently vulnerable. This discovery is a wake-up call. Organizations must act to adopt patches and reconsider their reliance on outdated MFA solutions.”

Microsoft quietly fixed the misconfiguration

While AuthQuake is being considered a critical vulnerability by experts, it is unclear whether it was ever assigned an identifier such as a CVE after discovery. There is no entry for the vulnerability in the NIST-managed National Vulnerability Database (NVD).

Microsoft did take the flaw seriously, reportedly fixing it in October. “Microsoft applied their final fix this October,” said Elad Luz, head of research at Oasis Security. “We can confirm their fix addressed the flaws we discussed.” “While specific details of the changes are confidential, we can confirm that Microsoft introduced a much stricter rate limit that kicks in after a number of failed attempts; the strict limit lasts around half a day,” Oasis added in the report.
