Cracking the Code: Researchers Expose Critical Flaw in Microsoft’s MFA System

December 13, 2024 | Cybersecurity
By Ashwani Mishra, Editor-Technology, 63SATS

For years, Microsoft has touted multifactor authentication (MFA) as a near-bulletproof shield against account hijacking, claiming it reduces the risk of compromise by over 99%.

But recent research from Oasis Security has shattered this perception, uncovering a critical flaw in Microsoft’s MFA implementation.

This vulnerability put millions of Office 365 accounts—including access to Outlook, OneDrive, Teams, and Azure—at serious risk.

What’s alarming? The attack required no user interaction, took just about an hour, and left no trace for account holders. It was a stealthy yet potent method that exposed a glaring oversight in Microsoft’s system design.

How Attackers Exploited the Flaw

At the heart of the issue was the way Microsoft assigned session identifiers during the login process.

Users entering valid credentials would be prompted to provide a six-digit code from an authenticator app. Attackers could make up to 10 failed attempts per session, but there were no restrictions on how many new sessions could be initiated. By rapidly creating sessions and enumerating codes, attackers could execute a high volume of simultaneous attempts to guess the code.

Authenticator app codes, based on the TOTP standard, typically change every 30 seconds. However, Microsoft’s implementation allowed codes to remain valid for up to three minutes—six times longer than the standard 30-second window. This extended timeframe increased the chances of guessing a valid code, allowing attackers to achieve a 50% success rate after just 24 login sessions, or about 70 minutes of effort.

The lack of rate limiting or alerts during these massive guessing attempts made the attack almost undetectable to users. The vulnerability was especially concerning as attackers could easily obtain passwords from dark web marketplaces, enabling them to focus solely on bypassing MFA protections.

A Race Against Time: Fixing the Flaw

Oasis Security responsibly disclosed the vulnerability to Microsoft on June 24, 2024. By July 4, Microsoft had deployed a temporary fix, and by October 9, the issue was permanently resolved. The fix included implementing stricter rate limits that activate after multiple failed attempts, with the lockout period lasting for about half a day.
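To make the two weaknesses described above and the shape of the remedy concrete, here is an added example (written for this article, not code from Microsoft or Oasis Security): a hypothetical TOTP verifier that keeps the validity window at one 30-second step of skew rather than three minutes, and counts failures per account rather than per session, locking the account for about half a day after ten failures. The secret, account name and thresholds are assumptions.

```python
import hashlib
import hmac
import struct

TOTP_STEP = 30               # seconds per code, the RFC 6238 default the article cites
MAX_FAILS = 10               # failures tolerated per ACCOUNT (the flaw counted per session)
LOCKOUT_SECONDS = 12 * 3600  # "about half a day", as the article describes the fix

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Hypothetical verifier: tight validity window plus account-scoped lockout."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps        # 1 => at most 3 codes valid (~90 s), not 3 minutes
        self.state = {}                     # account -> (fail_count, locked_until)

    def valid_codes(self, now: float) -> list:
        """Codes accepted at time `now`: the current step plus skew_steps on either side."""
        step = int(now // TOTP_STEP)
        return [hotp(self.secret, step + d)
                for d in range(-self.skew_steps, self.skew_steps + 1)]

    def verify(self, account: str, code: str, now: float) -> str:
        fails, locked_until = self.state.get(account, (0, 0.0))
        if now < locked_until:
            return "locked"                 # refuse even a correct code while locked
        if locked_until:
            fails = 0                       # lockout has expired: start a fresh count
        # Constant-time comparison against every code in the window.
        if any(hmac.compare_digest(code, c) for c in self.valid_codes(now)):
            self.state[account] = (0, 0.0)
            return "ok"
        fails += 1                          # per account: opening a new session does not reset it
        if fails >= MAX_FAILS:
            self.state[account] = (fails, now + LOCKOUT_SECONDS)
            return "locked"
        self.state[account] = (fails, 0.0)
        return "bad"
```

With the default skew, only three six-digit codes are valid at any moment, and the tenth wrong guess against an account locks it regardless of how many sessions the guesses arrived through.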

Oasis researchers praised the swift action but emphasized the need for continuous vigilance. They noted that this flaw underscored how even industry-leading security measures could harbour critical weaknesses, especially as attackers evolve their methods to exploit overlooked vulnerabilities.

Looking Ahead

The Microsoft MFA vulnerability highlights the dynamic nature of cybersecurity threats. With over 400 million paid Office 365 users worldwide, the potential consequences of such a flaw are immense. The incident underscores the need for proactive security measures and the value of independent research in uncovering vulnerabilities before they are exploited at scale.

As Oasis Security aptly demonstrated, responsible disclosure and rapid response are critical in safeguarding the digital ecosystem. While Microsoft’s quick action mitigated the immediate risk, this incident serves as a wake-up call: cybersecurity is a moving target, and constant innovation is required to stay ahead of bad actors.

Key Takeaways:

The Flaw: Attackers bypassed Microsoft’s MFA by guessing six-digit codes through rapid session creation.

Impact: Millions of Office 365 accounts were vulnerable, including access to critical services like Outlook and Azure.

Resolution: Microsoft deployed a fix within three months, introducing stricter rate limits.

Actionable Insight: MFA is essential but not infallible; layered security and user vigilance remain critical.