Oasis Security Research Team Uncovers Critical Microsoft Azure MFA Vulnerability


In a significant development for the cybersecurity community, the Oasis Security Research Team has discovered a critical vulnerability in Microsoft’s Multi-Factor Authentication (MFA) implementation. This flaw, which allows attackers to bypass MFA protections, poses a severe threat to the security of user accounts, including access to Outlook emails, OneDrive files, Teams chats, and Azure Cloud resources. With over 400 million paid Office 365 seats, the implications of this vulnerability are far-reaching.

The vulnerability, dubbed “AuthQuake,” was identified by the Oasis Security Research Team and reported to Microsoft. The flaw was found to be relatively simple to exploit, requiring no user interaction and leaving no trace for the account holder. The attack method involved rapidly creating new sessions and enumerating codes, exploiting a lack of rate limiting and an extended validity window for time-based one-time passwords (TOTP).

The Vulnerability

When users log in, they are assigned a session identifier. After entering a valid email and password, they must verify their identity using an MFA method, such as a verification code from an authenticator application. The attack exploited two main issues:

  1. Lack of Rate Limiting: Attackers could create multiple sessions and attempt numerous code guesses simultaneously, quickly exhausting all possible 6-digit code combinations.
  2. Extended Code Validity: TOTP codes remained valid for approximately 3 minutes, significantly longer than the standard 30 seconds, increasing the window of opportunity for attackers.

These weaknesses allowed attackers to potentially breach MFA defenses within 70 minutes, achieving a success rate exceeding 50%. The exploit required no user interaction and generated no alerts, leaving account holders unaware of the ongoing attack.

Attack Method

The bypass technique involved initiating multiple sessions using the same parameters. By rapidly creating new sessions and enumerating codes, attackers could attempt combinations at a high rate. The extended 3-minute validity window for codes increased the chances of a successful guess. The Oasis Security Research Team successfully demonstrated this method several times.

Resolution

Upon notification by Oasis Security, Microsoft took swift action:

  • June 24, 2024: Microsoft acknowledged the issue.
  • July 4, 2024: A temporary fix was deployed.
  • October 9, 2024: A permanent solution was implemented.

The permanent fix involved introducing stricter rate-limiting mechanisms that activate after a number of failed attempts, lasting for approximately half a day. While this specific vulnerability has been addressed, the incident highlights the importance of robust MFA implementations.
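As an added illustration (not code from Oasis Security or Microsoft), the following Python sketch puts the two weaknesses and the fix side by side: a TOTP verifier whose acceptance window is widened from 30 seconds to 3 minutes accepts six codes at once, a helper turns that into attacker odds for a given number of guesses, and a failure budget keyed by account rather than by session imposes a roughly half-day lockout like the permanent fix described above. The RFC 4226 test secret, the `MfaVerifier` class, the function names and the lockout parameters are assumptions of this example.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

DIGITS = 6
STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def accepted_codes(secret: bytes, now: int, validity_seconds: int) -> set:
    """Codes a verifier accepts if it honours any code generated within the last
    validity_seconds: 30 s gives one code, the ~3 minutes described above gives six."""
    steps_back = max(1, validity_seconds // STEP)
    current = now // STEP
    return {hotp(secret, c) for c in range(current - steps_back + 1, current + 1)}

def guess_success_probability(simultaneously_valid: int, attempts: int) -> float:
    """Chance that `attempts` random 6-digit guesses hit one of the
    simultaneously_valid accepted codes (each guess succeeds with k / 10^6)."""
    return 1.0 - (1.0 - simultaneously_valid / 10 ** DIGITS) ** attempts

class MfaVerifier:
    """TOTP check behind a failure budget keyed by account rather than by session,
    so opening fresh sessions cannot reset it (hypothetical design, not Microsoft's)."""
    def __init__(self, secret: bytes, validity_seconds=30, max_failures=10, lockout_seconds=43200):
        self.secret, self.validity_seconds = secret, validity_seconds
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds  # ~half a day
        self.failures = defaultdict(int)
        self.locked_until = {}

    def verify(self, account: str, code: str, now: int) -> str:
        if self.locked_until.get(account, 0) > now:
            return "locked"  # refused during lockout even if the code is right
        valid = accepted_codes(self.secret, now, self.validity_seconds)
        if code.isascii() and any(hmac.compare_digest(code, c) for c in valid):
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures.pop(account, None)
            return "locked"
        return "denied"
```

With six codes valid at once, roughly 120,000 guesses already give better than even odds, which is why the per-account budget, not the code length, is what stops the enumeration.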

10 Tips to Avoid Such Threats in the Future

  1. Implement Stricter Rate Limiting: Enforce limits on failed authentication attempts to prevent brute-force attacks.
  2. Monitor Failed MFA Attempts: Set up alerts for repeated second-factor authentication failures to detect suspicious activity.
  3. Regular Security Audits: Continuously review and update security configurations to identify and resolve vulnerabilities.
  4. User Education: Conduct regular training to help employees understand the importance of MFA and how to use it effectively.
  5. Use Stronger MFA Methods: Prefer passwordless methods or hardware tokens over traditional TOTP codes.
  6. Enable Account Lockout Policies: Temporarily lock accounts after a certain number of failed login attempts.
  7. Implement Anomaly Detection: Use machine learning to detect unusual login patterns and flag potential attacks.
  8. Regularly Update MFA Systems: Ensure that MFA systems are up-to-date with the latest security patches and improvements.
  9. Use Multi-Layered Security: Combine MFA with other security measures such as IP whitelisting and device recognition.
  10. Stay Informed: Keep abreast of the latest cybersecurity threats and best practices to ensure your defenses are always up to date.

Conclusion

The discovery of the AuthQuake vulnerability by the Oasis Security Research Team underscores the critical importance of robust MFA implementations and continuous vigilance in cybersecurity. While Microsoft has addressed this specific flaw, organizations must remain proactive in securing their systems against evolving threats.
