Microsoft accounts, including Outlook, OneDrive, Teams, Azure Cloud, and more, had no effective rate limiting on multifactor authentication, so a potential attacker could bypass it simply by guessing authenticator app codes. Even more worrying, according to the Oasis Security report, users received no notification or other indication of trouble.
Microsoft is one of the strongest advocates for using multifactor authentication (MFA), claiming that accounts with MFA are more than 99% less likely to be hijacked.
However, the researchers from Oasis claim that its implementation had a critical flaw, leaving millions of Office 365 accounts vulnerable. This is a major oversight.
If attackers already have an account's password, often a trivial hurdle given how many infostealer logs are sold on the dark web, they could brute-force MFA codes indefinitely.
“The bypass was simple: it took around an hour to execute, required no user interaction, and did not generate any notification or provide the account holder with any indication of trouble,” the report claims.
Microsoft supports a variety of MFA methods, one of which is entering a verification code from an authenticator app.
Researchers found that upon login, users are assigned a session identifier, which allows them to make up to ten successive failed attempts at entering the six-digit code. However, there were no limits on how many new login sessions could be initiated.
Firing off many attempts in parallel would therefore work through the code's one million possible values quickly. The only brake was the code's limited validity period, which made the attack somewhat harder but still relatively easy.
Authenticator apps generate a new code every 30 seconds, but validators typically accept a code for longer than that to tolerate clock drift. The researchers found that a code remained valid for around three minutes, six times longer than a single 30-second window, so an attacker could fit six times as many attempts against each code.
“Given the allowed rate we had a 3% chance of correctly guessing the code within the extended timeframe. A malicious actor would have been likely to proceed and run further sessions until they hit a valid guess,” the researchers said.
For a 50% chance of hitting a valid MFA code, a malicious actor would need to complete 24 such sessions, taking around 70 minutes. The Oasis Security Research team said it encountered no issues or limitations while doing so and successfully executed the method several times.
“During this period, account owners did not receive any alert about the massive number of consequent failed attempts, making this vulnerability and attack technique dangerously low profile.”
The security firm responsibly disclosed the critical flaw to Microsoft on June 24th, 2024, and said that Microsoft deployed a temporary fix on July 4th. Since October 9th, the flaw has been permanently fixed.
Oasis, which sells a management and security platform for non-human identities, now reports that Microsoft introduced a “much stricter rate limit” that kicks in after a number of failed attempts and lasts around half a day.
Microsoft says it has monitoring in place to detect this type of abuse and has seen no evidence that the technique has been used against customers.
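The arithmetic above (10 failures per session, unlimited sessions, a code accepted for about three minutes, 3% per session, roughly two dozen sessions for even odds) and the per-account lockout Microsoft reportedly added afterwards can both be made concrete with a small simulation. The following is an added example written for this article; it is not Oasis Security's tooling and not Microsoft's code. The TOTP routine is standard RFC 6238 (the key is the RFC's test key, not a real account). The acceptance window (current step plus the five previous ones), the 12-hour lockout, and the `HardenedValidator` design are assumptions that model what the report describes, not Microsoft's actual implementation.

```python
import hashlib
import hmac
import math
import struct

STEP_SECONDS = 30   # authenticator apps rotate the code every 30 s
DIGITS = 6          # 10**6 possible codes


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits), as authenticator apps compute it."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** DIGITS:0{DIGITS}d}"


class VulnerableValidator:
    """Models the design the report describes: 10 failures per session, no limit on new
    sessions, and a code accepted for ~3 minutes (assumed: current step plus 5 previous)."""
    MAX_FAILS_PER_SESSION = 10
    ACCEPTED_STEPS = range(-5, 1)   # six 30 s windows = 3 minutes

    def __init__(self, secret: bytes):
        self.secret = secret
        self.fails_by_session = {}

    def new_session(self) -> int:
        sid = len(self.fails_by_session)
        self.fails_by_session[sid] = 0
        return sid

    def _matches(self, code: str, now: int) -> bool:
        return any(hmac.compare_digest(totp(self.secret, now + d * STEP_SECONDS), code)
                   for d in self.ACCEPTED_STEPS)

    def verify(self, sid: int, code: str, now: int) -> str:
        if self.fails_by_session[sid] >= self.MAX_FAILS_PER_SESSION:
            return "refused"        # per-session cap only; a fresh session resets it
        if self._matches(code, now):
            return "ok"
        self.fails_by_session[sid] += 1
        return "wrong"


class HardenedValidator(VulnerableValidator):
    """Assumed fix: count failures per account across all sessions, lock the account
    for 12 h once the cap is hit, and narrow the window to current + previous step."""
    MAX_FAILS_PER_ACCOUNT = 10
    LOCKOUT_SECONDS = 12 * 3600
    ACCEPTED_STEPS = range(-1, 1)

    def __init__(self, secret: bytes):
        super().__init__(secret)
        self.account_fails = 0
        self.locked_until = 0

    def verify(self, sid: int, code: str, now: int) -> str:
        if now < self.locked_until:
            return "refused"        # nothing is evaluated while locked, whatever the session
        if self._matches(code, now):
            self.account_fails = 0
            return "ok"
        self.account_fails += 1
        if self.account_fails >= self.MAX_FAILS_PER_ACCOUNT:
            self.locked_until = now + self.LOCKOUT_SECONDS
        return "wrong"


def brute_force(validator, guesses, now: int):
    """Attacker submits guesses, opening a fresh session whenever one is refused, and
    gives up if a fresh session is refused too. Returns (found, evaluated, sessions)."""
    sid = validator.new_session()
    sessions, evaluated = 1, 0
    for guess in guesses:
        status = validator.verify(sid, guess, now)
        if status == "refused":
            sid = validator.new_session()
            sessions += 1
            status = validator.verify(sid, guess, now)
            if status == "refused":
                return False, evaluated, sessions
        evaluated += 1
        if status == "ok":
            return True, evaluated, sessions
    return False, evaluated, sessions


def per_session_prob(attempts: int) -> float:
    """Chance one session hits the code when `attempts` guesses fit in the window."""
    return attempts / 10 ** DIGITS


def success_prob(sessions: int, p: float) -> float:
    return 1 - (1 - p) ** sessions


def sessions_for(target: float, p: float) -> int:
    return math.ceil(math.log(1 - target) / math.log(1 - p))


SECRET = b"12345678901234567890"   # RFC 6238 test key (constructed, not a real account)
NOW = 1_700_000_000


def demo():
    """Constructed guess list: the correct code lands on the 56th guess."""
    real = totp(SECRET, NOW)
    accepted = {totp(SECRET, NOW + d * STEP_SECONDS) for d in range(-5, 1)}
    wrong = [c for c in (f"{i:06d}" for i in range(100)) if c not in accepted][:59]
    guesses = wrong[:55] + [real] + wrong[55:]
    return {"vulnerable": brute_force(VulnerableValidator(SECRET), guesses, NOW),
            "hardened": brute_force(HardenedValidator(SECRET), guesses, NOW)}


if __name__ == "__main__":
    print(demo())
    print(per_session_prob(30_000), sessions_for(0.5, 0.03), success_prob(24, 0.03))
```

Against the vulnerable design the attacker simply opens a sixth session and gets through; the hardened one stops evaluating after ten failures regardless of how many sessions are opened. A session that fits 30,000 guesses into the three-minute window gives the 3% per-session chance the report cites; with exactly 3%, 23 sessions cross the 50% mark and 24 land at about 52%, in line with the report's figure.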
“We appreciate the partnership with Oasis security in responsibly disclosing this issue. We have already released an update and no customer action is required,” a Microsoft spokesperson said.
Enabling MFA remains a critical cybersecurity best practice; authenticator apps and, better still, phishing-resistant passwordless methods are still worth using.
Updated on December 13th [07:30 a.m. GMT] with a statement from Microsoft