Introduction

A significant security vulnerability [2], termed “AuthQuake,” has been identified in Microsoft Azure’s Multi-Factor Authentication (MFA) system. This flaw has potentially exposed over 400 million Microsoft 365 accounts to unauthorized access [8], highlighting critical weaknesses in the system’s security measures.

Description

A critical vulnerability in Microsoft Azure’s Multi-Factor Authentication (MFA) system [1] [3] [4] [6] [8], identified as “AuthQuake,” has exposed over 400 million Microsoft 365 accounts to unauthorized access. Discovered by researchers at Oasis Security [4], the flaw allows cybercriminals to bypass MFA protections and gain access to major Microsoft cloud services, including Outlook [1] [4] [8], OneDrive [1] [3] [4] [5] [6] [7] [8], Teams [1] [3] [4] [5] [6] [8], and Azure Cloud [1] [3] [6] [8], without any user interaction and without generating notifications [2]. Exploitation is straightforward and requires minimal effort: attackers can breach MFA defenses within approximately one hour, with a success rate exceeding 50% after up to 70 minutes of attempts.

The vulnerability arises from weaknesses in the time-based one-time password (TOTP) system used in MFA [6]. Upon user login [1], a session identifier is assigned, and the user is then asked to verify their identity with a six-digit code from an authenticator app [1]. The implementation lacks adequate rate limiting, allowing unlimited brute-force attempts without alerts [2]: attackers can make up to 10 consecutive failed attempts per session, and the validity of a six-digit code is extended to approximately three minutes, significantly longer than the standard 30 seconds [3]. This wide time tolerance increases the likelihood of a successful attack, since sessions can be initiated rapidly and brute-force attempts made without the account holder being alerted to the many failed attempts. Attackers can issue multiple requests simultaneously using the same session parameters [5], effectively exhausting all one million possible six-digit codes [5], which gives them a 3% chance of guessing the code correctly per attempt.

Microsoft acknowledged the issue on June 24, 2024 [8], and promptly implemented a temporary fix on July 4, 2024. A permanent solution [3] [6] [8], which introduced stricter rate-limiting mechanisms that activate after several failed login attempts and last for approximately half a day [8], was established by October 9, 2024 [6]. While the specific details of the fix remain confidential [5], it is confirmed that the changes addressed the vulnerabilities identified by security experts [5].
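The two weaknesses described above, a code validity window of several time steps and a failure counter tied to the session rather than the account, can be reproduced in a small TOTP verifier, beside a hardened configuration modelled on the fix (tight window, per-account lockout of roughly half a day). This is an added Python example, not code from the page, from Oasis Security or from Microsoft; the secret, account name, timestamps, the MfaVerifier and demo names, and the hardened thresholds (one-step window, lockout after five failures) are constructed assumptions for illustration.

```python
import hashlib, hmac, struct
STEP = 30  # RFC 6238 time step in seconds

def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the counter floor(t / STEP)."""
    mac = hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def code_is_valid(secret: bytes, code: str, now: int, window_steps: int) -> bool:
    """Match any step within +/- window_steps: 1 covers clock drift, 6 is about 3 minutes."""
    return any(hmac.compare_digest(totp(secret, now + k * STEP), code)
               for k in range(-window_steps, window_steps + 1))

class MfaVerifier:  # failures counted per session id (weak) or per account with lockout (hardened)
    def __init__(self, secret, window_steps, max_failures, lockout_seconds, per_session):
        self.secret, self.window_steps, self.per_session = secret, window_steps, per_session
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.failures, self.locked_until = {}, {}  # key -> consecutive fails; account -> lock end
    def attempt(self, account, session, code, now):
        if self.locked_until.get(account, 0) > now:
            return "locked"
        key = (account, session) if self.per_session else account
        if self.per_session and self.failures.get(key, 0) >= self.max_failures:
            return "session_exhausted"  # but a fresh session id starts again at zero
        if code_is_valid(self.secret, code, now, self.window_steps):
            self.failures[key] = 0
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        if not self.per_session and self.failures[key] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[key] = 0
        return "bad"

def demo():
    secret, now = b"constructed-demo-secret", 1_700_000_000  # constructed values, not a real key
    weak = MfaVerifier(secret, 6, 10, 0, per_session=True)       # ~3-minute window, per-session counter
    hard = MfaVerifier(secret, 1, 5, 43_200, per_session=False)  # +/-30s window, ~12h account lockout
    wrong = next(c for c in ("000000", "111111") if not code_is_valid(secret, c, now, 6))
    out = {"weak_stale": weak.attempt("alice", "s1", totp(secret, now - 150), now),  # 2.5 min old
           "hard_stale": hard.attempt("alice", "s1", totp(secret, now - 150), now)}
    for i in range(10):
        weak.attempt("alice", "s2", wrong, now)
        hard.attempt("alice", f"s{i}", wrong, now)  # per-account counter ignores the session id
    out["weak_after_10"] = weak.attempt("alice", "s2", wrong, now)
    out["weak_new_session"] = weak.attempt("alice", "s3", wrong, now)
    out["hard_locked"] = hard.attempt("alice", "s99", totp(secret, now), now)
    return out
```

In the weak configuration a code from two and a half minutes ago is still accepted and the ten-attempt budget resets with each new session; in the hardened one the stale code is rejected and the account locks after five failures across any sessions, even for a correct code.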

This incident underscores the ongoing need for robust MFA implementations. Security experts continue to advocate for the use of MFA [8], particularly with authenticator apps or stronger passwordless methods [1] [4] [8]. Organizations are advised to review their MFA implementations [7]; MFA is not infallible [7], but it offers significantly better security than traditional username and password systems [7]. Users are also encouraged to monitor for leaked credentials [1], change passwords regularly [1], and set up mail alerts for failed MFA attempts [1]. Monitoring specifically for failed second-factor codes can help identify unauthorized access attempts more effectively [1]. Vigilant monitoring and robust MFA practices remain essential to protecting user accounts.

Conclusion

The “AuthQuake” vulnerability in Microsoft Azure’s MFA system has highlighted significant security challenges and the necessity for continuous improvement in authentication methods. While Microsoft has addressed the immediate threat with temporary and permanent fixes, the incident serves as a reminder of the evolving nature of cybersecurity threats. Organizations must remain vigilant, regularly updating and reviewing their security protocols to safeguard against potential breaches. The adoption of advanced MFA solutions and proactive monitoring practices is essential to enhance security and protect user accounts from unauthorized access in the future.

References

[1] https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass
[2] https://osintcorp.net/microsoft-mfa-authquake-flaw-enabled-unlimited-brute-force-attempts-without-alerts/
[3] https://osintcorp.net/microsoft-azure-mfa-flaw-allowed-easy-access-bypass/
[4] https://www.darkreading.com/cyberattacks-data-breaches/researchers-crack-microsoft-azure-mfa-hour
[5] https://www.csoonline.com/article/3622369/microsoft-secretly-stopped-actors-from-snooping-on-your-mfa-codes.html
[6] https://www.infosecurity-magazine.com/news/microsoft-azure-mfa-flaw-access/
[7] https://securityboulevard.com/2024/12/oasis-security-details-mfa-security-flaw-found-in-microsoft-cloud-services/
[8] https://cybersecuritynews.com/microsoft-azure-mfa-vulnerability/