do son, securityonline.info
Security researchers at Oasis Security have uncovered a critical vulnerability in Microsoft's Azure Multi-Factor Authentication (MFA) system. The flaw allowed attackers to bypass MFA and gain unauthorized access to user accounts across various Microsoft services, including Outlook emails, OneDrive files, Teams chats, and Azure Cloud resources. The bypass exploited two weaknesses: a lack of rate limiting on authentication attempts, and a larger-than-expected window of time during which a single MFA code remains valid. The attack could be executed relatively quickly (about an hour), required no user interaction and, crucially, triggered no notification to alert the account holder.

The vulnerability stems from the way Microsoft handled MFA verification codes. By rapidly creating new sessions and submitting guesses across them, attackers could work through the entire space of possible six-digit codes. Although a code is nominally valid for the standard 30 seconds, Microsoft accepted it for a window of about three minutes, which multiplied the number of guesses that could be made against each code. Despite the many failed attempts, no alerts were sent to the account owners, making the attack difficult to detect. Oasis Security reported the vulnerability to Microsoft and collaborated with them to resolve it. The full report detailing the vulnerability, its resolution and lessons learned is available from the Oasis Security research team.
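The two weaknesses described above (no effective rate limit, and a code accepted for far longer than its 30-second step) map directly onto two server-side controls. The following Python is an added example written for this page, not code from Oasis Security or Microsoft: a standard RFC 6238 TOTP verifier whose failure budget is keyed on the account rather than the session (so opening fresh sessions does not reset it), whose validity window is limited to one step of drift either side, and which emits an alert for the account owner when the budget is exhausted. The policy constants, the account names and the `simulate_guessing` attacker model are constructed for illustration; the secret is the published RFC 4226/6238 test vector.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

# Policy constants (constructed for this example; not Microsoft's actual values)
STEP_SECONDS = 30          # TOTP time step (RFC 6238 default)
DIGITS = 6
ALLOWED_DRIFT_STEPS = 1    # accept previous, current and next step: a 90 s window, not 3 minutes
MAX_FAILURES = 10          # failed codes tolerated per account, counted across all sessions
LOCKOUT_SECONDS = 300


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(at // step))


class MfaVerifier:
    """Verifies TOTP codes with a per-account failure budget and a narrow validity window."""

    def __init__(self) -> None:
        self.failures = defaultdict(int)   # account -> consecutive failed codes
        self.locked_until = {}             # account -> unix time when the lockout ends
        self.alerts = []                   # (account, message) pairs for a user/SOC notifier

    def verify(self, account: str, secret: bytes, submitted: str, now: float, session_id: str) -> str:
        """Return 'ok', 'invalid' or 'locked'.

        session_id is kept only for logging: throttling keyed on the session is
        exactly what a brute-forcer defeats by opening a fresh session per guess,
        so the budget here is keyed on the account.
        """
        if self.locked_until.get(account, 0) > now:
            return "locked"
        current_step = int(now // STEP_SECONDS)
        candidates = [hotp(secret, current_step + d)
                      for d in range(-ALLOWED_DRIFT_STEPS, ALLOWED_DRIFT_STEPS + 1)]
        # compare_digest keeps each comparison timing-independent of how many digits match
        matched = any(hmac.compare_digest(submitted, c) for c in candidates)
        if matched:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
            self.alerts.append((account, f"{MAX_FAILURES} failed MFA codes (last session {session_id}); "
                                         f"locked for {LOCKOUT_SECONDS}s, notify account owner"))
        return "invalid"


def simulate_guessing(verifier: MfaVerifier, account: str, secret: bytes, now: float, guesses: int) -> int:
    """Constructed attacker model for testing the policy: every guess arrives in a fresh
    session. Returns how many guesses the verifier actually evaluated before locking."""
    evaluated = 0
    for i in range(guesses):
        result = verifier.verify(account, secret, str(i).zfill(DIGITS), now, session_id=f"s{i}")
        if result == "locked":
            break
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226/6238 test secret, not a real credential
    v = MfaVerifier()
    print("current code:", totp(secret, 59))
    print("guesses evaluated before lockout:", simulate_guessing(v, "alice", secret, 59, 10 ** DIGITS))
    print("alerts:", v.alerts)
```

With these settings an attacker who rotates sessions still gets only `MAX_FAILURES` guesses per lockout period against an account, and each guess can only hit one of three codes rather than the six-plus that a three-minute window would admit; the `alerts` list is where the missing owner notification would be wired in.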


References:
  • Oasis: Oasis reported a vulnerability in Microsoft's Multi-Factor Authentication (MFA) implementation that allows attackers to bypass it and gain unauthorized access to the user's account (including Outlook emails, OneDrive files, Teams chats, Azure Cloud, etc.). No CVE ID is indicated. See the 9-page report.
  • heise online English: Microsoft Azure MFA protection could be leveraged. Attackers were able to bypass multi-factor authentication in Microsoft's Azure and gain unauthorized access.
  • www.heise.de: Microsoft Azure MFA protection could be leveraged
  • www.oasis.security: Oasis Security Research Team Discovers Microsoft Azure MFA Bypass
  • The Hacker News: Iran-Linked IOCONTROL Malware Targets SCADA and Linux-Based IoT Platforms
  • securityonline.info: Critical Microsoft Azure MFA Bypass Exposed: What You Need to Know
Classification:
  • HashTags: #MicrosoftMFA #AzureSecurity #AuthenticationBypass
  • Company: Microsoft
  • Target: Microsoft Users
  • Attacker: Oasis
  • Product: Azure MFA
  • Feature: MFA Bypass
  • Type: Vulnerability
  • Severity: Major