- Researchers say that reaching a 50 per cent chance of success would take approximately 24 three-minute rounds of code guessing, or about 70 minutes in total.
- The crux of the vulnerability lies in the lack of rate limiting on MFA attempts across login sessions.
- The lack of notification renders the vulnerability particularly insidious, as it allows for prolonged and undetected exploitation.
Microsoft, a leading proponent of multifactor authentication (MFA), has long championed its effectiveness in safeguarding user accounts. The company asserts that accounts utilising MFA are over 99 per cent less likely to be compromised.
However, a recent report by Oasis Security has unveiled a significant vulnerability within Microsoft’s MFA implementation, particularly affecting services such as Outlook, OneDrive, Teams, and Azure Cloud.
The oversight raises serious concerns about the security of millions of Office 365 accounts and highlights the need for continuous vigilance in cybersecurity practices.
Microsoft has more than 400 million paid Office 365 users, making the consequences of this vulnerability far-reaching.
The crux of the vulnerability lies in the lack of rate limiting associated with MFA attempts. Researchers from Oasis discovered that once a user initiates a login session, they are granted a session identifier that permits up to ten consecutive failed attempts to enter the six-digit MFA code.
No restrictions
Alarmingly, there are no restrictions on the number of new login sessions that can be initiated. Because the failure budget is attached to the session rather than to the account, an attacker who exhausts ten attempts can simply open a fresh session and continue. This loophole allows what is known as “MFA code spraying,” in which attackers repeatedly guess authentication codes without triggering any alerts or notifications for the account holder.
According to the report, the attack is alarmingly straightforward. An attacker with access to a user’s password—often obtained from infostealer logs available on the dark web—can exploit this vulnerability to make an extensive number of attempts at guessing the MFA code.
The researchers also noted that the window during which a given code was accepted was roughly three minutes, rather than the thirty-second interval at which new codes are generated. A code therefore remained guessable for about six times longer than expected, giving an attacker far more attempts before the target code expired.
The extended timeframe significantly increases the likelihood of a successful attack: within a single three-minute window, the researchers estimated roughly a three per cent chance of hitting a valid code.
Moreover, the researchers found that reaching a 50 per cent probability of success would require only about 24 such three-minute rounds of guessing, roughly 70 minutes in total, since 1 − 0.97^24 ≈ 0.52. Throughout this process the account holder remained oblivious to the thousands of failed attempts, as no alerts were triggered.
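The figures above can be reproduced with a small probability model. The Python below is an added worked example for this article, not code from Oasis Security or Microsoft. The article supplies only the headline numbers (six-digit codes, ten attempts per session, a roughly three-minute acceptance window, about a three per cent chance per window, about 24 windows for a 50 per cent chance); the 30-second TOTP step, the assumption that the server accepts every code generated within the window, and the assumption that an attacker never repeats a guess within a window are modelling assumptions. Because the article's three per cent is rounded, the model lands on 23 windows for a 50 per cent chance, consistent with "approximately 24".

```python
"""Success-probability model for MFA code spraying.

Added illustration for the article; not Oasis Security's or Microsoft's code.
The code space, the 30-second TOTP step, the "every code generated inside the
window is accepted" rule and the no-repeated-guess rule are assumptions.
"""
import math

CODE_SPACE = 10**6      # six-digit numeric codes (assumption: no other format)
TOTP_STEP_SECONDS = 30  # standard TOTP time step (RFC 6238)


def valid_codes(window_seconds, step_seconds=TOTP_STEP_SECONDS):
    """Number of distinct codes accepted at one instant when the verifier
    honours a validity window of window_seconds (assumed: ceil(window / step))."""
    return math.ceil(window_seconds / step_seconds)


def window_success_probability(attempts, valid, space=CODE_SPACE):
    """Probability that `attempts` distinct guesses hit at least one of `valid`
    simultaneously accepted codes out of `space`. The miss probability is the
    hypergeometric product prod_{i<valid} (space - attempts - i) / (space - i)."""
    miss = 1.0
    for i in range(valid):
        miss *= (space - attempts - i) / (space - i)
    return 1.0 - miss


def attempts_for_window_probability(target, valid, space=CODE_SPACE):
    """Smallest number of distinct guesses in one window that reaches `target`
    (binary search over the monotone success probability)."""
    lo, hi = 0, space
    while lo < hi:
        mid = (lo + hi) // 2
        if window_success_probability(mid, valid, space) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


def cumulative_success(per_window, windows):
    """Probability of at least one hit after `windows` independent windows."""
    return 1.0 - (1.0 - per_window) ** windows


def windows_for_success(per_window, target):
    """Fewest independent windows needed for the overall chance to reach `target`."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - per_window))


if __name__ == "__main__":
    k = valid_codes(180)                      # ~3-minute window from the article
    a = attempts_for_window_probability(0.03, k)
    print(f"{k} codes valid at once; ~{a} distinct guesses "
          f"(~{a // 10} ten-attempt sessions) per window reach 3%")
    print(f"windows for a 50% chance at 3% each: {windows_for_success(0.03, 0.5)}; "
          f"chance after 24 windows: {cumulative_success(0.03, 24):.1%}")
```

The per-window figure shows why unlimited sessions matter: with ten guesses per session, several hundred fresh sessions have to be opened inside each window to get the three per cent the researchers reported, which is only possible because nothing ties those sessions back to the account.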
A critical component
The lack of notification renders the vulnerability particularly insidious, as it allows for prolonged and undetected exploitation.
In response to the responsible disclosure by Oasis Security on June 24, 2024, Microsoft implemented a temporary fix shortly thereafter, and a permanent solution was established by October 9, 2024.
The updated security measures now include much stricter rate limiting that locks out further attempts after a set number of failures, effectively mitigating the risk of such attacks.
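As an added illustration (not Microsoft's, Oasis Security's or the article's own code), the Python model below contrasts a verifier that keeps the ten-failure budget on the login session, as described above, with one that counts failures per account across sessions, locks the account and records an alert. The account name, the fixed code `004242`, the lockout threshold of ten and the sequential guessing strategy are assumptions chosen to make the difference visible; a real attacker would spread guesses over many concurrent sessions, but the bypass is the same.

```python
"""Per-session versus per-account MFA failure counting.

Added illustration for the article; not Microsoft's or Oasis Security's code.
Verifier classes, thresholds, the account name and the secret code are assumed.
"""
import itertools
import secrets


class PerSessionVerifier:
    """Vulnerable model: the failure budget lives on the login session, so every
    new session starts with a fresh budget and no per-account state exists."""
    MAX_FAILURES = 10  # per-session budget, as described in the article

    def __init__(self, account_codes):
        self._codes = account_codes          # account -> currently valid code
        self._sessions = {}                  # session id -> [account, failures]
        self._next_session = itertools.count(1)

    def start_session(self, account):
        sid = next(self._next_session)       # no limit on how many are opened
        self._sessions[sid] = [account, 0]
        return sid

    def verify(self, sid, code):
        """Return 'ok', 'wrong' or 'session_exhausted'."""
        account, failures = self._sessions[sid]
        if failures >= self.MAX_FAILURES:
            return "session_exhausted"
        if secrets.compare_digest(code, self._codes[account]):
            return "ok"
        self._sessions[sid][1] += 1
        return "wrong"

    def alerts(self):
        return []                            # nothing ever notifies the user


class PerAccountVerifier(PerSessionVerifier):
    """Hardened model: failures are counted per account across all sessions;
    the account locks at MAX_ACCOUNT_FAILURES and an alert is recorded."""
    MAX_ACCOUNT_FAILURES = 10  # assumed lockout threshold

    def __init__(self, account_codes):
        super().__init__(account_codes)
        self._account_failures = {}
        self._alerts = []

    def verify(self, sid, code):
        account = self._sessions[sid][0]
        if self._account_failures.get(account, 0) >= self.MAX_ACCOUNT_FAILURES:
            return "locked"
        result = super().verify(sid, code)
        if result == "wrong":
            n = self._account_failures.get(account, 0) + 1
            self._account_failures[account] = n
            if n >= self.MAX_ACCOUNT_FAILURES:
                self._alerts.append(f"{account}: locked after {n} failed MFA codes")
        return result

    def alerts(self):
        return list(self._alerts)


def spray(verifier, account, max_codes=10**6):
    """Guess six-digit codes in order, opening a new session whenever the current
    one stops accepting attempts. Returns (found, attempts_made, sessions_used)."""
    sid = verifier.start_session(account)
    sessions, attempts = 1, 0
    for n in range(max_codes):
        code = f"{n:06d}"
        result = verifier.verify(sid, code)
        if result == "session_exhausted":    # the bypass: just start over
            sid = verifier.start_session(account)
            sessions += 1
            result = verifier.verify(sid, code)
        if result == "locked":
            return False, attempts, sessions
        attempts += 1
        if result == "ok":
            return True, attempts, sessions
    return False, attempts, sessions


if __name__ == "__main__":
    codes = {"alice@example.com": "004242"}  # constructed account and code
    for cls in (PerSessionVerifier, PerAccountVerifier):
        v = cls(codes)
        print(cls.__name__, spray(v, "alice@example.com"), v.alerts())
```

Against the per-session verifier the sequential sweep walks through 425 sessions and lands on the code without a single alert; against the per-account verifier the tenth failure locks the account and raises an alert, whichever session it arrived on.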
While the implementation of MFA remains a critical component of cybersecurity best practices, this incident underscores the importance of robust security measures and the necessity for continuous improvement. Users must remain vigilant and adopt stronger authentication methods, including passwordless solutions, to enhance their account security.