Oasis Security's research team has uncovered and helped resolve a significant vulnerability in Microsoft's Multi-Factor Authentication (MFA) system that could have affected over 400 million Office 365 users.
The security flaw, dubbed "AuthQuake," allowed attackers to bypass MFA protections and gain unauthorized access to user accounts, including sensitive data in Outlook, OneDrive, Teams, and Azure Cloud services.
The vulnerability, discovered in June 2024, exploited a weakness in Microsoft's MFA implementation that lacked proper rate limiting for authentication attempts.
The research team found that attackers could create multiple authentication sessions simultaneously and systematically attempt to guess the 6-digit verification codes used for MFA.
What made this vulnerability particularly concerning was its simplicity and stealth. The exploit could be executed in approximately 70 minutes, required no user interaction, and generated no notifications to alert account holders of the unauthorized attempts.
The research team demonstrated that attackers would have more than a 50% chance of successfully guessing a valid authentication code after this period.
The technical analysis revealed that Microsoft's implementation allowed validation windows of up to three minutes for each code, significantly longer than the standard 30-second time step recommended by RFC 6238. This extended window, combined with the ability to make multiple simultaneous attempts, created a critical security weakness.
Microsoft quickly fixed the flaw by introducing stricter rate limiting that activates after a number of failed attempts and remains in effect for approximately 12 hours.
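The three controls the article identifies (a per-account attempt budget shared across concurrent sessions, a lockout lasting about 12 hours, and a validation window close to the RFC 6238 time step) shown together in an added example that is not Oasis's or Microsoft's code. The failure threshold of five attempts is an assumption, as is the +-1 step skew; the RFC 4226/6238 test secret is used for reproducibility, and `guess_success_probability` lets a defender quantify why the attempt budget, rather than the code length, bounds the risk.

```python
import hashlib
import hmac
import struct

DIGITS = 6
STEP = 30  # RFC 6238 default time step, in seconds

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time-step counter."""
    return hotp(secret, now // step)

def guess_success_probability(attempts: int, accepted_codes: int, digits: int = DIGITS) -> float:
    """Chance that `attempts` random guesses hit one of the `accepted_codes` currently valid codes."""
    return 1.0 - (1.0 - accepted_codes / 10 ** digits) ** attempts

class TotpVerifier:
    """One attempt budget per account, shared by every concurrent login session."""
    def __init__(self, secret: bytes, max_failures: int = 5,
                 lockout_seconds: int = 12 * 3600, skew_steps: int = 1):
        self.secret = secret
        self.max_failures = max_failures        # assumed threshold; the article gives none
        self.lockout_seconds = lockout_seconds  # ~12 h, as in the fix described above
        self.skew_steps = skew_steps            # +-1 step = 90 s of valid codes, not 3 min
        self.failures = 0
        self.locked_until = 0
        self.last_counter = -1                  # highest counter already redeemed

    def verify(self, code: str, now: int) -> bool:
        if now < self.locked_until:
            return False  # locked out: reject before even evaluating the code
        current = now // STEP
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            # constant-time compare; a code is redeemable only once (no replay)
            if hmac.compare_digest(hotp(self.secret, counter), code) and counter > self.last_counter:
                self.last_counter, self.failures = counter, 0
                return True
        self.failures += 1  # every session's failures land on the same account counter
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
        return False
```

Because the budget lives on the account and not on the session, opening many sessions at once does not multiply the number of guesses the verifier will evaluate.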
In response to this discovery, security experts recommend organizations implement additional protective measures, including enabling alerts for failed MFA attempts and maintaining regular password rotation policies.
While MFA remains a crucial security practice, this incident highlights the importance of properly implementing and continuously monitoring security systems.