Oasis Security's research team uncovered a critical vulnerability in Microsoft’s MFA system, allowing attackers to bypass authentication and gain unauthorized access to user accounts. This flaw posed significant risks, affecting platforms like Outlook, OneDrive, Teams, and Azure.
The bypass required minimal effort, exploiting a lack of rate limits and extended code validity. Attackers could rapidly guess MFA codes within 70 minutes to achieve a 50% success rate without detection. Oasis promptly reported the issue, and Microsoft has since implemented a stricter rate-limiting fix.
This discovery underscores the need for robust MFA implementation and monitoring. Organizations are encouraged to enable MFA, monitor failed attempts, and stay vigilant against potential threats. Oasis continues to lead in uncovering vulnerabilities and enhancing industry security.
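As an added illustration (not Oasis's research code or Microsoft's implementation), the Python below shows why the two conditions named above matter: an attacker's odds grow linearly with the number of guesses permitted per accepted code, and a server-side failed-attempt cap together with a tight validity window bounds both factors. The TOTP construction is standard RFC 6238; the limits (10 failures, 15-minute lockout, one time step of clock skew) are assumed values chosen for illustration.

```python
import hmac
import hashlib
import struct
from collections import defaultdict

CODE_SPACE = 10**6   # six-digit codes
STEP = 30            # TOTP time step in seconds


def totp(secret: bytes, unix_time: float) -> str:
    """Standard RFC 6238 TOTP (HMAC-SHA1, 6 digits)."""
    counter = struct.pack(">Q", int(unix_time // STEP))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % CODE_SPACE:06d}"


def guess_success_probability(guesses: int, accepted_codes: int = 1) -> float:
    """Chance that `guesses` distinct codes hit one of the `accepted_codes` values the
    server currently accepts. Extended validity raises accepted_codes; a missing rate
    limit lets guesses grow without bound, so the product reaches 0.5 after
    500000 / accepted_codes guesses."""
    return min(1.0, guesses * accepted_codes / CODE_SPACE)


class MfaVerifier:
    """Server-side verifier with a failed-attempt cap and a bounded validity window.
    The limits are assumed values for illustration, not Microsoft's settings."""

    def __init__(self, max_failures=10, lockout_seconds=900, skew_steps=1):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.skew_steps = skew_steps              # accept only current step +/- skew
        self.failures = defaultdict(list)         # account -> failed-attempt timestamps

    def recent_failures(self, account: str, now: float) -> int:
        kept = [t for t in self.failures[account] if now - t < self.lockout_seconds]
        self.failures[account] = kept
        return len(kept)

    def verify(self, account: str, secret: bytes, code: str, now: float) -> str:
        if self.recent_failures(account, now) >= self.max_failures:
            return "locked"                       # refuse even a correct code
        for d in range(-self.skew_steps, self.skew_steps + 1):
            expected = totp(secret, now + d * STEP).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.failures[account].clear()
                return "ok"
        self.failures[account].append(now)        # the event to alert on when monitoring
        return "rejected"
```

The `failures` list is the signal the summary tells organizations to monitor: a burst of rejections against one account is what a rate-limit-free service never forces an attacker to trigger.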