Tal Hason
Research Engineer
Published on December 11, 2024
Oasis Security's research team uncovered a critical vulnerability in Microsoft's Multi-Factor Authentication (MFA) implementation, allowing attackers to bypass it and gain unauthorized access to the user’s account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more. Microsoft has more than 400 million paid Office 365 seats, making the consequences of this vulnerability far-reaching.
The bypass was simple: it took around an hour to execute, required no user interaction and did not generate any notification or provide the account holder with any indication of trouble.
Upon discovery, Oasis reported the flaw to Microsoft and collaborated with them to resolve it. Below are details of the vulnerability, its resolution, and lessons learned. You can read the Oasis Security Research team’s full report here.
When users first arrive at the login page they are assigned a session identifier.
After entering a valid email and password, users are asked to further verify their identity. Microsoft supports a variety of MFA methods, including a verification code from an authenticator application; with such an app, users type in the 6-digit code to complete their authentication.
Up to 10 consecutive failed attempts were allowed for a single session.
By rapidly creating new sessions and enumerating codes, the Oasis research team demonstrated a very high rate of attempts that would quickly exhaust the total number of possible 6-digit codes (1M). Simply put, the per-session limit did not stop one from executing many attempts simultaneously across sessions.
During this period, account owners did not receive any alert about the massive number of consecutive failed attempts, making this vulnerability and attack technique dangerously low profile.
Authenticator app codes are time-limited, so the next question was how long attackers had to guess a single code.
RFC 6238 is the TOTP specification that authenticator apps implement. It suggests that a different code be generated for each 30-second time step, and most apps and validators use this setting. However, to tolerate clock drift and delays between the validator and the user, RFC 6238 also encourages the validator to accept a larger time window around the current code.
In short, this means that a single TOTP code may be valid for more than 30 seconds. The Oasis Security Research team's testing against Microsoft sign-in showed a tolerance of around 3 minutes for a single code, extending 2.5 minutes past its nominal expiry and allowing 6x more attempts to be sent for that code.
Given the allowed rate, we had a 3% chance of correctly guessing the code within the extended timeframe. A malicious actor would have been likely to proceed and run further sessions until they hit a valid guess; the Oasis Security Research team did not encounter any issues or limitations doing so.
After 24 such sessions (~70 minutes) a malicious actor would already pass a 50% chance of hitting a valid code. This is before considering the additional codes generated within the timeframe, each of which would make a few more guesses valid.
The Oasis Security Research team successfully attempted this method several times. Below is a screen recording of one of the successful attempts, in which the researchers guessed the code early on.
While the specific details of the changes are confidential, we can confirm that Microsoft introduced a much stricter rate limit that kicks in after a number of failed attempts; the strict limit lasts around half a day.
The flaw discussed in this article belongs to a specific implementation that was fixed prior to publishing this text. Enabling MFA remains a critical cybersecurity best practice. Use either authenticator apps or stronger passwordless methods.
While MFA can protect a user if their credentials are compromised, as shown here, an implementation flaw in the validation process can quickly render it ineffective.
In general, monitoring for wrong-password sign-ins is likely to create a lot of noise, especially on targeted accounts. However, filtering specifically for failed second-factor codes reduces the noise to only those cases where the actor already holds a correct password, which are much more important. In addition, the alerts should be sent to the account owner, who can verify whether the login attempts were theirs or not and take immediate action if necessary.
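The following is an added example (not code from Oasis Security or Microsoft) that ties together the TOTP mechanics, the guessing math and the monitoring advice above: a minimal RFC 6238 validator with a narrow skew window, a failure budget keyed by account rather than by session, a per-failure reason that a caller can feed into second-factor alerting, and the cumulative-probability formula behind the 24-window figure. It assumes the RFC defaults (HMAC-SHA1, 6 digits, 30-second step); the 3% per-window chance and the 10-failure budget are the article's numbers, and the half-day lockout mirrors the fix described above.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, at // step)


class TotpValidator:
    """Server-side check with two defensive properties: a narrow skew window (skew_steps=1
    accepts 3 steps = 90 s rather than ~3 minutes) and a failure budget keyed by ACCOUNT,
    so opening fresh sessions does not hand the caller a new budget of 10 guesses."""

    def __init__(self, skew_steps=1, max_failures=10, lockout_seconds=12 * 3600):
        self.skew_steps, self.max_failures = skew_steps, max_failures
        self.lockout_seconds = lockout_seconds
        self.state = {}  # account -> [failure_count, locked_until_unix_time]

    def verify(self, account: str, secret: bytes, code: str, now=None):
        now = int(time.time()) if now is None else now
        failures, locked_until = self.state.get(account, [0, 0])
        if now < locked_until:
            return False, "locked"  # while locked the code is not even evaluated
        for step_offset in range(-self.skew_steps, self.skew_steps + 1):
            if hmac.compare_digest(totp(secret, now + 30 * step_offset), code):
                self.state.pop(account, None)  # success clears the failure budget
                return True, "ok"
        failures += 1
        if failures >= self.max_failures:
            locked_until = now + self.lockout_seconds  # strict limit, ~half a day
        self.state[account] = [failures, locked_until]
        # Either reason is alert-worthy for the owner: the caller already held a valid password.
        return False, "locked" if failures >= self.max_failures else "wrong_code"


def success_probability(per_window_chance: float, windows: int) -> float:
    """Chance that at least one of `windows` independent guessing windows hits a valid code."""
    return 1 - (1 - per_window_chance) ** windows
```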
The Oasis Security Research Team is a global group of experts specializing in identity and cloud-native security. With deep experience in offensive and defensive operations, vulnerability research, and threat analysis, we focus on protecting hybrid cloud ecosystems and securing non-human identities. Our mission is to uncover vulnerabilities, analyze emerging threats, and collaborate with vendors to strengthen security across the industry, providing actionable insights that drive resilience and innovation.