A critical vulnerability in Microsoft Azure’s Multi-Factor Authentication (MFA) system was recently uncovered by researchers at Oasis Security. This flaw allowed unauthorized access to a wide range of user data, including Outlook emails, OneDrive files, Teams chats, and Azure Cloud resources. The breach, facilitated by a bypass technique dubbed “AuthQuake,” highlights significant risks associated with insufficient rate-limiting mechanisms and extended code validation timeframes.
Details Of The Vulnerability
The vulnerability stemmed from a lack of rate limits for failed MFA attempts. When signing into a Microsoft account, users provide their email and password, followed by an MFA code sent through an alternative communication method. The absence of restrictions on the number of sign-in attempts enabled attackers to rapidly generate new sessions and systematically attempt code combinations.
With six-digit codes, there are 1 million possible combinations. Researchers exploited the flaw by using rapid and concurrent attempts to systematically enumerate these codes. This approach enabled them to bypass MFA protections in approximately one hour. Alarmingly, account owners received no alerts about these failed attempts, making the attack method stealthy and difficult to detect.
Contributing Factors
- Lack of Rate Limiting: The vulnerability was primarily due to Microsoft’s inadequate restrictions on failed MFA attempts. Researchers noted that they could execute numerous simultaneous attempts without triggering any defensive mechanisms.
- Extended Code Validity: According to RFC 6238, the standard for Time-Based One-Time Passwords (TOTP), MFA codes should expire after 30 seconds. However, Microsoft’s system allowed codes to remain valid for approximately three minutes, including a grace period of 2.5 minutes. This extended timeframe significantly increased the probability of guessing a correct code.
- Cumulative Probability: Researchers calculated that within this extended period, a single session had a 3% chance of guessing the correct code. Over 24 sessions, the likelihood of success exceeded 50%, enabling attackers to compromise accounts with minimal effort.
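The two figures above (3% per session, more than 50% over 24 sessions) follow from a simple independent-trials model, and the same model shows how much each mitigation shrinks the odds. The following is an added example, not code from Oasis Security or Microsoft; the guess budget of 30,000 attempts per three-minute window is a constructed assumption chosen to reproduce the article's 3% figure, and the attempt rate is assumed constant when the window is shortened.

```python
import math

CODE_SPACE = 10 ** 6  # six-digit numeric OTP: 000000..999999

# Constructed assumption: guesses one session can make inside a ~3-minute
# validity window, chosen so that one session has the 3% chance quoted above.
GUESSES_PER_180S_WINDOW = 30_000


def guesses_in_window(window_seconds: float,
                      guesses_per_180s: int = GUESSES_PER_180S_WINDOW) -> int:
    """Guess budget for a validity window, assuming a constant attempt rate."""
    return int(guesses_per_180s * window_seconds / 180)


def per_session_probability(guesses: int, code_space: int = CODE_SPACE) -> float:
    """Chance that one session, trying `guesses` distinct codes while the
    target code stays fixed, hits the right one."""
    return min(guesses, code_space) / code_space


def cumulative_probability(p_session: float, sessions: int) -> float:
    """Chance that at least one of `sessions` independent sessions succeeds:
    1 - (1 - p)^n."""
    return 1.0 - (1.0 - p_session) ** sessions


def sessions_for_target(p_session: float, target: float) -> int:
    """Fewest independent sessions needed to reach `target` overall probability."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_session))


def compare_windows(sessions: int = 24) -> dict:
    """Overall success probability over `sessions` sessions under the
    article's weak settings and under the two recommended mitigations."""
    scenarios = {
        "180s window, no rate limit": guesses_in_window(180),
        "30s window, no rate limit": guesses_in_window(30),
        "30s window, 5 attempts per session": 5,
    }
    return {name: cumulative_probability(per_session_probability(g), sessions)
            for name, g in scenarios.items()}


if __name__ == "__main__":
    p = per_session_probability(guesses_in_window(180))
    print(f"per session: {p:.2%}, over 24 sessions: {cumulative_probability(p, 24):.1%}")
    print(f"sessions to reach 50%: {sessions_for_target(p, 0.5)}")
    for name, prob in compare_windows().items():
        print(f"{name}: {prob:.4%}")
```

Under this model 23 sessions already pass the 50% mark, so the article's 24 is comfortably above it. Shortening the window to 30 seconds alone cuts the 24-session odds from about 52% to about 11%, while a per-session cap of five attempts brings them to roughly one in ten thousand; the two controls are complementary, not interchangeable.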
The Exploitation Process
The attack, labeled “AuthQuake” by the researchers, involved the following steps:
- Rapid creation of new sessions and systematic code enumeration.
- Exploitation of the extended code validity period to maximize guessing attempts.
- Execution of multiple concurrent attempts, circumventing traditional alert systems that would notify account owners of suspicious activity.
In one instance, the researchers managed to guess the correct code early in their attempts, underscoring the vulnerability’s potential for swift exploitation.
Microsoft’s Response
Oasis Security disclosed the issue to Microsoft in June 2023. The company acknowledged the flaw and implemented a fix by October 9, 2023. According to Oasis Security, Microsoft introduced stricter rate-limiting mechanisms, which now activate after a defined number of failed attempts and remain in effect for approximately half a day.
While Microsoft has not disclosed specific details of the changes, the new limitations are expected to prevent attackers from executing the high-volume, rapid attempts that characterized the AuthQuake exploit.
Implications And Recommendations
The discovery of this vulnerability raises important questions about the security of MFA systems and the implementation of best practices:
- Rate Limiting: Organizations should enforce robust rate-limiting measures to prevent high-frequency attempts to bypass authentication mechanisms.
- Strict Adherence to Standards: MFA implementations should conform to the recommended code expiration timeframe of 30 seconds, as outlined in RFC 6238, to minimize the attack window.
- User Alerts: Authentication systems must provide real-time alerts for failed sign-in attempts, enabling users to detect and respond to unauthorized activity promptly.
- Regular Security Audits: Continuous testing and auditing of authentication systems can help identify and address vulnerabilities before they are exploited.
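The first three recommendations can be expressed directly in a verifier. The following is an added example, not Microsoft's or Oasis Security's code: a minimal RFC 6238 TOTP check with a configurable acceptance window and a per-principal failure budget. The two policies are constructed: WEAK_POLICY accepts codes from five 30-second steps either side of the current one (roughly the three-minute validity described above) and never locks out; HARDENED_POLICY accepts one step of clock drift and locks the principal for half a day after five consecutive failures. Accepted codes are recorded so a code cannot be replayed within its window.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at) // step, digits)


@dataclass
class Policy:
    step: int = 30                    # RFC 6238 time step in seconds
    skew_steps: int = 1               # accept codes from +/- this many steps (clock drift only)
    max_failures: Optional[int] = 5   # consecutive failures before lockout; None = unlimited
    lockout_seconds: int = 12 * 3600  # how long a lockout lasts


# Constructed policies: the first mirrors the weaknesses described in the article,
# the second the recommendations (30 s validity plus drift, rate limit, half-day lockout).
WEAK_POLICY = Policy(skew_steps=5, max_failures=None)
HARDENED_POLICY = Policy(skew_steps=1, max_failures=5)


@dataclass
class Verifier:
    secret: bytes
    policy: Policy
    # per-principal state: (consecutive failure count, lockout expiry as Unix seconds)
    failures: dict = field(default_factory=dict)
    # (principal, counter) pairs already accepted, so a code cannot be replayed;
    # a production verifier would prune entries older than the acceptance window
    used: set = field(default_factory=set)

    def verify(self, principal: str, code: str, now: float) -> str:
        """Return "ok", "rejected" or "locked". Every failure counts toward the
        lockout; a success resets the counter. This is also the point to emit the
        failed-attempt alert the article recommends."""
        count, locked_until = self.failures.get(principal, (0, 0.0))
        if now < locked_until:
            return "locked"
        if locked_until and now >= locked_until:
            count = 0  # lockout expired: start a fresh failure budget
        p = self.policy
        counter = int(now) // p.step
        for c in range(max(0, counter - p.skew_steps), counter + p.skew_steps + 1):
            # constant-time comparison; a code already consumed is never accepted again
            if hmac.compare_digest(hotp(self.secret, c), code) and (principal, c) not in self.used:
                self.used.add((principal, c))
                self.failures.pop(principal, None)
                return "ok"
        count += 1
        if p.max_failures is not None and count >= p.max_failures:
            self.failures[principal] = (count, now + p.lockout_seconds)
            return "locked"
        self.failures[principal] = (count, 0.0)
        return "rejected"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, not a real key
    stale = totp(secret, 59)          # code minted at t=59
    print("weak policy, 150 s old code:", Verifier(secret, WEAK_POLICY).verify("bob", stale, 209.0))
    print("hardened policy, 150 s old code:", Verifier(secret, HARDENED_POLICY).verify("bob", stale, 209.0))
```

The secret in the usage block is the well-known RFC 6238 test vector (time 59 yields 94287082, whose last six digits are 287082), which makes the verifier easy to check against the standard. Note that the skew parameter is the only legitimate reason to accept a code outside its own 30-second step; a multi-minute grace period is indistinguishable, from an attacker's point of view, from a longer code lifetime.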
Data Breaches Continue To Prove That Defensive Postures Are Not Enough…
“The Microsoft Azure MFA vulnerability exploited by the AuthQuake bypass technique reveals a critical gap in the security of widely used authentication systems,” commented Tim Royston-Webb, CEO, SentryBay. “Data breaches continue to prove that defensive postures are not enough. As we have seen with this latest breach, MFA and other digital keys can be bypassed to exploit keyed IDs and passwords. Only by encrypting the point of entry, namely the keyboard, will we complete the security layer to prevent ID exploitation.”
This incident follows a series of cybersecurity challenges faced by Microsoft in recent years, including breaches involving sensitive customer data and vulnerabilities in widely used services like Exchange and Teams. It underscores the need for constant vigilance in securing cloud-based platforms, which are increasingly targeted by sophisticated threat actors. This case also serves as a stark reminder for enterprises to regularly review and strengthen their authentication protocols to safeguard against emerging threats.
SentryBay’s Armored Client is the OEM at the heart of Citrix App Protection, and is now proven protection against infostealer malware for Microsoft AVD and W365 endpoints. The solution uses endpoint access isolation in a manner that does not impact performance and includes keylogging, screen capture and malicious injection protection.