In December 2024, Oasis Security researchers uncovered a critical vulnerability in Microsoft's Multi-Factor Authentication (MFA) system, known as "AuthQuake." This flaw allowed attackers to bypass MFA protections, potentially granting unauthorized access to over 400 million Microsoft 365 accounts. (oasis.security)

Background Information

Multi-Factor Authentication is a security measure that requires users to present two or more verification factors to gain access to a resource, adding a layer of protection beyond the password. Microsoft's MFA system accepts Time-Based One-Time Passwords (TOTPs) generated by authenticator apps; each code is nominally valid for 30 seconds. To tolerate network delays and clock drift between the app and the server, however, a code could remain valid for up to three minutes. (oasis.security)

The Vulnerability: AuthQuake

The AuthQuake vulnerability exploited two primary weaknesses in Microsoft's MFA implementation:

  1. Lack of Rate Limiting: The system permitted up to 10 consecutive failed attempts per session without imposing strict rate limits. Attackers could rapidly create new sessions and attempt multiple code combinations simultaneously, effectively bypassing the 10-attempt limit per session. (oasis.security)
  2. Extended Code Validity: TOTPs were accepted for approximately three minutes rather than 30 seconds, giving attackers roughly a 3% chance of hitting a valid code per brute-force session. After 24 such sessions (approximately 70 minutes), the probability of success exceeded 50%. (oasis.security)

Implications and Impact

The vulnerability had significant implications:

  • Unauthorized Access: Attackers could gain access to sensitive data across Microsoft services, including Outlook emails, OneDrive files, Teams chats, and Azure Cloud instances. (oasis.security)
  • Stealthy Exploitation: The attack required no user interaction and did not generate notifications, making it difficult for users to detect unauthorized access. (oasis.security)
  • Widespread Risk: With over 400 million paid Office 365 subscriptions, the potential impact was vast, affecting a significant portion of Microsoft's user base. (oasis.security)

Technical Details

The exploitation process involved:

  1. Session Creation: Attackers initiated multiple login sessions to circumvent the 10-attempt limit per session.
  2. Code Enumeration: By generating and testing all possible six-digit code combinations, attackers could systematically identify the correct code.
  3. Extended Validity Window: The three-minute validity period of TOTPs allowed attackers ample time to perform brute-force attacks without triggering security alerts. (oasis.security)

Microsoft's Response

Upon discovery, Oasis Security reported the vulnerability to Microsoft, which acknowledged the issue on June 24, 2024. A temporary fix was deployed on July 4, 2024, followed by a permanent solution on October 9, 2024. The fix introduced much stricter rate limiting: after a number of failed attempts, further attempts are blocked for approximately half a day. (oasis.security)
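To see why the per-session cap described in the vulnerability section above was ineffective and how a per-account lockout of the kind Microsoft adopted closes the gap, here is an added Python model. It is not code from Oasis Security or Microsoft; the cap of 10, the 3% per-round figure and the half-day lockout are taken from this article, and the class and function names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed demo parameters, not Microsoft's real settings.
MAX_FAILS = 10               # wrong codes tolerated before blocking
LOCKOUT_SECONDS = 12 * 3600  # "approximately half a day" of lockout

@dataclass
class SessionScopedLimiter:
    """Weak design: failures counted per login session, so a fresh session
    starts at zero and the cap is trivially sidestepped."""
    fails: dict = field(default_factory=dict)  # (account, session) -> count

    def allow(self, account, session, now):
        return self.fails.get((account, session), 0) < MAX_FAILS

    def record_failure(self, account, session, now):
        key = (account, session)
        self.fails[key] = self.fails.get(key, 0) + 1

@dataclass
class AccountScopedLimiter:
    """Hardened design: failures counted per account across all sessions;
    reaching the cap locks the account for LOCKOUT_SECONDS."""
    fails: dict = field(default_factory=dict)         # account -> count
    locked_until: dict = field(default_factory=dict)  # account -> time

    def allow(self, account, session, now):
        return now >= self.locked_until.get(account, 0.0)

    def record_failure(self, account, session, now):
        self.fails[account] = self.fails.get(account, 0) + 1
        if self.fails[account] >= MAX_FAILS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.fails[account] = 0

def guesses_permitted(limiter, account, sessions, per_session, now=0.0):
    """Simulate an attacker opening `sessions` fresh sessions and sending
    `per_session` wrong codes in each; return how many got checked."""
    accepted = 0
    for session in range(sessions):
        for _ in range(per_session):
            if limiter.allow(account, session, now):
                accepted += 1
                limiter.record_failure(account, session, now)
    return accepted

def success_probability(p_per_round, rounds):
    """Chance that at least one of `rounds` independent guessing rounds hits."""
    return 1 - (1 - p_per_round) ** rounds
```

With the session-scoped limiter, 24 fresh sessions of 10 guesses each yield 240 checked codes; with the account-scoped limiter the same attacker gets 10 before the lockout, and success_probability(0.03, 24) reproduces the article's "just over 50%".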

Recommendations for Organizations

To mitigate similar vulnerabilities, organizations should:

  • Enable MFA: Implement Multi-Factor Authentication using secure methods like authenticator apps or passwordless solutions.
  • Monitor Failed Attempts: Set up alerts for failed MFA attempts to detect and respond to potential attacks promptly.
  • Regularly Update Credentials: Encourage users to change passwords regularly and monitor for signs of compromised credentials.

Conclusion

The AuthQuake vulnerability underscores the importance of robust and properly configured MFA systems. Organizations must remain vigilant, regularly update security protocols, and educate users to enhance overall cybersecurity posture.