It only takes researchers an hour to crack Microsoft Azure’s MFA security

  • December 13, 2024

Researchers at Oasis Security have managed to bypass MFA protection in Microsoft Azure. Millions of accounts were unknowingly vulnerable to compromise.

Enabling MFA is (rightly) considered a best practice in IT security. However, MFA is not 100% waterproof, especially if the software supplier does not offer it in a compliant manner. This is the conclusion reached by researchers at Oasis Security when they examined Microsoft Azure’s MFA security.

The researchers discovered a critical vulnerability in the MFA implementation. This vulnerability essentially allowed attackers to bypass MFA protection and gain unauthorized access to accounts, including emails in Outlook, files in OneDrive, conversations in Teams, and Azure Cloud. Microsoft has now introduced a permanent solution. MFA has been mandatory for all Azure customers for several months.

Two mistakes

According to Oasis Security, Microsoft made two crucial mistakes. First, there was no limit on the number of failed attempts per session. An MFA login process requires a user to enter a six-digit verification code after entering their email address and password. The researchers found that many sessions could be created in quick succession, allowing large numbers of codes to be tested. This increased the chances of success without any warning to the account holder.

An additional problem was that verification codes, which are normally only valid for 30 seconds, were still being accepted by Microsoft for up to three minutes after they were generated. This gave attackers additional time to guess the correct code. In less than 70 minutes there was a better than 50 percent chance of a successful attack.
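The arithmetic behind the two mistakes can be made concrete. The following Python model is an added example, not code from the article or from Oasis Security: it assumes six-digit codes (a space of 1,000,000), a new code generated every 30 seconds, and that a code accepted for three minutes means roughly six codes are valid at any moment, so each guess has six chances instead of one. With no attempt limit the number of guesses is unbounded; with a strict per-account limit the attacker's total probability is capped.

```python
import math

CODE_SPACE = 10**6  # six-digit numeric verification codes


def concurrently_valid_codes(acceptance_seconds, rotation_seconds=30):
    """Assumption: a fresh code is issued every rotation_seconds and each one
    stays accepted for acceptance_seconds, so several codes overlap in time."""
    return max(1, math.ceil(acceptance_seconds / rotation_seconds))


def hit_probability(acceptance_seconds, rotation_seconds=30):
    """Chance that one random guess matches some currently accepted code."""
    return min(1.0, concurrently_valid_codes(acceptance_seconds, rotation_seconds) / CODE_SPACE)


def success_probability(guesses, acceptance_seconds, rotation_seconds=30):
    """Probability that at least one of `guesses` independent attempts succeeds."""
    return 1.0 - (1.0 - hit_probability(acceptance_seconds, rotation_seconds)) ** guesses


def guesses_for_probability(target, acceptance_seconds, rotation_seconds=30):
    """Smallest number of guesses that reaches the target success probability."""
    p = hit_probability(acceptance_seconds, rotation_seconds)
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def required_guess_rate(target, minutes, acceptance_seconds, rotation_seconds=30):
    """Guesses per second an attacker would need to reach `target` within `minutes`
    (derived from this model, not a figure reported by the researchers)."""
    return guesses_for_probability(target, acceptance_seconds, rotation_seconds) / (minutes * 60)


def capped_success_probability(max_attempts, acceptance_seconds, rotation_seconds=30):
    """With a strict per-account attempt limit (the fix), the attacker's best case
    is simply `max_attempts` guesses, however many sessions are opened."""
    return success_probability(max_attempts, acceptance_seconds, rotation_seconds)


if __name__ == "__main__":
    for window in (30, 180):
        n = guesses_for_probability(0.5, window)
        print(f"{window:>3}s acceptance: {n:,} guesses for a 50% chance, "
              f"{required_guess_rate(0.5, 70, window):.1f} guesses/s to do it in 70 minutes")
    print(f"with a hard cap of 10 attempts: {capped_success_probability(10, 180):.2e}")
```

The point the numbers make: extending acceptance from 30 seconds to three minutes cuts the work for a coin-flip chance by about a factor of six, while a hard attempt cap leaves the attacker with a success probability on the order of one in a hundred thousand regardless of how many sessions are opened.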

Oasis Security reported the vulnerability in June 2024. Microsoft responded quickly with a workaround in July and released a permanent fix in October. The update adds a strict limit on the number of attempts allowed to prevent brute force attacks.

This is not the first time that Microsoft has been criticized for inadequate MFA security. Two years ago, Google subsidiary Mandiant discovered a damaging security flaw. Microsoft apparently only intervenes when an error is pointed out to it.

Recommendations

Although the research identifies a vulnerability in MFA, Oasis Security researchers still recommend enabling it if possible. With a few additional measures you can make your accounts almost watertight:

  • Enable MFA: Use authentication apps or stronger methods like passwordless authentication.
  • Monitor failed MFA attempts: Set up an alert for failed second factor attempts to quickly identify suspicious activity.
  • Check for leaked credentials: Change passwords regularly to limit the impact of stolen credentials.
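The second recommendation, alerting on failed second-factor attempts, can be turned into a simple detection. The Python below is an added example, not code from the article; the log records are constructed and their field names (`user`, `time`, `session`, `result`) are assumptions rather than the schema of any real Azure or Entra ID sign-in log. It keeps a sliding five-minute window of failed MFA attempts per user and raises an alert when the count crosses a threshold, reporting how many distinct sessions were involved, which is the signature of the session-rotation pattern described above.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _event(user, seconds, session, result):
    """Build one constructed log line (JSON) relative to a fixed start time."""
    ts = datetime(2024, 12, 13, 10, 0, tzinfo=timezone.utc) + timedelta(seconds=seconds)
    return json.dumps({"user": user, "time": ts.isoformat(), "session": session, "result": result})


# Constructed sample log (assumed schema, not real sign-in records).
# "alice": 12 failed second-factor attempts in two minutes, each from a fresh session.
# "bob": two mistyped codes in one session, then success, which should not alert.
SAMPLE_LOG = [_event("alice", 10 * i, f"s-{i}", "mfa_failed") for i in range(12)]
SAMPLE_LOG += [
    _event("bob", 5, "s-b1", "mfa_failed"),
    _event("bob", 30, "s-b1", "mfa_failed"),
    _event("bob", 55, "s-b1", "mfa_success"),
]
SAMPLE_LOG.sort(key=lambda line: json.loads(line)["time"])


def detect_mfa_bruteforce(log_lines, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per user whose failed MFA attempts within `window`
    reach `threshold`. Only 'mfa_failed' events count; successes and
    password failures are ignored so ordinary typos do not trigger it."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, session) for failures
    alerted = set()               # one alert per user per run, to avoid alert storms
    alerts = []
    for line in log_lines:
        ev = json.loads(line)
        if ev["result"] != "mfa_failed":
            continue
        t = datetime.fromisoformat(ev["time"])
        q = recent[ev["user"]]
        q.append((t, ev["session"]))
        while q and t - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "failed_attempts": len(q),
                "distinct_sessions": len({s for _, s in q}),
                "first_failure": q[0][0].isoformat(),
                "last_failure": t.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_bruteforce(SAMPLE_LOG):
        print(json.dumps(alert))
```

The distinct-session count is the field worth keying on: a legitimate user who fumbles a code does so inside one session, whereas a guessing attempt that has to open a new session for every handful of codes shows up as many sessions against one account in a short span.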

Source: IT Daily
