Dubbed “Authquake,” the attack exploits vulnerabilities in MFA protocols, enabling brute-force attacks to compromise accounts even with MFA enabled.
Security researchers at OASIS Security have disclosed a critical attack method that allows adversaries to bypass Microsoft’s Multi-Factor Authentication (MFA) implementation. The flaw in Microsoft Azure’s MFA verification let the researchers bypass the second factor and gain unauthorized access to a user account in under an hour, with no interaction from the victim.
Because the same MFA gate protects Microsoft 365 and Azure, a successful bypass grants access to sensitive services, including Outlook email, OneDrive files, Teams chats, and Azure cloud resources.
At the core of the vulnerability identified by OASIS Security are two weaknesses: a lack of rate limiting on failed code submissions, and an extended validation window for one-time codes. Together they let an attacker systematically enumerate code values and run a brute-force attack without triggering alerts or notifying the victim of the failed login attempts.
Time-based one-time passwords (TOTPs) are designed around a 30-second step, so a code should stop being accepted shortly after it rolls over. Microsoft’s verifier instead accepted a code for up to about 3 minutes, which means several codes are valid at any given moment and each guess has a correspondingly higher chance of succeeding. Combined with the absence of rate limits, an attacker can rapidly work through the one million possible six-digit codes, still without any alert or notification reaching the victim.
In response to the vulnerability reported by OASIS Security, Microsoft has implemented a much stricter rate limit on failed MFA attempts.
The new limit activates after a certain number of failed attempts and blocks further attempts for approximately half a day. This removes the opportunity to exploit the extended TOTP validity window with rapid brute-force attempts, since an attacker now gets only a handful of guesses per lockout period. Microsoft has not published the exact threshold or lockout duration.
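The interaction between the two weaknesses and Microsoft’s fix is easiest to see in a small simulation. The following is an added example written for this page, not code from OASIS Security or Microsoft: it implements a standard RFC 6238 TOTP verifier whose acceptance window and failure lockout are configurable, runs a sequential brute-force attacker against a weak configuration (3-minute window, no rate limit) and a hardened one (30-second step, lockout after ten failures for twelve hours), and computes the success probability for a given number of guesses. The secret, timestamps, guess rate and lockout thresholds are constructed for the example; Microsoft’s real thresholds are not public.

```python
"""Added example: a TOTP verifier with the two weaknesses described above
(long acceptance window, no rate limit) beside a hardened one, and a
brute-force attacker run against both.  The secret, time values, guess rate
and lockout thresholds are constructed for this example and are not
Microsoft's actual parameters."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # RFC 6238 time step
DIGITS = 6
CODE_SPACE = 10 ** DIGITS  # 1,000,000 possible six-digit codes


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % CODE_SPACE:0{DIGITS}d}"


def totp(secret: bytes, unix_time: float) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second step (what the authenticator shows)."""
    return hotp(secret, int(unix_time) // STEP_SECONDS)


class TotpVerifier:
    """Server-side verifier.  valid_for_seconds is how long after issue a code is
    still accepted; max_failures / lockout_seconds implement a failure-count
    lockout (max_failures=None means no rate limit at all)."""

    def __init__(self, secret, valid_for_seconds=STEP_SECONDS,
                 max_failures=None, lockout_seconds=0):
        self.secret = secret
        self.valid_steps = max(1, valid_for_seconds // STEP_SECONDS)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0.0
        self._cache_step = None   # accepted codes are recomputed only when the step changes
        self._cache = set()

    def accepted_codes(self, now):
        """Codes accepted at `now`: the current step plus the previous steps still
        inside the validity window (six for a 3-minute window, one for a strict step)."""
        step = int(now) // STEP_SECONDS
        if step != self._cache_step:
            self._cache_step = step
            self._cache = {hotp(self.secret, step - k) for k in range(self.valid_steps)}
        return self._cache

    def verify(self, code, now):
        if now < self.locked_until:
            return False                        # locked out: the code is not even evaluated
        if code in self.accepted_codes(now):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
        return False


def brute_force(verifier, start_time, guesses_per_second, deadline_seconds):
    """Submit 000000..999999 in order at a fixed rate, with simulated time advancing,
    until a code is accepted, the verifier locks us out, the deadline passes or
    the code space is exhausted.  Returns (success, attempts, elapsed_seconds)."""
    attempts = 0
    for guess in range(CODE_SPACE):
        now = start_time + attempts / guesses_per_second
        if now - start_time > deadline_seconds or now < verifier.locked_until:
            break
        attempts += 1
        if verifier.verify(f"{guess:0{DIGITS}d}", now):
            return True, attempts, now - start_time
    return False, attempts, attempts / guesses_per_second


def success_probability(codes_accepted_at_once, total_guesses):
    """Approximate chance that `total_guesses` guesses hit one of the
    `codes_accepted_at_once` codes valid at the moment of each guess
    (guesses modelled as independent draws from the code space)."""
    return 1.0 - (1.0 - codes_accepted_at_once / CODE_SPACE) ** total_guesses


if __name__ == "__main__":
    secret = b"constructed-example-secret"   # constructed, not a real enrolment
    t0 = 1_700_000_000                       # constructed start time
    weak = TotpVerifier(secret, valid_for_seconds=180)               # 3-minute window, no limit
    print("weak verifier:    ", brute_force(weak, t0, 10_000, 3600))
    hard = TotpVerifier(secret, valid_for_seconds=30,
                        max_failures=10, lockout_seconds=12 * 3600)  # strict step + lockout
    print("hardened verifier:", brute_force(hard, t0, 10_000, 3600))
    print("6 codes valid, 115,000 guesses:", round(success_probability(6, 115_000), 3))
    print("1 code valid, 20 guesses/day:  ", success_probability(1, 20))
```

Run it directly to see both attacks. The 10,000 guesses per second used for the weak verifier is chosen so that the whole code space is covered while the first accepted code is still inside the 3-minute window, which makes the run deterministic; at realistic throughput the success_probability figure is the one that matters: with six codes accepted per guess, roughly 115,000 guesses give about a 50% chance of compromise, whereas a lockout that caps guesses at a few per half day keeps the probability near zero.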