
Critical ‘AuthQuake’ bug let attackers bypass Microsoft MFA


A critical vulnerability in Microsoft’s multi-factor authentication (MFA) — dubbed "AuthQuake" — could let attackers bypass MFA and gain unauthorized access to a user’s account.

Oasis Security, which discovered the bug, reported in a Dec. 11 blog post that the bypass could let attackers access Outlook emails, OneDrive files, Teams chats, and the Azure cloud.

Because Microsoft has more than 400 million paid Office 365 seats, the vulnerability had potentially high impact across numerous industries, especially since about four months passed between the time it was reported and the time a patch was released.

Tal Hason, a security researcher at Oasis Security, said while the team doesn’t know exactly when AuthQuake originated, they do know it was exposed for at least several months before it was discovered. Hason said Oasis reported the bug to Microsoft in June.

“The patch was applied to their backend systems, so there wasn’t any user-facing update,” said Hason. “Microsoft fixed the flaw in October.”

A Microsoft spokesperson issued the following statement: “We appreciate the partnership with Oasis Security in responsibly disclosing this issue. We have already released an update and no customer action is required."

The Microsoft spokesperson added that the company now has monitoring in place to detect this type of abuse and has not seen any evidence that this technique has been used against Microsoft customers.

According to the Oasis researchers, here’s the crux of the issue: the bypass exploited the lack of rate limiting and an extended timeframe for validating Time-Based One-Time Password (TOTP) codes.

By rapidly creating new sessions and enumerating codes, the Oasis research team demonstrated a very high rate of attempts that would quickly exhaust the one million possible values of a 6-digit code, since an attacker could run many attempts simultaneously across those sessions.

A TOTP code is designed to be valid for 30 seconds, but an implementation may accept it for longer. When Oasis Security's team ran a test against a Microsoft sign-in, it showed a tolerance of around three minutes for a single code, 2.5 minutes past its expiration, which allowed six times as many login attempts to be sent against one code.

Given the allowed rate, the Oasis researchers said they had a 3% chance of correctly guessing the code within the extended timeframe. After 24 such sessions, roughly 70 minutes, the researchers said a malicious actor would already pass a 50% chance of hitting a valid code: very good odds for the attacker.
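The arithmetic above, worked through as an added example that is not part of the article or of Oasis Security's research code. It implements standard RFC 6238 TOTP generation and a small verifier whose acceptance window and attempt budget can be set loosely or strictly, then computes the per-session and cumulative odds. The figures (6-digit codes, 30-second steps, codes honoured about 2.5 minutes past expiry, 3% success per session, 24 sessions) are the article's; the verifier, its session-versus-account scoping and its budgets are an assumed model of the behaviour described, not Microsoft's implementation.

```python
"""Added example, not code from Oasis Security or Microsoft: the AuthQuake
arithmetic from the article, next to a small TOTP verifier whose acceptance
window and attempt budget can be set loosely or strictly. The figures (6-digit
codes, 30-second steps, codes honoured ~2.5 minutes past expiry, ~3% success
per session, 24 sessions) come from the article; the verifier itself is an
assumed model of the behaviour described, not Microsoft's implementation."""
import hashlib
import hmac
import math
import struct

CODE_SPACE = 10 ** 6   # six decimal digits
STEP = 30              # RFC 6238 default time step, in seconds


def totp(secret: bytes, t: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for unix time t: HOTP over the counter t // STEP."""
    counter = struct.pack(">Q", int(t // STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Accept a code if it matches the expected code at any step offset in
    `offsets`; refuse once `max_attempts` failures have accrued under `scope`.
    scope="session" models the weakness the researchers describe: opening a
    fresh session starts the count again. scope="account" ties the budget to
    the user no matter how many sessions the attacker opens."""

    def __init__(self, secret: bytes, offsets, max_attempts: int, scope: str):
        self.secret = secret
        self.offsets = list(offsets)
        self.max_attempts = max_attempts
        self.scope = scope
        self.failures = {}  # scope key -> consecutive failed attempts

    def verify(self, code: str, now: float, account: str, session: str) -> bool:
        key = account if self.scope == "account" else (account, session)
        if self.failures.get(key, 0) >= self.max_attempts:
            return False  # budget spent: refuse even a correct code
        for off in self.offsets:
            if hmac.compare_digest(code, totp(self.secret, now + off * STEP)):
                self.failures.pop(key, None)
                return True
        self.failures[key] = self.failures.get(key, 0) + 1
        return False


def permissive_verifier(secret: bytes) -> TotpVerifier:
    """Assumed pre-fix shape: codes accepted for five steps (2.5 min) after
    expiry, and whatever attempt budget exists is reset by a new session."""
    return TotpVerifier(secret, offsets=range(-5, 1), max_attempts=10, scope="session")


def hardened_verifier(secret: bytes) -> TotpVerifier:
    """One step of clock skew either side, and a small budget bound to the account."""
    return TotpVerifier(secret, offsets=(-1, 0, 1), max_attempts=5, scope="account")


def per_session_success(attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit the one valid six-digit code."""
    return min(1.0, attempts / CODE_SPACE)


def cumulative_success(p_session: float, sessions: int) -> float:
    """Chance of at least one hit across `sessions` independent sessions."""
    return 1.0 - (1.0 - p_session) ** sessions


def sessions_to_exceed(p_session: float, target: float = 0.5) -> int:
    """Smallest session count at which cumulative_success passes `target`."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_session))


if __name__ == "__main__":
    p = 0.03  # the article's per-session figure
    # 3% of a million-code space is 30,000 guesses per ~3-minute session
    # (derived from the article's percentage, not a number the article states)
    print("guesses per session for 3%:", round(p * CODE_SPACE))
    print("cumulative after 24 sessions:", round(cumulative_success(p, 24), 3))
    print("first session count past 50%:", sessions_to_exceed(p))
```

The two knobs that matter are visible in `permissive_verifier` versus `hardened_verifier`: how many past steps a code is honoured for, and whether the failure budget follows the account or just the session. With the article's 3% per session, `cumulative_success(0.03, 24)` comes out at about 0.52, and the 50% line is actually crossed one session earlier, at 23.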

Jason Soroko, senior fellow at Sectigo, said AuthQuake exposes significant flaws in Microsoft’s MFA implementation, revealing an important fact: Authentication systems based on shared secrets are inherently vulnerable.

Soroko added that this is essentially a configuration error that everyone should check now. He said all MFA should have rate limiting set to a reasonable level.

“If you can't answer the question of whether you have this vulnerability mitigated with appropriate rate limiting, then stop what you're doing and check,” said Soroko. “Organizations must act to adopt patches and reconsider their reliance on outdated MFA solutions. We must strive toward passwordless authentication solutions, especially for net new implementations.”

Kris Bondi, co-founder and CEO of Mimoto, said the latest report from Oasis Security on AuthQuake highlights significant problems with MFA overall. Bondi said when MFA gets compromised, it quickly switches from a security tool to a significant attack vector.

Bondi added that by gaining access to accounts of the 400 million paid users of Office 365, bad actors would be able to stealthily perform reconnaissance to find the most valuable systems and data. Bondi said attackers could add additional hidden ways in for root access, such as reverse shells, which would bypass future authentication. 

“While MFA is better than the use of credentials alone, it should be considered an organization's minimum acceptable practice, not a state-of-the-art security measure,” said Bondi. “Even when MFA is operating as expected, it's validating an endpoint at a specific point in time, not confirming it's the correct person. Given the ease of getting around MFA and its broad use, it would be hard to understate the severity of this vulnerability. Addressing this issue should rank among an organization’s highest priorities.”

Itzik Alvas, co-founder and CEO at Entro Security, explained that this exploit requires attackers to have a valid username and password, after which they bypass Microsoft's MFA with a brute-force technique: rapidly cycling through possible MFA codes before Microsoft's timeout window expires.

“While Microsoft has resolved the behavior so MFA can no longer be brute-forced, this exploit highlights the importance of frequently rotating passwords and keys, monitoring exposure locations for compromised credentials, and alerting on failed login and access attempts,” said Alvas. “Implementing these measures can significantly reduce risk, even if another MFA exploit were discovered by an attacker.” 

Damir J. Brescic, chief information security officer at Inversion6, said this research points out that MFA is not infallible, and organizations should not rely solely on MFA to secure their systems or critical data. Brescic said while MFA is still a valuable security control, teams should implement it as part of a comprehensive defense-in-depth strategy that includes other measures such as network segmentation, least-privilege access, and ongoing security monitoring.

Here are some of Brescic’s action recommendations:

  • Deploy a privileged access management solution as a second factor, which is less susceptible to this type of a bypass. 
  • Enforce conditional access policies based on users' location.
  • Review the organization's monitoring and detection capabilities — focus on the authentication logs to detect and respond to any type of suspicious activity.
  • Implement additional network security measures, such as intrusion detection/intrusion prevention systems.
  • Segment the critical data behind a bastion host (jump box).
  • Consider looking into biometric authentication methods, which are becoming increasingly reliable and extremely user friendly, such as fingerprint or facial recognition.
  • Research platforms that offer behavioral analytics that can help detect anomalous behavior as well as prevent unauthorized access in real time.
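Alvas's advice to alert on failed login attempts and Brescic's to focus on authentication logs come together in the following added example, which is not Microsoft's monitoring and not part of the article. It scans sign-in log lines for the AuthQuake shape: many MFA failures against one account spread across many fresh sessions within a short window, which is how enumeration looks different from a user who mistypes a code. The JSON log format, the field names, the thresholds and the sample lines are all constructed for the example and do not mirror any vendor's log schema.

```python
"""Added example, not Microsoft's monitoring or Oasis Security's code: flag the
AuthQuake shape, many MFA failures for one account spread across many fresh
sessions in a short window, from sign-in log lines. The JSON log format and
the thresholds are constructed for this example, not a vendor's schema."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)
MAX_FAILURES = 20  # assumed threshold; tune to the tenant's normal failure rate
MIN_SESSIONS = 3   # legitimate fumbling happens in one session; enumeration does not


def parse_line(line: str) -> dict:
    """Each line: {"ts": ISO-8601, "user": ..., "session": ..., "result": ...}."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines):
    """Sliding-window count of MFA failures per user (lines in time order).
    Returns one alert per user, raised the first time both thresholds trip."""
    recent = defaultdict(deque)  # user -> deque of (ts, session) for failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev["result"] != "mfa_failed":
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["session"]))
        while ev["ts"] - q[0][0] > WINDOW:  # drop failures older than the window
            q.popleft()
        sessions = {s for _, s in q}
        if (len(q) >= MAX_FAILURES and len(sessions) >= MIN_SESSIONS
                and ev["user"] not in alerted):
            alerted.add(ev["user"])
            alerts.append({"user": ev["user"], "failures": len(q),
                           "sessions": len(sessions), "at": ev["ts"].isoformat()})
    return alerts


def sample_lines():
    """Constructed sample: 'alice' absorbs 30 MFA failures across six sessions in
    90 seconds (the attack shape); 'bob' mistypes his code three times in one session."""
    base = datetime(2024, 12, 11, 9, 0, tzinfo=timezone.utc)
    events = [{"ts": base + timedelta(seconds=3 * i), "user": "alice",
               "session": f"sess-{i // 5}", "result": "mfa_failed"} for i in range(30)]
    events += [{"ts": base + timedelta(seconds=100 + 10 * i), "user": "bob",
                "session": "sess-b", "result": "mfa_failed"} for i in range(3)]
    events.append({"ts": base + timedelta(seconds=130), "user": "bob",
                   "session": "sess-b", "result": "success"})
    events.sort(key=lambda e: e["ts"])
    return [json.dumps({**e, "ts": e["ts"].isoformat()}) for e in events]


if __name__ == "__main__":
    for alert in detect(sample_lines()):
        print(alert)
```

Counting distinct sessions alongside failures is the point: a per-session lockout that an attacker resets by opening a new session leaves no trace in any single session, but the account-level view still shows the burst. On the sample, only "alice" trips the rule, at her 20th failure across four sessions.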
