Researchers Crack Microsoft Azure MFA in an Hour

A critical flaw in the company’s rate limit for failed sign-in attempts allowed unauthorized access to a user account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.

Researchers cracked a Microsoft Azure method for multifactor authentication (MFA) in about an hour, due to a critical vulnerability that allowed them unauthorized access to a user’s account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.

Researchers at Oasis Security discovered the flaw, which existed because there was no rate limit on the number of times someone could submit an MFA code and fail while trying to access an account, they revealed in a blog post on Dec. 11. The flaw exposed the more than 400 million paid Microsoft 365 seats to potential account takeover, they said.

When signing into a Microsoft account, a user supplies their email and password and then selects a pre-configured MFA method. In the method the researchers tested, Microsoft sends the user a code through a separate channel, which the user then enters to complete sign-in.

The researchers achieved the bypass, which they dubbed “AuthQuake,” by “rapidly creating new sessions and enumerating codes,” Tal Hason, an Oasis research engineer, wrote in the post. This allowed them to demonstrate “a very high rate of attempts that would quickly exhaust the total number of options for a 6-digit code,” which is 1 million, he explained.

“Simply put — one could execute many attempts simultaneously,” Hason wrote. Moreover, during the multiple failed attempts to sign in, account owners did not receive any alert about the activity, “making this vulnerability and attack technique dangerously low profile,” Hason wrote.

Oasis reported the issue to Microsoft, which acknowledged it in June and fixed it permanently by Oct. 9, the researchers said. “While specific details of the changes are confidential, we can confirm that Microsoft introduced a much stricter rate limit that kicks in after a number of failed attempts; the strict limit lasts around half a day,” Hason wrote.
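As an added illustration (not code from Oasis or Microsoft), the following Python models why scoping a failure counter to each sign-in session is not enough: every freshly created session starts with a clean budget, so parallel sessions add up to the code-space exhaustion described above, whereas a counter keyed on the account gives all sessions one shared budget and one lockout. The `MfaVerifier` and `simulate_enumeration` names, the threshold of 10 failures and the assumption that the pre-fix limit was per session are constructed for this example; the 12-hour lockout follows the "around half a day" figure from the post, and Microsoft's real threshold is undisclosed.

```python
import time
from collections import defaultdict

CODE_SPACE = 10**6           # a 6-digit code has one million possible values
MAX_FAILURES = 10            # constructed threshold; the real post-fix value is undisclosed
LOCKOUT_SECONDS = 12 * 3600  # "around half a day", as the post describes the fix


class MfaVerifier:
    """Checks a 6-digit code. scope="session" keys the failure counter on (account,
    session), so each fresh session gets a clean budget (the weak design); scope="account"
    keys it on the account, so parallel sessions share one budget and one lockout."""

    def __init__(self, scope, now=time.time):
        assert scope in ("session", "account")
        self.scope = scope
        self.now = now
        self.failures = defaultdict(int)
        self.locked_until = {}

    def _key(self, account, session):
        return (account, session) if self.scope == "session" else account

    def verify(self, account, session, expected, submitted):
        key = self._key(account, session)
        t = self.now()
        if self.locked_until.get(key, 0) > t:
            return "locked"          # rejected without evaluating the code at all
        if submitted == expected:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.locked_until[key] = t + LOCKOUT_SECONDS
        return "wrong"


def simulate_enumeration(scope, sessions, attempts_per_session, expected="999999"):
    """Feed wrong guesses through many freshly created sessions and return how many
    guesses the verifier actually evaluated rather than rejecting as locked."""
    verifier = MfaVerifier(scope)
    evaluated = 0
    guess = 0                        # constructed guesses 000000, 000001, ... never hit "999999" here
    for session_id in range(sessions):
        for _ in range(attempts_per_session):
            result = verifier.verify("victim", f"session-{session_id}", expected, f"{guess:06d}")
            guess += 1
            evaluated += result == "wrong"   # "locked" responses never evaluated the code
    return evaluated
```

With 100 sessions of 10 attempts each, the per-session design evaluates all 1,000 guesses while the per-account design evaluates only the first 10 before the lockout takes hold.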

Elisabeth Montalbano