A new critical security flaw in Microsoft’s multi-factor authentication (MFA) system has been discovered. It enables attackers to easily bypass the protection and gain unauthorized access to user accounts. Review this Cybersecurity Threat Advisory to learn how to mitigate your risk.
What is the threat?
This vulnerability sits in the time-based one-time password (TOTP) system used in MFA solutions. Microsoft’s implementation lets bad actors submit six-digit codes repeatedly because of an inadequate rate-limiting mechanism. Additionally, the codes remain valid for three minutes—far longer than the standard 30 seconds—significantly increasing the likelihood of a successful attack.
By rapidly initiating multiple sessions and executing brute-force attempts, bad actors are achieving a success rate of over 50 percent within just 70 minutes. The speed and sophistication of this attack method leave users unaware of any ongoing breach.
Why is it noteworthy?
This vulnerability enables attackers to bypass the second layer of authentication and gain access to services such as Outlook, OneDrive, Teams, and Azure Cloud. The bypass requires minimal time and effort, taking as little as an hour to execute. Furthermore, it does not require any user interaction, and account holders are not notified when the breach occurs.
What is the exposure or risk?
Currently, millions of accounts using Microsoft’s MFA system are at risk of unauthorized access. While MFA is a powerful defense, its effectiveness relies on key configurations, such as rate limiting to prevent brute-force attacks and user notifications for failed login attempts. These features are essential for giving users the visibility to detect suspicious activity early and respond quickly.
What are the recommendations?
Barracuda recommends the following actions to protect your environment against this exposure:
- Ensure all Microsoft tools and services are updated with the latest patches.
- Use access policies to restrict login attempts based on location, device, or risk level.
- Leverage a proactive monitoring service like Barracuda XDR Cloud Security to detect and alert on any unusual login activity.
- Review login logs regularly for unusual or unauthorized activity (in this case, failed logins exceeding certain predefined thresholds).
- Train employees to recognize phishing attempts and avoid approving suspicious MFA prompts.
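The threshold check in the log-review recommendation above, as an added example (not Barracuda’s code, and not Microsoft’s sign-in log format): it reads a constructed, simplified sign-in log and alerts on any account whose failed code verifications inside a sliding three-minute window (the code validity described in this advisory) reach a threshold. The threshold of 10 is an assumed value to tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def fmt(ts):
    return ts.strftime(TS_FMT)


def build_sample_log():
    """Constructed sample log in a simplified "<time> <user> <result>" form.
    alice: 12 failed verifications in under a minute (a rapid guessing session);
    bob: 3 failures spread over ten minutes (ordinary mistyped codes);
    carol: a single successful verification."""
    base = datetime(2024, 12, 11, 10, 0, 0)
    lines = [f"{fmt(base + timedelta(seconds=5 * i))} alice@example.com mfa_failed"
             for i in range(12)]
    lines += [f"{fmt(base + timedelta(minutes=4 * i))} bob@example.com mfa_failed"
              for i in range(3)]
    lines.append(f"{fmt(base + timedelta(minutes=1))} carol@example.com mfa_success")
    return "\n".join(lines)


def parse_line(line):
    ts, user, result = line.split()
    return datetime.strptime(ts, TS_FMT), user, result


def detect_mfa_bruteforce(log_text, threshold=10, window=timedelta(minutes=3)):
    """Return {user: (alert_time, failures_in_window)} for every user whose
    failed MFA verifications inside a sliding `window` reach `threshold`.
    The window defaults to the three-minute code validity the advisory
    describes, so repeated guesses against one code are counted together.
    The threshold of 10 is an assumed, tunable value."""
    failures = defaultdict(deque)  # per-user timestamps of recent failures
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, user, result = parse_line(line)
        if result != "mfa_failed":
            continue
        recent = failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= threshold and user not in alerts:
            alerts[user] = (ts, len(recent))
    return alerts


if __name__ == "__main__":
    for user, (when, count) in detect_mfa_bruteforce(build_sample_log()).items():
        print(f"ALERT {fmt(when)} {user}: {count} failed MFA codes within 3 minutes")
```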
References
For more in-depth information on the above recommendations, please visit the following links:
- https://thehackernews.com/2024/12/microsoft-mfa-authquake-flaw-enabled.html
- https://www.infosecurity-magazine.com/news/microsoft-azure-mfa-flaw-access/
- https://cyberhoot.com/blog/microsofts-authquake-mfa-flaw/
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.