Update, Dec. 14, 2024: This story, originally published Dec. 13, now includes a statement from Microsoft about the 2FA bypass vulnerability and the impact it has observed on users.
Security researchers have revealed how they discovered a critical Microsoft vulnerability in the two-factor authentication defenses meant to protect users against hacker attacks. The vulnerability, which Microsoft has now remediated, put 400 million users of Office 365 at risk of a 2FA bypass attack requiring no user interaction, triggering no alerts and only taking an hour to complete. Here's what you need to know.
A new report from Oasis Security has gone into technical detail on how researchers were able to uncover a critical two-factor authentication bypass vulnerability that potentially impacted Microsoft accounts providing access to Outlook emails, OneDrive files, Teams chats and the Azure cloud. "Microsoft has more than 400 million paid Office 365 seats," the researchers warned, "making the consequences of this vulnerability far-reaching."
Far-reaching indeed, yet the actual exploit itself was shockingly simple: it got around a limit of 10 failed code attempts, enabling an attacker to run a large number of attempts simultaneously and quickly exhaust every possible value of a 6-digit two-factor authentication code.
"The limit of 10 consequent fails was only applied to the temporary session object," the researchers explained, "which can be regenerated by repeating the described process, with not enough of a rate limit." What made matters worse, a lot worse in fact, was that during this attack process the account holder was not made aware of any failed attempts by email or any other alerting mechanism, so the attacker could stay under the radar and continue at their leisure.
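The design flaw the researchers describe, a failure counter that lives on a disposable session object and an account owner who is never told about the failures, can be illustrated with a small simulation. The code below is an added example written for this article, not code from Oasis Security or Microsoft; the limiter classes, the account name, the 15-minute lockout window and the sequential guessing model are all constructed assumptions. It contrasts a counter keyed on the session (which a fresh session resets) with one keyed on the account (which persists across sessions and raises a notification), and measures how many guesses each design actually lets through.

```python
"""Per-session vs per-account 2FA failure limiting (constructed demo)."""
import secrets
import time

MAX_FAILS = 10          # the 10-attempt limit the article describes
LOCKOUT_SECONDS = 900   # constructed value for the hardened limiter


class PerSessionLimiter:
    """Weak design: the failure counter hangs off the temporary session
    object, so opening a fresh session starts again at zero fails."""

    def __init__(self):
        self.sessions = {}

    def new_session(self, account):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"account": account, "fails": 0}
        return sid

    def verify(self, sid, guess, true_code):
        sess = self.sessions[sid]
        if sess["fails"] >= MAX_FAILS:
            return "locked"
        if guess == true_code:
            return "ok"
        sess["fails"] += 1
        return "wrong"


class PerAccountLimiter(PerSessionLimiter):
    """Hardened design: failures are counted per account across every
    session, with a lockout window and a notification hook for the owner."""

    def __init__(self, clock=time.time, notify=None):
        super().__init__()
        self.clock = clock
        self.notify = notify or (lambda account, count: None)
        self.account_fails = {}  # account -> [count, first_fail_timestamp]

    def verify(self, sid, guess, true_code):
        account = self.sessions[sid]["account"]
        count, started = self.account_fails.get(account, [0, 0.0])
        now = self.clock()
        if count >= MAX_FAILS and now - started < LOCKOUT_SECONDS:
            return "locked"          # locked no matter which session asks
        if count >= MAX_FAILS:
            count, started = 0, 0.0  # lockout window has expired: reset
        if guess == true_code:
            self.account_fails.pop(account, None)
            return "ok"
        count += 1
        started = started or now
        self.account_fails[account] = [count, started]
        if count == MAX_FAILS:
            self.notify(account, count)  # the owner hears about the burst
        return "wrong"


def simulate_guessing(limiter, account, true_code, budget):
    """Model a guesser who walks the code space sequentially and opens a new
    session whenever the current one is locked. Returns what the limiter
    actually allowed: whether the code was reached, how many guesses were
    checked, and how many sessions it took."""
    sid = limiter.new_session(account)
    sessions, accepted = 1, 0
    for guess in range(budget):
        result = limiter.verify(sid, guess, true_code)
        if result == "locked":
            sid = limiter.new_session(account)
            sessions += 1
            result = limiter.verify(sid, guess, true_code)
            if result == "locked":  # a new session did not help: give up
                return {"found": False, "accepted": accepted, "sessions": sessions}
        accepted += 1
        if result == "ok":
            return {"found": True, "accepted": accepted, "sessions": sessions}
    return {"found": False, "accepted": accepted, "sessions": sessions}


if __name__ == "__main__":
    account, code = "alice@example.test", 1500  # constructed sample values
    print("per-session:", simulate_guessing(PerSessionLimiter(), account, code, 10**6))
    alerts = []
    hardened = PerAccountLimiter(notify=lambda a, n: alerts.append((a, n)))
    print("per-account:", simulate_guessing(hardened, account, code, 10**6))
    print("alerts raised:", alerts)
```

With the per-session limiter the guesser simply rotates sessions every ten failures and walks through the whole code space; with the per-account limiter the eleventh guess is refused regardless of how many sessions are opened, and the owner is notified. An account-wide lockout does mean a determined attacker can lock the legitimate user out, which is why real deployments pair it with a time window rather than a permanent block.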
I reached out to Microsoft for a statement, and a spokesperson told me: "We appreciate the partnership with Oasis security in responsibly disclosing this issue. We have already released an update and no customer action is required."
Oasis reported the flaw to Microsoft, which confirmed the vulnerability on June 24 and deployed a permanent fix on Oct. 9. The Oasis researchers said that the full details of the fix remain confidential but confirmed that a stricter 2FA failure rate limit was introduced.
In further conversation with Microsoft, and to add context to the reported vulnerability and exploit methodology, I was told that Microsoft has security monitoring in place to detect just this type of 2FA bypass abuse. The Microsoft spokesperson said that the company had "not seen any evidence this technique has been used against our customers."
This kind of exploit is not confined to Microsoft; 2FA bypass attacks are far from uncommon across most popular platforms. However, most 2FA bypass attacks do not take this direct route of defeating a failure rate limiter: a specific vulnerability, as in this case, would first have to be identified for that to happen. Instead, what we tend to see are exploit kits such as Rockstar 2FA in action. This phishing-as-a-service kit, which has been seen targeting Microsoft and Google users, is available to rent for as little as a couple of hundred dollars a week.
The common factor in most such attacks is using phishing tactics to redirect the target to a legitimate-looking site where they are asked to log in. When the user enters their 2FA code, the attacker intercepts and stores the session cookie. This cookie flags the user session as fully authenticated and, once in an attacker's possession, lets them replay that session as the authenticated user.