Oasis Security Unveils Major Microsoft MFA Flaw, 400 Million Accounts at Risk
December 11, 2024
The vulnerability allowed attackers to make up to 10 failed code submissions per session without triggering an alert or lockout, and because nothing limited how many new sessions could be opened, the per-session cap was effectively no cap at all. That made guessing time-based one-time passwords (TOTP) far easier than it should be.
The vulnerability has been remediated by Microsoft, which confirmed the issue in June 2024 and rolled out a permanent fix by October 2024.
Oasis Security recommends that organizations implement strict rate limits and lock accounts after consecutive failed attempts to enhance overall security.
Oasis Security has uncovered a critical vulnerability in Microsoft's multifactor authentication (MFA) system, dubbed AuthQuake by the researchers, which put more than 400 million paid Microsoft 365 accounts, including Outlook, OneDrive, and Teams, at risk.
By opening many sessions at once and submitting guesses in parallel, an attacker could work through the 1 million possible 6-digit codes quickly enough to have a realistic chance of hitting a valid one, bypassing MFA without any interaction from the account owner, who received no notification.
Researchers also found that a code could remain accepted for up to about 3 minutes. TOTP is built on 30-second time steps (RFC 6238), and a verifier normally tolerates only a step or so of clock drift; accepting codes for roughly 3 minutes means several codes are valid at any moment, multiplying the attacker's odds on every guess.
In response to the vulnerability, Microsoft has implemented stricter rate limits on failed login attempts, which remain in effect for about half a day after reaching a threshold.
Testing indicated that after approximately 70 minutes of attempts across 24 sessions, attackers had over a 50% chance of successfully guessing a valid code, underscoring the vulnerability's severity.
To bolster MFA security, Oasis recommends using authenticator apps or strong passwordless methods, alongside implementing email alerts for failed MFA attempts.
Experts stress that while MFA is a robust security measure, its effectiveness hinges on proper configuration, including rate limits and user notifications.
Users are advised to stay vigilant and consider additional security measures to protect against such vulnerabilities.
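To make the two weaknesses above concrete (an attempt budget that resets with every new session, and a code-validity window several times wider than the 30-second step) and the recommended fix (rate limits and lockout keyed to the account), here is an added, self-contained Python example. It is not Microsoft's code or Oasis Security's proof of concept: the `MfaVerifier` class, its parameter names, the choice of a 900-second lockout, and the mapping of the "about 3 minutes" window onto six past 30-second steps are all assumptions made for illustration. The probability helpers use a simplified model (every guess is an independent draw from the 10^6 codes) and are not a reproduction of Oasis's 24-session, 70-minute measurement; the TOTP itself follows RFC 4226/6238 using only the standard library.

```python
import hashlib
import hmac
import math
import struct
from collections import defaultdict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, now // step, digits)


def guess_success_probability(accepted_codes: int, guesses: int, digits: int = 6) -> float:
    """Chance that at least one of `guesses` random codes hits one of the
    `accepted_codes` values the verifier currently accepts (simplified model:
    each guess is an independent draw from the 10**digits code space)."""
    p_hit = accepted_codes / 10 ** digits
    return 1.0 - (1.0 - p_hit) ** guesses


def guesses_for_probability(accepted_codes: int, target: float, digits: int = 6) -> int:
    """Random guesses needed to reach `target` success probability under the same model."""
    p_hit = accepted_codes / 10 ** digits
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_hit))


class MfaVerifier:
    """TOTP verifier whose failure budget is keyed by account, never by session.

    window_steps: how many *past* 30-second steps are still accepted. 1 is a
    normal clock-drift allowance; 6 is our assumed stand-in for the roughly
    3-minute validity reported for AuthQuake.
    """

    def __init__(self, secret: bytes, window_steps: int = 1, max_failures: int = 5,
                 lockout_seconds: int = 900, step: int = 30):
        self.secret = secret
        self.window_steps = window_steps
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds  # assumed value, not a Microsoft setting
        self.step = step
        self._failures = defaultdict(int)  # account -> consecutive failed codes
        self._locked_until = {}            # account -> unix time the lock expires

    def accepted_codes(self, now: int) -> set:
        current = now // self.step
        return {hotp(self.secret, current - d) for d in range(self.window_steps + 1)}

    def verify(self, account: str, code: str, now: int, session_id: str = "") -> str:
        """Return 'ok', 'bad_code' or 'locked'. `session_id` is accepted but
        deliberately ignored for limiting: opening a fresh session must not
        hand the attacker a fresh budget."""
        if self._locked_until.get(account, 0) > now:
            return "locked"
        # compare_digest keeps the comparison constant-time per candidate
        if any(hmac.compare_digest(code, valid) for valid in self.accepted_codes(now)):
            self._failures[account] = 0
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            # Lock the account; a real deployment would also alert the user here.
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account] = 0
        return "bad_code"


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector seed); not a real key.
    secret = b"12345678901234567890"
    now = 1_700_000_000
    print("weak window, 120k guesses:", round(guess_success_probability(7, 120_000), 3))
    print("strict window, 120k guesses:", round(guess_success_probability(2, 120_000), 3))
    weak, strict = MfaVerifier(secret, window_steps=6), MfaVerifier(secret, window_steps=1)
    stale = totp(secret, now - 5 * 30)  # code from 2.5 minutes ago
    print("stale code, weak verifier:", weak.verify("alice", stale, now))
    print("stale code, strict verifier:", strict.verify("alice", stale, now))
```

The two levers are independent: shrinking `window_steps` cuts the number of simultaneously valid codes, so each guess is worth less, while counting failures per account and locking after `max_failures` caps how many guesses the attacker gets regardless of how many sessions they open. Neither helps if the counter lives in the session rather than against the account, which is the shape of the original flaw.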
Cybersecurity researcher Jason Soroko highlighted the serious implications of this incident for Microsoft's MFA implementation, urging organizations to adopt more stringent security measures.
Summary based on 7 sources
Sources

Forbes • Dec 13, 2024
400 Million Microsoft Users Put At Risk From No Interaction 2FA Bypass
The Hacker News • Dec 11, 2024
Microsoft MFA AuthQuake Flaw Enabled Unlimited Brute-Force Attempts Without Alerts
Dark Reading • Dec 11, 2024
Researchers Crack Microsoft Azure MFA in an Hour
SecurityWeek • Dec 12, 2024
Microsoft MFA Bypassed via AuthQuake Attack