Oasis Security Research Team Discovers Microsoft Azure MFA Bypass: We Expect More From An Enterprise Provider Though


Oasis Security’s research team uncovered a critical vulnerability in Microsoft’s Multi-Factor Authentication (MFA) implementation, allowing attackers to bypass it and gain unauthorized access to the user’s account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more. Microsoft has more than 400 million paid Office 365 seats, making the consequences of this vulnerability far-reaching.

The bypass was simple: it took around an hour to execute, required no user interaction, and did not generate any notification or provide the account holder with any indication of trouble.

The news surfaced in the last week, so Microsoft has already addressed the issue. For me, though, the real news is that a global enterprise-level IT company should not have had such basic guardrails missing. It really appears that Microsoft had knowingly relaxed some measures around its 2FA to allow for convenience. But surely a lack of attack rate limiting is just unforgivable. One of the basics I always employ on my servers and blog is attack rate limiting with lengthy blocks in place. If anyone has to guess a password or 2FA more than 3 times, there is something wrong.
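The rate limiting with lengthy blocks described above, sketched as an added example (not code from the original post or from Microsoft): failed second-factor guesses are counted per account, and the third failure starts a block during which no guess is evaluated. The class and function names, the one-hour block length and the sample code values are assumptions made for illustration.

```python
import hmac
import time

MAX_FAILURES = 3            # from the post: needing more than 3 guesses means something is wrong
LOCKOUT_SECONDS = 60 * 60   # "lengthy block"; the one-hour value is an assumption


class CodeAttemptLimiter:
    """Counts failed second-factor guesses per account and blocks after MAX_FAILURES."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # account -> consecutive failed guesses
        self._locked_until = {}  # account -> time at which the block expires

    def is_locked(self, account):
        return self._clock() < self._locked_until.get(account, 0.0)

    def verify(self, account, submitted, expected):
        """Return 'ok', 'denied' or 'locked' for one guess against this account."""
        if self.is_locked(account):
            return "locked"      # during a block even a correct code is not evaluated
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= MAX_FAILURES:
            # Keyed by account, so opening a new session or changing IP does not reset it.
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            self._failures.pop(account, None)
            return "locked"
        return "denied"


def demo():
    """Replay constructed guesses against one account using a controllable clock."""
    now = [1000.0]
    limiter = CodeAttemptLimiter(clock=lambda: now[0])
    guesses = ("000000", "000001", "000002", "492817")  # constructed sample values
    results = [limiter.verify("alice", g, "492817") for g in guesses]
    now[0] += LOCKOUT_SECONDS + 1                       # the block has expired
    results.append(limiter.verify("alice", "492817", "492817"))
    return results


if __name__ == "__main__":
    print(demo())
```

The lockout events themselves are worth logging and alerting on, since a block on an account whose owner did not trigger it is an indication that someone else is guessing.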

Microsoft has had so many security fumbles over time that it is quite amazing that their monopoly in the workplace goes unchallenged. It seems Microsoft cares very little about their customers, as long as the money is rolling in, and if that eases, they just change the licensing parameters a bit. The recent Microsoft Recall feature was just another example of completely failing to appreciate their customers’ privacy, and that was also only addressed after a major outcry.

Microsoft probably has too much inertia, but actually there are some pretty good alternatives around if one takes a little trouble to rise out of the deep rut. The combination of pretty admin tools, AI, and cloud services has unfortunately made many admins way too lazy today. I think the quality of our admins on the edge is a lot weaker than it used to be two decades back. All this usually means an even greater reliance on Microsoft where it is used in a corporate environment.

Security is about keeping it simple, and having a reasonable depth of knowledge about what is being managed.

See https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass
