Security researchers have flagged a critical vulnerability in Microsoft’s multi-factor authentication (MFA) system, called “AuthQuake,” that could allow attackers to bypass protections and gain unauthorized account access.  Their report[1] details how the flaw required no user interaction, did not generate alerts, and took less than an hour to execute.  While multi-factor authentication (MFA) is a solid security mechanism, flaws like this one make it a double-edged sword, because users place a great deal of trust in it and interact with it routinely.

The vulnerability affects one of several ways Microsoft authenticates users, specifically the method that involves entering a six-digit, one-time code from an authenticator app.  These codes are normally active for only 30 seconds before they are rotated.  Researchers found that, due to a lack of rate limiting, the flaw allowed codes to remain valid for up to three minutes, giving an attacker enough attempts to brute-force all possible code combinations and start new login sessions without the victim being notified.

Although Microsoft has addressed the issue by implementing stricter rate limits and now locks accounts after several failed login attempts, the researchers warn that effective MFA requires additional safeguards, such as immediate user notifications for failed logins and robust rate-limiting mechanisms.  MFA is an essential part of cybersecurity best practice, but its efficacy depends on proper configuration so that suspicious activity triggers a rapid response.
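As an added illustration, not code from this article or from the researchers' report, the following Python shows a server-side check for the six-digit, 30-second codes described above with the two controls the article says were missing: a tight acceptance window and per-account failure counting with lockout.  The window size, failure threshold and lockout duration are assumed values for the demonstration, not Microsoft's actual settings; the code generator follows RFC 6238 (HMAC-SHA1, 30-second step) and the seed used in the test is the RFC's own test vector.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the six-digit, 30-second code the article describes."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

class TotpVerifier:
    """Server-side verifier with a bounded acceptance window and per-account lockout.
    Thresholds below are assumed for the example, not a vendor's real configuration."""

    def __init__(self, secret: bytes, window_steps: int = 1,
                 max_failures: int = 5, lockout_seconds: int = 900) -> None:
        self.secret = secret
        self.window_steps = window_steps          # 1 = accept previous, current and next code
        self.max_failures = max_failures          # consecutive failures before lockout
        self.lockout_seconds = lockout_seconds
        self.state = {}                           # account -> (failures, locked_until)

    def verify(self, account: str, code: str, now: int) -> str:
        failures, locked_until = self.state.get(account, (0, 0))
        if now < locked_until:
            return "locked"                       # refuse even a correct code while locked
        for delta in range(-self.window_steps, self.window_steps + 1):
            expected = totp(self.secret, now + delta * 30)
            if hmac.compare_digest(expected, code):
                self.state.pop(account, None)     # success clears the failure counter
                return "ok"
        failures += 1
        if failures >= self.max_failures:
            self.state[account] = (0, now + self.lockout_seconds)
            return "locked"
        self.state[account] = (failures, locked_until)
        return "fail"

def brute_force_bound(attempts: int, valid_codes: int = 1, digits: int = 6) -> float:
    """Upper bound (union bound) on the chance that `attempts` distinct guesses hit one of
    `valid_codes` codes accepted at the same moment; unthrottled guessing drives this to 1."""
    return min(1.0, attempts * valid_codes / 10 ** digits)
```

A window of six steps (three minutes) accepts a code long after the 30-second rotation, which is why the window and the attempt limit have to be tightened together.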

The discovery of AuthQuake underscores how important thorough security policies around authentication systems are, and that even widely used measures like MFA must be properly implemented, tested, and updated so that organizations and users are protected against threat actors looking for low-hanging fruit in the form of such vulnerabilities.[2]

Link to full video: https://youtu.be/E0Kt6LUZc0w

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

[1] https://pages.oasis.security/rs/106-PZV-596/images/oasis-security-authquake-mfa-bypass.pdf/

[2] https://www.sentinelone.com/cybersecurity-101/cybersecurity/what-is-a-security-vulnerability/
