Oasis Security Research Team Discovers Microsoft Azure MFA Bypass

2024-12-12

Oasis Security's research team discovered a critical vulnerability in Microsoft Azure's Multi-Factor Authentication (MFA) implementation. An attacker could bypass MFA and gain unauthorized access to user accounts, including Outlook, OneDrive, Teams, and Azure Cloud. The attack exploited the absence of rate limiting: by rapidly creating new sessions and enumerating codes across them, an attacker could work through all one million possibilities of a 6-digit code without triggering any alert. Microsoft has since implemented a stricter rate limit to address the issue. The finding highlights the importance of enabling MFA and of monitoring failed attempts.
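The attack pattern described above (open many fresh sessions, give each its own run at the code space) comes down to which key a failed-attempt counter is attached to. The following is an added example, not code from Oasis Security or Microsoft, and it says nothing about how Entra ID's limiter is or was actually keyed: the secret, the account name, the fixed timestamp and the limit of 10 failures are all constructed. It implements RFC 6238 TOTP, then runs the same 6-digit enumeration against a verifier that counts failures per session and one that counts them per account.

```python
"""Added example (not Oasis Security's or Microsoft's code): why a failed-
attempt limit on an OTP must be keyed by account, not by session.

Everything below is constructed for illustration: the secret, the account
name, the fixed timestamp and the limit of 10 failures. It does not describe
how Entra ID's limiter is actually keyed."""
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret-0001"   # constructed; never reuse a real seed
ACCOUNT = "alice@example.test"             # constructed account name
NOW = 1_733_961_600                        # fixed Unix time so runs are repeatable


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step, digits)


class OtpVerifier:
    """Checks a 6-digit code and counts failures under one of two keys."""

    def __init__(self, secrets: dict, key_by: str, max_failures: int = 10):
        if key_by not in ("session", "account"):
            raise ValueError("key_by must be 'session' or 'account'")
        self.secrets = secrets
        self.key_by = key_by
        self.max_failures = max_failures
        self.failures: dict = {}     # counter key -> failed attempts so far
        self.alerts: list = []       # (account, key) pairs that hit the limit
        self._expected: dict = {}    # account -> (time step, code); cache only

    def verify(self, account: str, session: str, code: str, now: int) -> str:
        key = session if self.key_by == "session" else account
        if self.failures.get(key, 0) >= self.max_failures:
            return "locked"
        step = now // 30
        cached = self._expected.get(account)
        if cached is None or cached[0] != step:
            cached = (step, totp(self.secrets[account], now))
            self._expected[account] = cached
        if hmac.compare_digest(cached[1], code):
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] == self.max_failures:
            self.alerts.append((account, key))   # where monitoring would hook in
        return "bad"


def enumerate_codes(verifier: OtpVerifier, account: str, now: int) -> dict:
    """Attacker model from the post: walk the 6-digit space, and whenever the
    current session is locked out, open a fresh session and keep going."""
    session_n, attempts = 0, 0
    for candidate in range(10 ** 6):
        code = str(candidate).zfill(6)
        result = verifier.verify(account, f"s{session_n}", code, now)
        if result == "locked":
            session_n += 1                     # fresh session, fresh counter?
            result = verifier.verify(account, f"s{session_n}", code, now)
            if result == "locked":
                break                          # counter is per account: stuck
        attempts += 1
        if result == "ok":
            return {"found": True, "attempts": attempts, "sessions": session_n + 1}
    return {"found": False, "attempts": attempts, "sessions": session_n + 1}


def demo() -> tuple:
    """Run the same enumeration against both counter keys."""
    secrets = {ACCOUNT: SECRET}
    weak = enumerate_codes(OtpVerifier(secrets, "session"), ACCOUNT, NOW)
    strong = enumerate_codes(OtpVerifier(secrets, "account"), ACCOUNT, NOW)
    return weak, strong


if __name__ == "__main__":
    weak, strong = demo()
    print("per-session counter:", weak)      # found; attempts == code value + 1
    print("per-account counter:", strong)    # locked after 10 failures (unless code < 10)
```

The two runs differ only in the counter key. With a per-session counter the enumeration always succeeds, needing one new session per ten failures; with a per-account counter it stops after the tenth failure regardless of how many sessions are opened. Note that even the session-keyed verifier records one alert entry per locked session, all for the same account: aggregating failed attempts by account in the logs is the monitoring the post recommends, and it would have made the burst visible even before the limiter was fixed.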