Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
  • AI
  • Tech
  • Cybersecurity
  • Finance
  • DeFi & Blockchain
  • Startups
  • Gaming
Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
Dataconomy
No Result
View All Result

Millions of Office 365 accounts vulnerable after shocking MFA bypass

The vulnerability revolves around the time-based one-time password (TOTP) system

byKerem Gülen
December 12, 2024
in News, Cybersecurity

A critical vulnerability in Microsoft’s Multi-Factor Authentication (MFA) system has left millions of accounts exposed to unauthorized access. Discovered by Oasis Security, the flaw allows attackers to bypass MFA, impacting over 400 million Office 365 paid users. Exploitation of this weakness permits access to services like Outlook, OneDrive, and Azure Cloud with minimal effort. Microsoft has confirmed the issue and has implemented fixes.

Microsoft’s MFA vulnerability exposes millions to unauthorized access

The vulnerability revolves around the time-based one-time password (TOTP) system. Attackers could exploit insufficient rate-limiting mechanisms, granting them the ability to guess six-digit codes repeatedly. Users had up to three minutes—significantly longer than the standard interval of 30 seconds—during which these codes remained valid. This significantly increased the likelihood of a successful attack: attackers could achieve over a 50% success rate within approximately 70 minutes by initiating multiple sessions.

In the blog post detailing the findings, Oasis researchers detailed their method of exploitation, which they termed “AuthQuake.” They tested the flaw by rapidly creating new sessions and enumerating codes, demonstrating a high rate of simultaneous attempts that could exhaust the possible six-digit combinations quickly. These tactics were executed without user interference or alerts, making the attack method discreet.

Stay Ahead of the Curve!

Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.

After being informed of the vulnerability, Microsoft released a temporary patch on July 4, 2024, followed by a permanent solution on October 9, 2024. The latter integrated stricter rate limits that reduce the number of attempts an attacker can make in a given time frame, enhancing security measures against such exploits.

Despite the resolution of this specific flaw, security experts underscore the critical need for continued vigilance. Recommendations for organizations using MFA include enforcing alerts for failed authentication attempts and regularly reviewing security configurations to identify potential vulnerabilities. Kris Bondi, Mimoto CEO, stressed the importance of treating MFA as a minimum acceptable practice rather than a state-of-the-art security measure. He indicated that even when MFA functions correctly, it only verifies the endpoint at a given moment, not necessarily confirming the user’s identity.


Microsoft Teams will stop working on older versions of Windows and macOS


Experts also advise against reliance on outdated MFA solutions. Jason Soroko, senior fellow at Sectigo, echoed the sentiment, emphasizing the need for organizations to adopt updated patches and consider moving towards passwordless authentication solutions for new implementations.

Emerging best practices include integrating mail alerts to notify users of unsuccessful MFA attempts while ensuring that MFA systems enforce rate limits that prevent indefinite sign-in trials. Organizations are also urged to implement measures that lock accounts after numerous failed attempts to thwart potential attackers.


Featured image credit: Ed Hardie/Unsplash

Tags: CybersecurityMicrosoft 365

Related Posts

Z.AI GLM-4.6 boosts context window to 200K tokens

Z.AI GLM-4.6 boosts context window to 200K tokens

October 2, 2025
OpenAI releases Sora 2, iOS app with real-world inserts

OpenAI releases Sora 2, iOS app with real-world inserts

October 2, 2025
Bitrig: SwiftUI apps from voice using Apple Intelligence

Bitrig: SwiftUI apps from voice using Apple Intelligence

October 2, 2025
Bengio warns hyper-AI preservation goals threaten humanity

Bengio warns hyper-AI preservation goals threaten humanity

October 2, 2025
Apple TV 4K to feature A17 Pro chip and Apple Intelligence

Apple TV 4K to feature A17 Pro chip and Apple Intelligence

October 2, 2025
Instagram tests Reels-first home tab in India

Instagram tests Reels-first home tab in India

October 2, 2025

LATEST NEWS

Z.AI GLM-4.6 boosts context window to 200K tokens

OpenAI releases Sora 2, iOS app with real-world inserts

Bitrig: SwiftUI apps from voice using Apple Intelligence

Bengio warns hyper-AI preservation goals threaten humanity

Apple TV 4K to feature A17 Pro chip and Apple Intelligence

Instagram tests Reels-first home tab in India

Dataconomy

COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.

  • About
  • Imprint
  • Contact
  • Legal & Privacy

Follow Us

  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
No Result
View All Result
Subscribe

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy Policy.