Dataconomy

Millions of Office 365 accounts vulnerable after shocking MFA bypass

The vulnerability revolves around the time-based one-time password (TOTP) system

by Kerem Gülen
December 12, 2024
in News, Cybersecurity

A critical vulnerability in Microsoft’s Multi-Factor Authentication (MFA) system has left millions of accounts exposed to unauthorized access. Discovered by Oasis Security, the flaw allows attackers to bypass MFA, impacting over 400 million Office 365 paid users. Exploitation of this weakness permits access to services like Outlook, OneDrive, and Azure Cloud with minimal effort. Microsoft has confirmed the issue and has implemented fixes.

Microsoft’s MFA vulnerability exposes millions to unauthorized access

The vulnerability revolves around the time-based one-time password (TOTP) system. Insufficient rate limiting allowed attackers to guess six-digit codes repeatedly. Codes also remained valid for up to three minutes, significantly longer than the standard interval of 30 seconds. This increased the likelihood of a successful attack: by initiating multiple sessions, attackers could achieve a success rate of over 50% within approximately 70 minutes.

In the blog post describing the findings, Oasis researchers detailed their method of exploitation, which they termed “AuthQuake.” They tested the flaw by rapidly creating new sessions and enumerating codes, demonstrating a high rate of simultaneous attempts that could quickly exhaust the possible six-digit combinations. These attempts ran without any user interaction or alerts, making the attack method discreet.

After being informed of the vulnerability, Microsoft released a temporary patch on July 4, 2024, followed by a permanent solution on October 9, 2024. The latter integrated stricter rate limits that reduce the number of attempts an attacker can make in a given time frame, enhancing security measures against such exploits.

Despite the resolution of this specific flaw, security experts underscore the critical need for continued vigilance. Recommendations for organizations using MFA include enforcing alerts for failed authentication attempts and regularly reviewing security configurations to identify potential vulnerabilities. Kris Bondi, Mimoto CEO, stressed the importance of treating MFA as a minimum acceptable practice rather than a state-of-the-art security measure. He indicated that even when MFA functions correctly, it only verifies the endpoint at a given moment, not necessarily confirming the user’s identity.


Experts also advise against reliance on outdated MFA solutions. Jason Soroko, senior fellow at Sectigo, echoed the sentiment, emphasizing the need for organizations to adopt updated patches and consider moving towards passwordless authentication solutions for new implementations.

Emerging best practices include integrating mail alerts to notify users of unsuccessful MFA attempts while ensuring that MFA systems enforce rate limits that prevent indefinite sign-in trials. Organizations are also urged to implement measures that lock accounts after numerous failed attempts to thwart potential attackers.
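
The controls recommended above (rate limits, lockout after repeated failures, alerts on failed attempts) can be sketched as a TOTP verifier that counts failures per account rather than per session, so opening a new session does not reset the budget. This is an added example, not Microsoft's or Oasis Security's code; the class name, `MAX_FAILURES`, `LOCKOUT` and the one-step acceptance window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds per TOTP time step (RFC 6238 default)
SKEW_STEPS = 1     # assumed tolerance: current step plus one either side
MAX_FAILURES = 5   # assumed per-account failure budget before lockout
LOCKOUT = 15 * 60  # assumed lockout duration in seconds


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 / RFC 4226 code for one time-step counter (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class MfaVerifier:
    """Hypothetical verifier: failure state is keyed by account only."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.failures = {}      # account -> failed codes since last success
        self.locked_until = {}  # account -> unix time the lockout ends
        self.alerts = []        # stand-in for mail or SIEM notifications

    def verify(self, account: str, session_id: str, code: str, now: float) -> str:
        if now < self.locked_until.get(account, 0):
            return "locked"     # refused before checking, even if correct
        counter = int(now) // STEP
        valid = [totp(self.secrets[account], counter + d)
                 for d in range(-SKEW_STEPS, SKEW_STEPS + 1)]
        if any(hmac.compare_digest(code.encode(), v.encode()) for v in valid):
            self.failures[account] = 0
            return "ok"
        # session_id is recorded for the alert but is not part of the key.
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        self.alerts.append((account, session_id, count))
        if count >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT
            self.failures[account] = 0
        return "rejected"
```

A production verifier would also reject reuse of an already accepted code and persist this state outside process memory.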

