Researchers crack Microsoft Azure MFA within an hour
Briefly

Researchers at Oasis Security discovered a critical flaw in Microsoft Azure's MFA that allowed unauthorized access to user accounts, including Outlook inboxes, because the rate of failed login attempts was not limited.
An engineer at Oasis stated that the lack of a rate limit on failed MFA attempts allowed them to quickly exhaust all possible 6-digit code combinations—leading to successful unauthorized access.
During the attack, account owners received no notification of suspicious activity, which made the exploitation difficult to detect and allowed it to continue without users' awareness.
Microsoft acknowledged the vulnerability and implemented a fix in October 2023, establishing a stricter rate limit on login attempts to mitigate the risk of unauthorized access.
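
One way to enforce a per-account limit on failed MFA codes and alert the account owner when it trips, as an added example (not Microsoft's or Oasis Security's code). The thresholds, the `MfaAttemptLimiter` name, the account name and the sample code are assumptions.

```python
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed policy: failures tolerated per window
WINDOW_SECONDS = 900   # assumed sliding window
LOCKOUT_SECONDS = 900  # assumed lockout once the threshold is hit


class MfaAttemptLimiter:
    """Throttles failed MFA codes per account, not per session or IP."""

    def __init__(self, notify):
        self.notify = notify                # callback(account, message)
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}              # account -> unlock timestamp

    def verify(self, account, submitted, expected, now):
        if now < self.locked_until.get(account, 0):
            return "locked"                 # guess is never compared
        recent = self.failures[account]
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()                # forget failures outside window
        if hmac.compare_digest(submitted, expected):
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            recent.clear()
            self.notify(account, "repeated failed MFA codes, sign-in locked")
        return "denied"


def simulate_hour(expected="493817"):
    """Replay one wrong guess per second for an hour (constructed input)."""
    alerts = []
    limiter = MfaAttemptLimiter(lambda acct, msg: alerts.append((acct, msg)))
    evaluated = 0
    for second in range(3600):
        guess = f"{second:06d}"             # 000000..003599, never the code
        if limiter.verify("alice", guess, expected, second) == "denied":
            evaluated += 1
    return evaluated, len(alerts)


if __name__ == "__main__":
    print(simulate_hour())  # guesses actually compared, owner alerts sent
```

Keying the counter on the account rather than on a session or source address is what keeps the number of compared guesses small relative to the 1,000,000 possible 6-digit codes.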
Read at Techzine Global