
Microsoft Issues Alert Over Confirmed Bypass of No-User-Interaction Two-Factor Authentication Attacks

Researchers unveiled a method to bypass Microsoft's two-factor authentication without requiring user involvement, accomplishing the task within an hour and avoiding detection alerts. Here's the essential information.

Two-Factor Verification showcasing a visual depiction of the 2FA principle on a digital screen.


Update, Dec. 14, 2024: This report, initially published Dec. 13, now contains a statement from Microsoft about the 2FA bypass vulnerability and its impact on users.

Researchers have uncovered a serious flaw in Microsoft's two-factor authentication (2FA) protections, the very layer meant to keep attackers out of accounts whose passwords have already leaked. The vulnerability, since fixed by Microsoft, exposed the accounts behind roughly 400 million paid Office 365 subscriptions to a 2FA bypass that required no user interaction, produced no alerts, and could complete in about an hour. Here's what you need to know.

Breaking Down the Microsoft 2FA Bypass Vulnerability

In a recent study by Oasis Security, researchers detailed the process of exploiting a critical 2FA bypass vulnerability that potentially impacted Microsoft accounts providing access to Outlook emails, OneDrive files, Teams chats, and the Azure Cloud. “Microsoft manages more than 400 million paid Office 365 subscriptions,” the researchers cautioned, “making the ramifications of this vulnerability far-reaching.”

The technique was strikingly simple. Microsoft enforced a limit of 10 consecutive wrong codes, but the counter was tracked on the temporary login session rather than on the account. By repeatedly creating fresh sessions and sending guesses in parallel, the researchers could work through the 1,000,000 possible values of a six-digit code far faster than the limit was meant to allow.

“The 10 consecutive failure limit only applied to the temporary session object,” the researchers explained, “which can be regenerated by repeating the described process, with not enough of a rate limit.” Worse, throughout the attack the account holder received no email or other alert about the failed attempts, so an attacker could keep guessing undetected for as long as needed.
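The failure-counter weakness the researchers describe, simulated as an added example (this is not Oasis Security's or Microsoft's code). The vulnerable verifier counts failures on a throwaway session object, so an attacker resets the budget by opening a new session; the hardened variant also counts failures per account, so a fresh session buys nothing. The 10-failure limit comes from the article; the account-level limit, the class and function names, and the assumption that the code stays fixed for the whole run are the example's own simplifications.

```python
"""Per-session versus per-account OTP failure limits (added example)."""
from __future__ import annotations

import secrets
from typing import Optional

CODE_SPACE = 10**6            # six-digit OTP: 000000..999999
SESSION_FAILURE_LIMIT = 10    # failures allowed per session (from the article)
ACCOUNT_FAILURE_LIMIT = 10    # assumed hardened limit, counted across sessions


class PerSessionLimiter:
    """Vulnerable: failures are counted only on the temporary session object."""

    def __init__(self, code: str) -> None:
        self._code = code
        self._sessions: dict[str, int] = {}   # session id -> failed attempts

    def new_session(self) -> str:
        sid = secrets.token_hex(8)
        self._sessions[sid] = 0
        return sid

    def sessions_created(self) -> int:
        return len(self._sessions)

    def verify(self, sid: str, guess: str) -> str:
        """Return 'ok', 'wrong' or 'locked'."""
        if self._sessions[sid] >= SESSION_FAILURE_LIMIT:
            return "locked"
        if secrets.compare_digest(guess, self._code):
            return "ok"
        self._sessions[sid] += 1
        return "wrong"


class PerAccountLimiter(PerSessionLimiter):
    """Hardened: failures are also counted per account, so opening a new
    session does not reset the budget. (A real deployment would add a
    cooldown and per-source limits; omitted here.)"""

    def __init__(self, code: str) -> None:
        super().__init__(code)
        self._account_failures = 0

    def verify(self, sid: str, guess: str) -> str:
        if self._account_failures >= ACCOUNT_FAILURE_LIMIT:
            return "locked"
        result = super().verify(sid, guess)
        if result == "wrong":
            self._account_failures += 1
        return result


def brute_force(limiter: PerSessionLimiter) -> tuple[Optional[str], int]:
    """Attacker loop: walk the code space in order and open a fresh session
    whenever the current one locks. Returns (code found or None, guesses made).
    Simplification: the code is treated as fixed; a real OTP rotates, so the
    attacker's odds depend on how many guesses fit inside its validity window."""
    sid = limiter.new_session()
    guesses = 0
    for n in range(CODE_SPACE):
        guess = f"{n:06d}"
        result = limiter.verify(sid, guess)
        if result == "locked":               # session budget spent: start over
            sid = limiter.new_session()
            result = limiter.verify(sid, guess)
        guesses += 1
        if result == "ok":
            return guess, guesses
        if result == "locked":               # still locked: account-level limit
            return None, guesses
    return None, guesses


def guesses_for_probability(p: float) -> int:
    """Guesses needed for success probability p against a fixed six-digit code."""
    return int(p * CODE_SPACE)


if __name__ == "__main__":
    code = f"{secrets.randbelow(CODE_SPACE):06d}"
    found, n = brute_force(PerSessionLimiter(code))
    print(f"per-session limit: found={found == code} after {n} guesses")
    found, n = brute_force(PerAccountLimiter(code))
    print(f"per-account limit: found={found == code} after {n} guesses")
    print(f"50% chance needs {guesses_for_probability(0.5)} guesses")
```

Against the per-session limiter the loop always finds the code, using one new session per ten wrong guesses; against the per-account limiter it is shut out after the tenth failure no matter how many sessions it opens. The parallelism the researchers used changes only the wall-clock time, not this arithmetic.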

Microsoft Responds to 2FA Bypass Vulnerability Report

I reached out to Microsoft for a comment, and a spokesperson replied: "We're grateful for Oasis Security's collaboration in responsibly disclosing this issue. We've already released an update, and no user action is needed."

Oasis disclosed the flaw to Microsoft, which confirmed the vulnerability on June 24 and deployed a permanent fix on Oct. 9. Oasis did not publish the specifics of the fix but confirmed that a stricter rate limit on 2FA failures was introduced.

In further conversation, Microsoft told me it has security monitoring in place to detect this kind of 2FA bypass abuse and that it has seen no evidence of the technique being used against customers.
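What monitoring for this pattern looks like from the defender's side, as an added example that is not Microsoft's detection logic: the signal the researchers' technique leaves is many failed codes for one account spread across many short-lived sessions in a short time, whereas a user mistyping stays in one session. The JSON sign-in log format, the user names and the thresholds below are constructed for the example and have to be mapped onto real log fields.

```python
"""Detection of OTP guessing spread across many sessions (added example)."""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_FAILURES = 20   # assumed: more failed codes than a user produces by typos
MIN_SESSIONS = 3    # assumed: legitimate retries stay within one session


def _line(ts: datetime, user: str, session: str, result: str) -> str:
    return json.dumps({"ts": ts.isoformat(), "user": user,
                       "session": session, "result": result})


def constructed_log() -> list[str]:
    """Constructed sample: alice is under cross-session guessing, bob mistypes
    twice in one session, carol's single session stopped at the per-session
    cap (no alert: the session limit already handled that one)."""
    t0 = datetime(2024, 12, 13, 9, 0, 0)
    lines = []
    for s in range(5):                        # alice: 5 sessions x 10 failures
        for i in range(10):
            lines.append(_line(t0 + timedelta(seconds=20 * s + 2 * i),
                               "alice@example.com", f"sess-{s}", "mfa_failed"))
    lines.append(_line(t0 + timedelta(minutes=1), "bob@example.com", "sess-b", "mfa_failed"))
    lines.append(_line(t0 + timedelta(minutes=1, seconds=15), "bob@example.com", "sess-b", "mfa_failed"))
    lines.append(_line(t0 + timedelta(minutes=1, seconds=40), "bob@example.com", "sess-b", "mfa_ok"))
    for i in range(10):                       # carol: one session, capped at 10
        lines.append(_line(t0 + timedelta(minutes=2, seconds=3 * i),
                           "carol@example.com", "sess-c", "mfa_failed"))
    return lines


def detect(lines: list[str]) -> list[dict]:
    """Sliding window per user over MFA failures; report the densest window
    that meets both thresholds. Returns one alert per flagged user."""
    per_user: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for raw in lines:
        e = json.loads(raw)
        if e["result"] == "mfa_failed":
            per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["session"]))
    alerts = []
    for user, fails in per_user.items():
        fails.sort()
        best = None
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            window = fails[start:end + 1]
            sessions = {sid for _, sid in window}
            if len(window) >= MIN_FAILURES and len(sessions) >= MIN_SESSIONS:
                if best is None or len(window) > best["failures"]:
                    best = {"user": user, "failures": len(window),
                            "sessions": len(sessions),
                            "first": window[0][0].isoformat(),
                            "last": window[-1][0].isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

The two thresholds are deliberately combined: a high failure count alone also fires on a user fighting a broken authenticator app, while the session dimension is what separates counter-reset abuse from ordinary retries. Tune both against your own baseline before alerting on them.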

Coping Strategies Against 2FA Bypass Attacks

This type of exploit is not unique to Microsoft; 2FA bypass attacks are common across popular platforms. Most of them do not evade rate limiters the way this one did, since that requires finding a specific vulnerability like the one Oasis identified. What we usually see instead are phishing kits such as Rockstar 2FA. This phishing-as-a-service kit, aimed at Microsoft and Google users, can be rented for a few hundred dollars.

The common thread is luring the target to a legitimate-looking site and prompting them to log in. The site acts as a reverse proxy: it forwards the password and the 2FA code to the real service, which issues a session cookie, and the attacker captures that cookie in transit. The cookie marks the session as fully authenticated, so whoever holds it can replay it and act as the user until the session expires or is revoked. This defeats codes typed from an app or a text message, but not authenticators that bind the login to the site's origin, such as FIDO2 security keys and passkeys.
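The relay flow described above, simulated end to end as an added example (not from the article, Oasis Security, Microsoft or any phishing kit), alongside the reason an origin-bound authenticator survives it. With a typed code, nothing ties the secret to where it was typed, so the proxy's forwarded login is indistinguishable from the victim's and the cookie it receives is a plain bearer token. With a WebAuthn-style authenticator the browser, not the user, writes the origin of the page that asked for the assertion into the signed data, so an assertion produced on the phishing page is rejected and the proxy cannot patch it. Simplifications, all the example's own: an HMAC with a per-credential key stands in for the authenticator's signature, the origins are made up, and browser and network are modelled as function calls.

```python
"""AiTM phishing against code-based 2FA versus an origin-bound authenticator
(added example; signature simplified to an HMAC, no real browser or network)."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from typing import Optional

IDP_ORIGIN = "https://login.example.com"    # assumed legitimate login page
PHISH_ORIGIN = "https://login.examp1e.com"  # assumed look-alike phishing page


class Authenticator:
    """The victim's credential. The origin is supplied by the browser and is
    covered by the signature, so the user cannot be tricked into changing it."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)  # stands in for the private key

    def sign(self, challenge: str, origin: str) -> tuple[bytes, bytes]:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}
        ).encode()
        tag = hmac.new(self.key, hashlib.sha256(client_data).digest(), "sha256").digest()
        return client_data, tag


class IdentityProvider:
    """Issues bearer session cookies. OTP login checks nothing about where the
    user typed; authenticator login checks the signed origin and challenge."""

    def __init__(self, registered_key: bytes) -> None:
        self._key = registered_key  # stands in for the registered public key
        self._sessions: set[str] = set()
        self.challenge = secrets.token_hex(16)

    def _issue_cookie(self) -> str:
        cookie = secrets.token_hex(16)
        self._sessions.add(cookie)
        return cookie

    def login_with_otp(self, password_ok: bool, otp_ok: bool) -> Optional[str]:
        return self._issue_cookie() if password_ok and otp_ok else None

    def login_with_authenticator(self, client_data: bytes, tag: bytes) -> Optional[str]:
        expected = hmac.new(self._key, hashlib.sha256(client_data).digest(), "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            return None  # client data altered after signing
        data = json.loads(client_data)
        if data.get("challenge") != self.challenge or data.get("origin") != IDP_ORIGIN:
            return None  # assertion was made for another site: phished
        return self._issue_cookie()

    def is_valid_session(self, cookie: Optional[str]) -> bool:
        return cookie is not None and cookie in self._sessions


def otp_flow_attacker_authenticated() -> bool:
    """Victim types a correct password and a fresh code into the phishing page;
    the proxy relays both, keeps the returned cookie and replays it."""
    idp = IdentityProvider(secrets.token_bytes(32))
    stolen_cookie = idp.login_with_otp(password_ok=True, otp_ok=True)
    return idp.is_valid_session(stolen_cookie)


def authenticator_flow_attacker_authenticated() -> bool:
    """Same relay, but the victim's browser is on the phishing origin, so that
    is what gets signed and the IdP refuses it."""
    victim = Authenticator()
    idp = IdentityProvider(victim.key)
    client_data, tag = victim.sign(idp.challenge, PHISH_ORIGIN)
    return idp.is_valid_session(idp.login_with_authenticator(client_data, tag))


def rewritten_origin_attacker_authenticated() -> bool:
    """The proxy patches the origin before relaying; the tag no longer matches."""
    victim = Authenticator()
    idp = IdentityProvider(victim.key)
    client_data, tag = victim.sign(idp.challenge, PHISH_ORIGIN)
    patched = client_data.replace(PHISH_ORIGIN.encode(), IDP_ORIGIN.encode())
    return idp.is_valid_session(idp.login_with_authenticator(patched, tag))


def legitimate_authenticator_login() -> bool:
    """Control case: the same credential used on the real site works."""
    victim = Authenticator()
    idp = IdentityProvider(victim.key)
    client_data, tag = victim.sign(idp.challenge, IDP_ORIGIN)
    return idp.is_valid_session(idp.login_with_authenticator(client_data, tag))
```

The cookie itself is the same bearer token in both cases; what changes is whether the proxy can obtain one. That is why recommendations for this class of attack centre on phishing-resistant authenticators rather than on stronger codes.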

  1. The vulnerability in Microsoft's 2FA system put the accounts behind more than 400 million Office 365 subscriptions at risk.
  2. Attackers could sidestep the 10-attempt failure limit because it was tracked per session rather than per account, letting them run large numbers of guesses in parallel.
  3. Microsoft acknowledged the report, released an update, and put a stricter limit on 2FA failures in place to prevent future bypass attempts.
  4. 2FA bypass attacks are not exclusive to Microsoft; the common method is phishing that relays the login to the real site and steals the resulting session cookie, which lets attackers impersonate authenticated users.
  5. To protect against them, users should learn to recognize phishing and, where available, use phishing-resistant methods such as security keys or passkeys rather than relying on codes alone.
