Researchers Crack Microsoft Azure MFA in an Hour

Source: Dark Reading
Author: Elizabeth Montalbano, Contributing Writer
URL: https://www.darkreading.com/cyberattacks-data-breaches/researchers-crack-microsoft-azure-mfa-hour

## ONE SENTENCE SUMMARY:
Researchers discovered a critical vulnerability in Microsoft Azure MFA that allowed rapid unauthorized access to user accounts.

## MAIN POINTS:
1. Oasis Security researchers found a flaw in Microsoft Azure’s multifactor authentication (MFA).
2. The vulnerability allowed unauthorized access to Microsoft 365 accounts affecting over 400 million users.
3. The attack, called “AuthQuake,” involved rapidly cycling through the possible 6-digit code values.
4. Users received no alerts during failed sign-in attempts, masking the attack’s presence.
5. Microsoft acknowledged the issue in June, fully fixing it by October 9.
6. Attackers had an extended 2.5-minute window to guess a single MFA code.
7. This longer window significantly increased the attackers’ chance of guessing the code.
8. Oasis recommended using authenticator apps and strong passwordless methods for security.
9. Regular password changes are essential for maintaining account security.
10. Organizations should implement alerts for failed MFA attempts to enhance user awareness.

## TAKEAWAYS:
1. MFA is not infallible, and vulnerabilities can expose user accounts.
2. Rate limits on sign-in attempts are crucial to prevent brute-force attacks.
3. Immediate alerts for suspicious sign-in activity can enhance user account security.
4. Organizations must enforce stricter time limits on code validity for better security.
5. Regular training and best practices in password hygiene are key to protecting accounts.
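As an added example (not code from the Dark Reading article or from Microsoft), the following per-account sliding-window limiter implements the two controls the takeaways call for: throttling failed MFA attempts and alerting on them. The thresholds, field names and sample events are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (account, ISO timestamp, outcome); not real Azure logs.
# "alice" receives a burst of wrong codes, the trace a code-guessing run leaves.
SAMPLE_EVENTS = [
    ("bob",   "2024-06-01T10:00:00", "mfa_ok"),
    ("alice", "2024-06-01T10:00:00", "mfa_failed"),
    ("alice", "2024-06-01T10:00:03", "mfa_failed"),
    ("alice", "2024-06-01T10:00:05", "mfa_failed"),
    ("alice", "2024-06-01T10:00:06", "mfa_failed"),
    ("alice", "2024-06-01T10:00:08", "mfa_failed"),  # 5th failure in 30 s: lock + alert
    ("alice", "2024-06-01T10:00:10", "mfa_failed"),  # rejected while locked
    ("alice", "2024-06-01T10:20:00", "mfa_ok"),      # lockout expired, allowed again
]


class MfaGuard:
    """Per-account sliding window: max_failures within window -> lockout + alert."""

    def __init__(self, window=timedelta(seconds=30), max_failures=5,
                 lockout=timedelta(minutes=15)):
        self.window, self.max_failures, self.lockout = window, max_failures, lockout
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked_until = {}              # account -> datetime the lock expires
        self.alerts = []                    # (account, timestamp, failures_in_window)

    def check(self, account, ts, outcome):
        """Return 'allow', 'deny' or 'locked' for one sign-in event."""
        now = datetime.fromisoformat(ts)
        until = self.locked_until.get(account)
        if until is not None and now < until:
            return "locked"  # refuse even a correct code until the lockout ends
        if outcome == "mfa_ok":
            self.failures[account].clear()
            return "allow"
        recent = self.failures[account]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            self.alerts.append((account, ts, len(recent)))
            recent.clear()
        return "deny"

def run(events, guard=None):
    """Feed events through a guard; return the per-event decisions and alerts."""
    guard = guard or MfaGuard()
    return [guard.check(*e) for e in events], guard.alerts
```

Calling `run(SAMPLE_EVENTS)` denies alice's guesses, locks the account at the fifth failure and records one alert, while bob's normal sign-in is unaffected.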