
Azure MFA bypass: what identity teams should change now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: A Microsoft Azure MFA implementation flaw allowed attackers to bypass second-factor checks, with no user interaction or alerting, and the team showed the attack could be executed in about an hour, according to Oasis Security. The lesson is that MFA strength depends on validation design, not just factor presence, because broken rate limits and session handling can nullify the control.

NHIMG editorial — based on content published by Oasis Security: Oasis Security Research Team Discovers Microsoft Azure MFA Bypass

By the numbers:

Questions worth separating out

Q: How should security teams harden MFA against code-guessing attacks?

A: Security teams should harden MFA by combining strict retry limits, short validation windows, and high-signal alerting on repeated second-factor failures.

Q: Why do MFA implementations still fail even when a second factor is enabled?

A: MFA fails when the validation process is weaker than the factor itself.

Q: What should organisations monitor to catch MFA bypass attempts early?

A: Organisations should monitor bursts of failed second-factor attempts, unusual session creation patterns, and logins that keep failing from the same account within a short period.

Practitioner guidance

  • Test MFA as an attack chain: Simulate repeated second-factor failures across fresh sessions and confirm that lockout, throttling, and telemetry trigger before a practical brute-force path emerges.
  • Tighten second-factor retry policy: Set explicit retry ceilings for each session and ensure that new-session creation does not reset the effective attack budget without additional controls.
  • Reduce code-window tolerance where possible: Validate whether your MFA implementation accepts more than one time step and whether that tolerance is operationally justified for your user population.

What's in the full analysis

Oasis Security's full blog post covers the implementation details this analysis intentionally leaves for the source:

  • A step-by-step walkthrough of how the login session could be reused to enumerate second-factor codes.
  • The observed Microsoft sign-in timing behaviour, including the practical impact of the extended acceptance window.
  • The vendor's description of the temporary and permanent fix timeline after disclosure.
  • The team's specific guidance for turning failed second-factor events into actionable alerts.

👉 Read Oasis Security's analysis of the Azure MFA bypass and validation flaw →

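An added illustration of the retry-budget, new-session and time-step points in the post above. This is example code written for this page, not Oasis Security's research code and not anything from Microsoft's implementation. The TOTP construction is the standard RFC 6238 one; the demo secret, the account names, the retry limits and the `code_fn` hook are assumptions constructed for the demo.

```python
"""Added example for this thread (not code from Oasis Security or Microsoft).

A toy second-factor validator with a weak and a hardened retry policy, an
attacker that opens a fresh session whenever one is locked, and the burst
detector an identity team would run over the failure events."""
import hashlib
import hmac
import struct
from collections import defaultdict

DEMO_SECRET = b"demo-shared-secret-not-a-real-key"   # constructed for the demo
STEP = 30      # seconds per TOTP time step
DIGITS = 6


def totp(secret, t, step=STEP, digits=DIGITS):
    """Standard HMAC-SHA1 TOTP (RFC 6238 / RFC 4226) for Unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def per_guess_success_probability(tolerance, digits=DIGITS):
    """Accepting +/- `tolerance` adjacent time steps multiplies the attacker's
    per-guess odds by (2*tolerance + 1), assuming the accepted codes differ."""
    return (2 * tolerance + 1) / 10 ** digits


class Validator:
    """per_session_limit: failed retries allowed per login session.
    per_account_limit: failed retries per account across ALL sessions within
    `window` seconds; None means not enforced (the weak design).
    tolerance: adjacent time steps accepted on each side of now.
    code_fn: hook returning the expected code for (account, t); defaults to
    TOTP over the demo secret (hypothetical single-account setup)."""

    def __init__(self, per_session_limit, per_account_limit, window,
                 tolerance, code_fn=None):
        self.per_session_limit = per_session_limit
        self.per_account_limit = per_account_limit
        self.window = window
        self.tolerance = tolerance
        self.code_fn = code_fn or (lambda account, t: totp(DEMO_SECRET, t))
        self.session_fails = defaultdict(int)
        self.account_fails = defaultdict(list)   # account -> failure timestamps
        self.events = []                          # (ts, account, session, outcome)

    def verify(self, account, session, code, now):
        # Budget checks run before the comparison, so a locked session or
        # account never learns whether its guess was right.
        if self.session_fails[session] >= self.per_session_limit:
            return "locked_session"
        recent = [t for t in self.account_fails[account] if now - t < self.window]
        self.account_fails[account] = recent
        if self.per_account_limit is not None and len(recent) >= self.per_account_limit:
            return "locked_account"
        ok = any(hmac.compare_digest(code, self.code_fn(account, now + k * STEP))
                 for k in range(-self.tolerance, self.tolerance + 1))
        if not ok:
            self.session_fails[session] += 1
            recent.append(now)
        self.events.append((now, account, session, "ok" if ok else "fail"))
        return "ok" if ok else "fail"


def attack(validator, account, now, max_guesses):
    """Sequential code guessing. When a session locks, the attacker just opens
    a new one, which a per-session-only policy fails to price in.
    Returns (outcome, number of guesses the validator actually evaluated)."""
    session = code = guesses = 0
    while code < max_guesses:
        result = validator.verify(account, f"s{session}", f"{code:0{DIGITS}d}", now)
        if result == "locked_session":
            session += 1
            continue
        if result == "locked_account":
            return "locked", guesses
        guesses += 1
        if result == "ok":
            return "ok", guesses
        code += 1
    return "exhausted", guesses


def burst_alert(events, account, now, window, threshold):
    """Alert on failed second-factor attempts for one account, counted across
    sessions, once they reach `threshold` within `window` seconds."""
    fails = [e for e in events
             if e[1] == account and e[3] == "fail" and now - e[0] < window]
    return {"alert": len(fails) >= threshold, "failures": len(fails),
            "sessions": len({e[2] for e in fails})}


def demo(now=1_700_000_000, max_guesses=500):
    weak = Validator(per_session_limit=10, per_account_limit=None,
                     window=3600, tolerance=2)
    hard = Validator(per_session_limit=5, per_account_limit=10,
                     window=3600, tolerance=0)
    return {"weak": attack(weak, "alice", now, max_guesses),
            "hard": attack(hard, "alice", now, max_guesses),
            "weak_alert": burst_alert(weak.events, "alice", now, 600, 10),
            "hard_alert": burst_alert(hard.events, "alice", now, 600, 10)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the two failure modes side by side: the weak validator lets the attacker burn all 500 guesses by rotating through 50 fresh sessions, while the hardened one refuses after 10 failures regardless of how many sessions were opened. The alert dictionary is what the monitoring point in the post asks for: failures counted per account across sessions, with the distinct-session count as the tell that someone is resetting their budget on purpose.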



(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 918
 

MFA bypasses are rarely failures of factor presence. They are failures of validation governance. The issue here was not that Microsoft 365 lacked MFA, but that the validation layer allowed enough retries and enough time for guessing to become viable. That means identity teams must examine how second factors are enforced, not just whether they are enabled. The practitioner takeaway is that control assurance has to include the validator, the session, and the alerting path.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% only partial visibility.

A question worth separating out:

Q: Who is accountable when MFA is bypassed in a cloud identity stack?

A: Accountability sits with the identity owner, the application team, and the control operator together. MFA bypass is not only a user risk, it is a control-design failure that should be reviewed under access governance, authentication assurance, and incident response processes. That is especially true where a single login opens email, storage, chat, and cloud access.

👉 Read our full editorial: Microsoft Azure MFA bypass exposes weak validation assumptions


