Researchers Demonstrate Microsoft Azure MFA Bypass Through Code Guessing
by Justin Erickson
Security researchers have revealed a method to bypass Microsoft Azure’s Multi-Factor Authentication (MFA) by exploiting weaknesses in the system’s handling of authentication codes. By systematically guessing MFA codes over an extended period, attackers can potentially gain unauthorized access to user accounts. The bypass relies on weaknesses in the rate-limiting and retry mechanisms within Azure’s MFA implementation. The issue was fully patched on October 9th, following a temporary fix implemented on July 4th.
