by s09dfhks 556 days ago
So they brute forced 2fac codes?

Yes, because of a horrendous implementation by Microsoft. 3 minutes instead of 30-second TOTP validity and unlimited guesses.
Technically, 10 guesses per session but unlimited sessions.
I think so. But I would argue that it is a valid issue that they were able to do it. There are solutions to brute-force attacks, such as rate limiting, exponential backoffs, alerting et cetera. I wonder why they are not in place for Azure MFA.