@adamshostack : not taking into account that I strongly advise against using weak MFA (because it is not phishing-resistant and comes with a lot of disadvantages "security experts" want nobody to know about):
yes.
See https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass (yesterday).
Source: https://infosec.exchange/@AAKL/113634744971043868
In short (if I understand correctly), Microsoft's servers would accept codes in a time window for up to 3 minutes. This enabled the researchers to conduct a brute-force attack.
#WeakMFA #Weak2FA #TOTP #SMS #Voice #MFA #2FA #AitM #MitM #EvilProxy #Evilginx2
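
Added example, not part of the original post and not Microsoft's code: a minimal RFC 6238-style TOTP check showing how a longer acceptance window multiplies the number of codes that verify at any instant, next to a verifier that keeps the window to one step and caps consecutive failures. The 30-second step, 6-digit codes, the modelling of "3 minutes" as six time steps, and the names `accepted_codes`, `guess_hit_probability` and `Verifier` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step (RFC 6238 default; assumed here)
DIGITS = 6     # code length (assumed)

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP value for one counter, zero-padded to DIGITS."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def accepted_codes(secret: bytes, now: int, tolerance: int) -> set:
    """Codes that verify at `now` when codes up to `tolerance` seconds old pass."""
    current = now // STEP
    steps = max(1, tolerance // STEP)
    return {hotp(secret, current - i) for i in range(steps) if current - i >= 0}

def guess_hit_probability(valid_codes: int, guesses: int) -> float:
    """Chance that at least one of `guesses` random codes is accepted."""
    return 1 - (1 - valid_codes / 10 ** DIGITS) ** guesses

class Verifier:
    """Per-account check: short tolerance plus a cap on consecutive failures."""
    def __init__(self, secret: bytes, tolerance: int = STEP, max_failures: int = 5):
        self.secret, self.tolerance = secret, tolerance
        self.max_failures, self.failures = max_failures, 0

    def verify(self, code: str, now: int) -> bool:
        if self.failures >= self.max_failures:
            return False  # locked: even a correct code is refused until reset
        valid = accepted_codes(self.secret, now, self.tolerance)
        ok = any(hmac.compare_digest(code, c) for c in valid)
        self.failures = 0 if ok else self.failures + 1
        return ok

if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test key, not a real secret
    for tol in (30, 180):
        n = len(accepted_codes(secret, 200, tol))
        print(tol, "s:", n, "valid codes; P(hit in 10 guesses) =",
              guess_hit_probability(n, 10))
```

The failure counter here lives in one object; a real deployment has to keep it per account and across sessions, otherwise opening a new session resets the limit.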