
The Rise of MFA Fatigue Attacks

24 October 2022

Sapphire has been tracking a trending attack technique known as ‘Multifactor Authentication (MFA) Fatigue’ (MITRE ATT&CK ID: T1621, Multi-Factor Authentication Request Generation).

Several high-profile organisations, including Cisco (as documented by Cisco Talos), Microsoft, and Uber, have been breached by threat actors who used this technique. Whilst MFA plays a significant part in strengthening an organisation’s cybersecurity posture, it is not a ‘silver bullet’.

Organisations should be aware of this technique and how Managed Security Service Providers, like Sapphire, can assist with detection and prevention.

Research conducted by Microsoft into these attacks found that 1% of users will ‘blindly’ accept the first MFA push notification they receive on their mobile, regardless of whether the legitimate account owner triggered it.

Data from August 2022 recorded 40,942 MFA Fatigue attacks, the highest volume of any month over the preceding two years.

What is MFA Fatigue?

MFA Fatigue is also referred to in the cybersecurity world as ‘MFA Spamming’, ‘MFA Bombing’ and (somewhat loosely, since that term covers other techniques too) ‘MFA Bypass’; whatever the name, the premise remains the same.

A threat actor who has already obtained the victim’s credentials (username and password) attempts to log in to the victim’s account. They must now get past whatever MFA ‘wall’ is presented to them to gain access.

Typically, the threat actor triggers a push notification, such as a simple ‘Yes/No’ MFA approval prompt (pictured), in the hope that the victim accepts it.

The effectiveness of this technique increases with the frequency at which the user is sent MFA prompts. The threat actor’s goal is to send enough requests that the victim eventually tires of them and taps ‘Yes’ simply to stop the notifications.

Accompanying social engineering tactics have also been reported.

For example, the threat actor may impersonate a ‘Helpdesk’ email account or caller, asking the victim to accept the MFA prompt, further bolstering the attack’s success rate.

Due to the continued increase in remote working, MFA is a frequently used method of securing Internet-exposed services such as VPNs and single sign-on portals. Threat actors who successfully perform MFA fatigue-style attacks to gain initial access to an organisation’s network typically proceed to move laterally and deploy additional tools to aid further compromise.

In the case of Cisco, Cisco Talos reported the deployment of Impacket (a Python toolkit for network protocols, used for remote execution and lateral movement), Mimikatz (credential dumping), PowerSploit (a PowerShell post-exploitation framework), Cobalt Strike (command and control) and TeamViewer (remote access) tooling.

Recommendations

An immediate action that typically reduces the likelihood of a successful attack is to enable a ‘Push Notification with Number Challenge’ (often called number matching) instead of a simple ‘Yes/No Push Notification Challenge’.

By doing so, end users must select or enter in their authenticator app the number displayed on the authentication page they are signing in from.

Since an attacker who merely holds the password does not see this number, they can no longer rely on a user hitting ‘Yes’ (see below). Note the limit of this control: it defeats unsolicited prompts, but if the victim is phished through a proxy of the real sign-in page, the attacker sees the same number. Phishing-resistant authenticators, such as FIDO2 security keys, remain the stronger option where they can be deployed.

Additionally, a user who receives MFA prompts they did not trigger should treat this as confirmation that their password is known to someone else. The password should be reset as soon as possible and existing sessions and tokens revoked; once the threat actor no longer holds a valid password, they can no longer generate push notifications to the victim’s device.

How Can Sapphire Help You Against MFA Fatigue Attacks?

Cyber Threat Intelligence Services

As part of Sapphire’s Cyber Threat Intelligence service, our customers receive in-depth monthly (and ad-hoc) reporting on trending threat actor techniques that pose a risk to their network. Here we can track trending methods and provide insight into the industries that may be targeted specifically.

Indicators of compromise can be gathered as soon as they become available and fed back into our Managed SIEM service, providing a continuous feedback loop for detection opportunities.

Our Cyber Threat Intelligence aims to provide actionable information to customers that they can use to take proactive security measures to reduce the likelihood of a successful attack.

SIEM as a Service

The SOC Team can quickly create custom detection rules in response to emerging threats and threat actor techniques. To help detect Okta-based MFA Fatigue-style attacks, we have created the Rule ‘IA: Okta MFA Fatigue / Bypass Attempt’.

This alerts our 24/7 Analysts to an account generating a suspicious volume of ‘MFA Prompt’ logs in a short period – the precursor to an account compromise, and something a legitimate user rarely produces.
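To make the detection logic concrete, here is an added worked example (not Sapphire’s rule, and not Okta’s own code) that runs the same idea over constructed Okta System Log events. It counts push notifications per user in a sliding window, raises a medium-severity alert once a threshold is crossed, and escalates to high if an MFA success follows the burst, which is the ‘deny, deny, approve’ shape of a worn-down victim. The three eventType strings and the sample JSON lines are assumptions for illustration; confirm the event names against what your own tenant emits.

```python
"""Flag MFA-fatigue push spam in Okta System Log events (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Okta System Log eventType values this example keys on. They are assumed
# here for illustration; confirm them against your own tenant's events.
PUSH_SENT = "system.push.send_factor_verify_push"
PUSH_DENIED = "user.mfa.okta_verify.deny_push"
MFA_SUCCESS = "user.authentication.auth_via_mfa"

WINDOW = timedelta(minutes=10)   # sliding window per user
THRESHOLD = 5                    # pushes inside WINDOW before alerting

# Constructed sample log (not real data): alice is bombed from one IP, denies
# twice on her phone (192.0.2.55), then approves; bob is a normal single-push login.
SAMPLE_LOG = """\
{"published":"2022-10-24T08:15:02.000Z","eventType":"system.push.send_factor_verify_push","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"}}
{"published":"2022-10-24T08:15:30.000Z","eventType":"user.mfa.okta_verify.deny_push","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"192.0.2.55"}}
{"published":"2022-10-24T08:15:40.000Z","eventType":"system.push.send_factor_verify_push","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"}}
{"published":"2022-10-24T08:16:05.000Z","eventType":"user.mfa.okta_verify.deny_push","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"192.0.2.55"}}
{"published":"2022-10-24T08:16:10.000Z","eventType":"system.push.send_factor_verify_push","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"}}
{"published":"2022-10-24T08:16:45.000Z","eventType":"system.push.send_factor_verify_push","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"}}
{"published":"2022-10-24T08:17:20.000Z","eventType":"system.push.send_factor_verify_push","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"}}
{"published":"2022-10-24T08:18:00.000Z","eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"}}
{"published":"2022-10-24T08:20:00.000Z","eventType":"system.push.send_factor_verify_push","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.7"}}
{"published":"2022-10-24T08:20:30.000Z","eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.7"}}
"""


def parse_log(text):
    """Parse newline-delimited JSON events into flat dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        events.append({
            "ts": datetime.fromisoformat(raw["published"].replace("Z", "+00:00")),
            "user": raw["actor"]["alternateId"],
            "type": raw["eventType"],
            "ip": raw.get("client", {}).get("ipAddress", ""),
        })
    events.sort(key=lambda ev: ev["ts"])
    return events


def detect_push_spam(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: alert} for every user sent >= threshold pushes within window.

    The alert starts at 'medium' (someone holding the password is hammering the
    user) and is raised to 'high' if an MFA success lands while the burst is
    still inside the window; the deny count is kept as evidence.
    """
    state = defaultdict(lambda: {"push": deque(), "deny": deque()})
    alerts = {}
    for ev in events:
        st = state[ev["user"]]
        for q in st.values():                       # expire entries older than window
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()
        if ev["type"] == PUSH_SENT:
            st["push"].append((ev["ts"], ev["ip"]))
            if len(st["push"]) >= threshold:
                alert = alerts.setdefault(ev["user"], {
                    "user": ev["user"], "severity": "medium",
                    "first_push": st["push"][0][0], "approved_after_spam": False,
                })
                alert["pushes"] = len(st["push"])
                alert["denies"] = len(st["deny"])
                alert["last_push"] = ev["ts"]
                alert["source_ips"] = sorted({ip for _, ip in st["push"]})
        elif ev["type"] == PUSH_DENIED:
            st["deny"].append((ev["ts"], ev["ip"]))
        elif ev["type"] == MFA_SUCCESS and ev["user"] in alerts and st["push"]:
            alert = alerts[ev["user"]]              # success right after a burst
            alert["approved_after_spam"] = True
            alert["severity"] = "high"
            alert["approved_at"] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for alert in detect_push_spam(parse_log(SAMPLE_LOG)).values():
        print(f"[{alert['severity'].upper()}] {alert['user']}: {alert['pushes']} pushes, "
              f"{alert['denies']} denies between {alert['first_push']:%H:%M:%S} and "
              f"{alert['last_push']:%H:%M:%S} from {alert['source_ips']}"
              + (" -> approved after spam" if alert["approved_after_spam"] else ""))
```

On the sample data only alice is flagged: five pushes inside ten minutes from a single source IP, two denials, then an approval, which is exactly the sequence an analyst should treat as a likely compromise rather than a precursor. The threshold and window are the knobs to tune against your own baseline; a threshold of one would make the rule fire on every normal login such as bob’s.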

We can build additional detection and alerting capabilities by utilising the latest Indicators of Compromise (IOCs), as uncovered via our Threat Intelligence and OSINT sources.

An essential precondition for MFA Fatigue attacks is that the threat actor obtains the victim’s credentials in the first place. This is often possible because the victim’s account has been exposed in a data breach.

Attackers will often scour credential leakage sites to find victims’ email addresses. Sapphire’s Analysts also have access to tools that alert customers before an attacker can put the credentials to use.

Single Sign-On and Multifactor Authentication

Products, processes and policies can be provisioned to help secure user identities and regulate user access in an organisation.

Security Awareness Training

Sapphire also delivers Phishing and Social Engineering awareness training.

This can increase staff awareness of the threats posed by MFA Fatigue-style attacks, in particular that an unexpected prompt should be denied and reported, not approved. Where technical controls fail, a cyber-aware workforce acts as an additional barrier against successful attacks.

A ‘Defence-in-Depth’ strategy is the best approach to defending an organisation against threat actors. We continue improving our customers’ cybersecurity posture with Sapphire’s combination of technical solutions and services.

