What is an MFA fatigue attack?
An MFA fatigue attack is a cyber attack in which criminals target a user’s multi-factor authentication (MFA, often called 2FA) app by sending many push requests asking them to approve a sign-in they did not start. Unfortunately, some users relent, tap ‘Approve’, and the criminals gain entry.
Does this mean the end of MFA?
Absolutely not! Just as cyber attacks on passwords don’t stop us using passwords, MFA attacks shouldn’t discourage us from using this important defensive weapon against cyber criminals. We just need to be mindful of the tactics criminals are employing to use this tool against us.
So who is at risk?
Potentially anyone using MFA, but reports suggest Microsoft 365 users have been particularly targeted.
What is MFA prompt bombing?
MFA prompt bombing is another phrase for MFA fatigue attacks and refers to the way criminals bombard users with scores of approval requests. It also explains why people fall prey to this attack: faced with a flood of prompts, often late at night, some users, irritated, panicked, or fed up, grant access just to make them stop.
How are criminals able to send these notifications?
Because they already hold the user’s login and password, often obtained by brute-forcing the account (for example, password spraying) or from a leaked credential set. In other words, the attackers have already completed the first factor and are looking for the final piece of the puzzle to gain entry. Strong, unique passwords make that first step harder, but they are not a complete defence on their own, because credentials can also be phished or stolen. More on prevention later.
Who is doing it?
Research from the threat intelligence expert Mandiant has revealed that in a 2021 MFA fatigue attack campaign, Russian operatives targeted Office 365 users.
How do I know if people in my organisation have been subject to MFA fatigue attacks?
Your IT team can sign in to the Azure Active Directory admin centre, open the sign-in logs and filter for sign-ins with a Failure status whose authentication details show a denied or unanswered MFA push (the MFA step fails with error code 500121, ‘Authentication failed during strong authentication request’). The pattern to look for is a burst of these failures for one user within a few minutes, typically from a single unfamiliar IP address, and above all a successful sign-in immediately after such a burst, which suggests the user gave in.
Organisations with Microsoft 365 E3 or E5, or standalone Azure AD Premium P1 licensing, can view up to 30 days of sign-in activity in the Azure portal; tenants without Premium licensing keep only seven days, so export the logs to a SIEM or storage account if you want a longer history.
Alternatively, further information can be gathered from the audit logs in the Microsoft Purview compliance portal. As standard, audit logs are available for up to 90 days. However, this can be extended through purchase of Office 365 E5 or Microsoft 365 E5. There are also several standalone licenses available to purchase.
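The check described above can be automated rather than run by eye in the portal. The following is an added example written for this article, not Intersys’s or Microsoft’s own tooling. It assumes sign-in records exported as JSON in the shape of the Microsoft Graph signIn resource (fields createdDateTime, userPrincipalName, ipAddress and status.errorCode); the records in SAMPLE_LOG are constructed for illustration, and the threshold of five failures in ten minutes is an assumed starting point to tune against your own baseline. It goes slightly beyond the text by also flagging the case that matters most: a successful sign-in shortly after the burst of denied pushes.

```python
"""Flag possible MFA fatigue (prompt bombing) in exported Azure AD sign-in logs.

Added example, not part of the original article. Record layout follows the
Microsoft Graph signIn resource; sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Azure AD returns AADSTS500121 ("Authentication failed during strong
# authentication request") when the MFA step fails, which includes pushes the
# user denied and pushes that timed out. errorCode 0 is a successful sign-in.
MFA_FAILED = 500121
MFA_REASON = "Authentication failed during strong authentication request."


def _rec(ts, user, ip, code, reason):
    """Build one record in the shape of a Graph signIn resource (constructed)."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "status": {"errorCode": code, "failureReason": reason}}


# Constructed sample: alice is bombed for eight minutes from one IP and then
# approves; bob has a single ordinary failure; carol's three failures are
# hours apart and should not be flagged with the default window.
SAMPLE_LOG = [
    _rec("2023-03-01T02:00:05Z", "alice@example.com", "203.0.113.7", MFA_FAILED, MFA_REASON),
    _rec("2023-03-01T02:01:10Z", "alice@example.com", "203.0.113.7", MFA_FAILED, MFA_REASON),
    _rec("2023-03-01T02:02:30Z", "alice@example.com", "203.0.113.7", MFA_FAILED, MFA_REASON),
    _rec("2023-03-01T02:04:00Z", "alice@example.com", "203.0.113.7", MFA_FAILED, MFA_REASON),
    _rec("2023-03-01T02:05:45Z", "alice@example.com", "203.0.113.7", MFA_FAILED, MFA_REASON),
    _rec("2023-03-01T02:07:20Z", "alice@example.com", "203.0.113.7", MFA_FAILED, MFA_REASON),
    _rec("2023-03-01T02:08:00Z", "alice@example.com", "203.0.113.7", 0, "Other."),
    _rec("2023-03-01T09:15:00Z", "bob@example.com", "198.51.100.4", MFA_FAILED, MFA_REASON),
    _rec("2023-03-01T08:00:00Z", "carol@example.com", "192.0.2.10", MFA_FAILED, MFA_REASON),
    _rec("2023-03-01T11:00:00Z", "carol@example.com", "192.0.2.10", MFA_FAILED, MFA_REASON),
    _rec("2023-03-01T14:00:00Z", "carol@example.com", "192.0.2.10", MFA_FAILED, MFA_REASON),
]


def parse_time(value):
    """Parse the ISO 8601 'Z' timestamps the export uses into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_prompt_bombing(records, threshold=5, window=timedelta(minutes=10)):
    """Return {user: hit} for every user with >= threshold MFA failures inside one window.

    hit = {"count", "first", "last", "ips", "approved_after"}; approved_after is
    True when a successful sign-in follows the burst within the same window,
    i.e. the user may have relented and the account should be treated as compromised.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for r in records:
        t, code = parse_time(r["createdDateTime"]), r["status"]["errorCode"]
        if code == MFA_FAILED:
            failures[r["userPrincipalName"]].append((t, r["ipAddress"]))
        elif code == 0:
            successes[r["userPrincipalName"]].append((t, r["ipAddress"]))

    hits = {}
    for user, events in failures.items():
        events.sort()
        start, best = 0, None
        # Sliding window over the sorted failures; keep the densest qualifying run.
        for end, (t_end, _) in enumerate(events):
            while t_end - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                run = events[start:end + 1]
                best = {"count": count, "first": run[0][0], "last": t_end,
                        "ips": sorted({ip for _, ip in run})}
        if best is None:
            continue
        best["approved_after"] = any(
            best["last"] <= t <= best["last"] + window for t, _ in successes[user])
        hits[user] = best
    return hits


if __name__ == "__main__":
    for user, hit in find_prompt_bombing(SAMPLE_LOG).items():
        flag = "POSSIBLE COMPROMISE" if hit["approved_after"] else "prompt bombing"
        print(f"{user}: {hit['count']} MFA failures between {hit['first']:%H:%M} and "
              f"{hit['last']:%H:%M} from {', '.join(hit['ips'])} [{flag}]")
```

Run it against a real export by loading the JSON array into `find_prompt_bombing`; widen the window or lower the threshold if your users sit behind a shared egress address, and treat any hit with `approved_after` set as an incident rather than a nuisance.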
How can I protect my Microsoft account from MFA fatigue attacks?
You can protect your Microsoft account from MFA fatigue attacks by tightening the MFA settings in Azure AD and by disabling phone-call authentication in favour of the Microsoft Authenticator app.
Azure admins can also configure the account lockout limits of the MFA service (the number of MFA denials that triggers a lockout, and the minutes until the counter resets) to cap how many pushes an attacker can fire at a user in a given timeframe. Check Microsoft’s current documentation for which deployments these lockout settings apply to. They reduce the nuisance of prompt bombing but do not stop a single well-timed prompt being approved.
More significantly, as Intersys senior consultant Jake Ives says, ‘Number matching is a new phone sign-in mechanism available in the security section of the Azure AD Portal. Activate it for MFA to generate a unique, two-digit number that must be confirmed on both sides. This makes it harder for criminals to undertake MFA fatigue attacks – they are shown a number they must tap into the phone’s app to complete sign in but, of course, they don’t have access to the phone. This feature will eventually be rolled out as a default setting.’
Intersys helps organisations of all sizes protect their data and people from cyber criminals. Our cyber security services division can work with your own IT team to provide everything from breach response to full security operations centre services, with plans to suit every organisation.