Gaining access to critical systems and stealing sensitive data are top objectives for most cybercriminals. Social engineering and phishing are powerful tools to help them achieve both. That’s why multifactor authentication (MFA) has become such an important security measure for businesses and users. Without MFA as part of the user authentication process, it is much less challenging for an attacker with stolen credentials to authenticate a user’s account.
The primary goal of MFA is to reduce the risk of unauthorized access, especially in situations where passwords alone may not provide enough protection. Even if an attacker steals a user’s password, with MFA they still need the second factor (and maybe others) to gain access to an account. Examples of MFA factors include biometrics, like fingerprints, and signals from user devices, like GPS location.
MFA isn’t a perfect solution, though—it can be bypassed. Adversaries are relentless in their efforts to undermine any security defenses standing in the way of their success. (The evolution of phish kits for stealing MFA tokens is evidence of that.) But sometimes, attackers will choose to take an in-your-face approach that is not very creative or technical. MFA fatigue attacks fall into that category.
What are MFA fatigue attacks—and how do they work?
MFA fatigue attacks, also known as MFA bombing or MFA spamming, are a form of social engineering. They are designed to wear down a user’s patience so that they will accept an MFA request out of frustration or annoyance—and thus enable an attacker to access their account or device.
Many people encounter MFA requests daily, or even multiple times per day, as they sign-in to various apps, sites, systems and platforms. Receiving MFA requests via email, phone or other devices as part of that process is a routine occurrence.
So, it is logical for a user to assume that if they receive a push notification from an account that they know requires MFA, it is a legitimate request. And if they are very busy at the time that they receive several push notifications in quick succession to authenticate an account, they may be even more inclined to accept a request without scrutinizing it.
Here’s an overview of how an MFA fatigue attack works:
- A malicious actor obtains the username and password of their target. They can achieve this in various ways, from password-cracking tactics like brute-force attacks to targeted phishing attacks to purchasing stolen credentials on the dark web.
- The attacker then starts to send MFA notifications to the user continuously, usually via automation, until that individual feels overwhelmed and approves the login attempt just to make the requests stop. (Usually, the push notifications from MFA solutions require the user to simply click a “yes” button to authenticate from the registered device or email account.)
- Once the attacker has unauthorized access to the account, they can steal sensitive data, install malware and do other mischief, including impersonating the user they have compromised—taking their actions as far as they can or want to go.
3 examples of successful MFA fatigue attacks
To help your users understand the risk of MFA bombing attacks, you may want to include some real-world examples in your security awareness program on this topic. Here are three notable incidents, which are all associated with the same threat actor:
- Uber. In September 2022, Uber reported that an attacker affiliated with the threat actor group Lapsus$ had compromised a contractor’s account. The attacker may have purchased corporate account credentials on the dark web, Uber said in a security update. The contractor received several MFA notifications as the attacker tried to access the account—and eventually accepted one. After the attacker logged in to the account, they proceeded to access other accounts, achieving privilege escalation. One action the attacker took was to reconfigure Uber’s OpenDNS to display a graphic image on some of the company’s internal sites.
- Cisco. Cisco suffered a network breach in May 2022 that was traced back to an employee’s compromised Google account. The target received a high volume of voice phishing attempts and push notifications and succumbed to MFA fatigue. Cisco reported that the attackers stole non-sensitive data. Threat researchers with Cisco attributed the attack to “an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.”
- Microsoft. In March 2022, Microsoft confirmed that Lapsus$ had gained access to its network and stolen proprietary source code. The data breach was traced back to a user whose account was compromised, and who later fell victim to an MFA fatigue attack. Microsoft reported that the attackers “used two main techniques to satisfy MFA requirements—session token replay and using stolen passwords to trigger simple-approval MFA prompts hoping that the legitimate user of the compromised account” would authenticate.
How to prevent MFA fatigue attacks
MFA bombing can be an effective tactic. But attackers don’t always have to go to great lengths to convince users to authenticate their accounts. That’s because many users feel MFA fatigue, generally, and not just when they are hassled by a barrage of push notifications.
Users may not be as diligent as they should be when responding to MFA requests. Some may view the authentication process as a security hurdle that slows them down. And some users might even resent having to comply with a request to verify their identity.
Given these dynamics, you will want to provide security awareness training on MFA bombing attacks that will engage your users in a positive way. Otherwise, they may not be receptive to the messages—or see the need to change their behavior.
Your business will also want to consider adopting measures that can fortify your defenses and make the authentication process easier for your users. Streamlining authentication can reduce MFA exhaustion and fatigue. Solutions that might work for your business, depending on your security needs, include:
- Time-based one-time passwords (TOTPs). A TOTP is a temporary passcode generated by an algorithm. TOTPs are typically six characters long and change after 30 or 60 seconds. Google Authenticator and Microsoft Authenticator are examples. There are also smartphone applications that can generate a TOTP for a user after they scan a QR code with their device.
- Biometric authentication. A person’s unique characteristics, like their fingerprint, voice print or facial image, can be saved and encrypted. When a user needs to log in to their account, they resubmit their biometrics to verify their identity. Another example is FIDO2, which uses registered devices or FIDO2 security keys to verify possession and validate user identities.
- Context-aware authentication. This is an advanced approach to identity and access management. It considers various factors to make informed decisions about granting or denying a user access to an account. Factors may include information about a user, such as their role in the company, or the location of the user or their device when accessing an account.
- Adaptive authentication. These systems evaluate various contextual factors and risk indicators to assign a risk score to an access request. Factors may include:
- User behavior
- Device information
- Location
- Time of access
- Historical access patterns
Limiting unnecessary MFA prompts can also help decrease the risk of your users feeling MFA fatigue. Single sign-on technology and passwordless authentication are two approaches that allow users to access a service without the need for repeated prompting or verification.
Artificial intelligence (AI) and machine learning can help your business to prevent MFA fatigue attacks as well. These advanced technologies can amplify threat detection by helping security teams identify anomalies in user behavior patterns. An unusual pattern would be an excessive number of push notifications sent in a short period, which may signal MFA bombing.
Robust security policies and practices also help
Password policies can play a crucial role in making it harder for attackers to guess or crack users’ passwords. Consider instituting a password policy that requires users to create passphrases that have more than 20 characters and requires the use of special characters. (For more best practices, see our Password Awareness Kit.)
You can also go a long way toward mitigating the damage of successful MFA attacks by embracing the concept of least privilege access. Also known as the principle of least privilege (POLP), this approach aims to restrict individuals, apps or systems to the minimum level of access or permissions they need to perform their authorized tasks—and nothing more. This helps to reduce your attack surface and limit any damages in the event of a breach.
A final tip: share knowledge about MFA attacks
If your business experiences a breach that you can trace back to MFA bombing, consider sharing your experiences and the lessons you have learned with the cybersecurity community. This can help defenders to research MFA attack methods and trends and develop solutions that can thwart the efforts of threat actors using this approach.
Learn more
Proofpoint can help your business defend against MFA fatigue attacks in several ways. Our targeted security awareness will help your users learn how to safely respond to MFA fatigue attacks. In the event that your environment is breached, Proofpoint Targeted Attack Protection (TAP) can detect and remediate any damages caused by an attack. And finally, Proofpoint Sigma provides powerful information protection solutions that merge content classification, threat telemetry and user behavior across all channels.