What Are MFA Fatigue Attacks? How MFA Bombing Tricks Users and Compromises Accounts
A multi-factor authentication (MFA) fatigue attack is a social engineering tactic in which attackers send numerous calls or push notifications to a person's authenticator app or phone, hoping the person will eventually accept one. The attackers then gain access to the account. In some cases, the attacker may pose as a trusted figure, such as a coworker in IT.
MFA fatigue attacks are also known as:
MFA prompt bombing
MFA push spam
MFA push bombing
The technique has seen a rise in popularity and has shown that MFA on its own isn’t fully secure. Let's review how MFA fatigue attacks work and what organizations can do to protect themselves.
How Do MFA Fatigue Attacks Work?
The quick version:
An attacker uses stolen credentials to log into an account. Security measures require some form of MFA to get full access to the account.
The attacker sends endless push requests to the account owner's mobile device.
The account owner accepts a push request, either simply to stop the bombardment, or because the attacker uses social engineering tactics to convince the account owner it is a legitimate push request.
MFA fatigue attacks can only begin when an attacker has gained the correct login credentials. There are various ways attackers can collect usernames and passwords, including buying them from hacker groups, using brute force attacks, credential stuffing, and more.
An attacker often needs more than the correct credentials, though. Once they have entered the credentials, they are faced with the MFA prompt. Traditionally, this has been viewed as enough to stop attackers from gaining access to an account. But attackers evolve.
Attackers can enter the credentials hundreds of times and create hundreds of prompts on the recipient's device in a short period of time with the help of an automated script. They specifically target mobile push notifications that alert a recipient to an MFA request. These prompts usually ask something like "Approve sign-in?" with Approve or Deny options.
The multiple requests can easily frustrate the recipient, and they may accept the push-notification-based MFA prompt accidentally, out of fatigue, or out of confusion.
In a more hands-on scenario, attackers could call the recipient and pretend to be IT support or another trusted source. Then they can convince the recipient to accept the push-notification MFA.
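The pattern described above (many push prompts to one account in a short window, mostly denied, sometimes followed by an approval) is visible in authentication logs. As an added example that is not part of the original article, the Python script below shows the kind of check a security team could run over such logs: it groups push events per user, finds the densest run of prompts inside a sliding window, and reports how that run ended. The log layout (`user= event= src=` fields), the event names, the threshold and window values, and the sample lines are all constructed for illustration and do not correspond to any particular product's log format.

```python
"""Flag MFA push-bombing bursts in authentication logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines; the "user= event= src=" layout is an assumed format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice event=mfa_push_sent src=203.0.113.7
2024-05-01T09:00:08Z user=alice event=mfa_push_denied src=203.0.113.7
2024-05-01T09:00:20Z user=alice event=mfa_push_sent src=203.0.113.7
2024-05-01T09:00:27Z user=alice event=mfa_push_denied src=203.0.113.7
2024-05-01T09:00:40Z user=alice event=mfa_push_sent src=203.0.113.7
2024-05-01T09:00:45Z user=alice event=mfa_push_denied src=203.0.113.7
2024-05-01T09:01:00Z user=alice event=mfa_push_sent src=203.0.113.7
2024-05-01T09:01:04Z user=alice event=mfa_push_denied src=203.0.113.7
2024-05-01T09:01:20Z user=alice event=mfa_push_sent src=203.0.113.7
2024-05-01T09:01:25Z user=alice event=mfa_push_denied src=203.0.113.7
2024-05-01T09:01:40Z user=alice event=mfa_push_sent src=203.0.113.7
2024-05-01T09:01:52Z user=alice event=mfa_push_approved src=203.0.113.7
2024-05-01T09:03:10Z user=bob event=mfa_push_sent src=198.51.100.20
2024-05-01T09:03:18Z user=bob event=mfa_push_approved src=198.51.100.20
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "event": m["event"], "src": m["src"]}


def find_push_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Per user, find the densest run of push prompts; report it if it reaches the threshold.

    Each reported burst carries the outcomes recorded while it was underway, because a
    burst that ends in an approval is the case needing an immediate response
    (session revocation, password reset) rather than just a ticket.
    """
    per_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"].startswith("mfa_push_"):
            per_user[rec["user"]].append(rec)

    findings = []
    for user, events in per_user.items():
        events.sort(key=lambda r: r["ts"])
        prompts = [r for r in events if r["event"] == "mfa_push_sent"]
        best, start = None, 0
        for end in range(len(prompts)):            # sliding window over prompt timestamps
            while prompts[end]["ts"] - prompts[start]["ts"] > window:
                start += 1
            span = prompts[start:end + 1]
            if len(span) >= threshold and (best is None or len(span) > len(best)):
                best = span
        if best is None:
            continue
        first, last = best[0]["ts"], best[-1]["ts"]
        # Outcomes recorded during the burst, plus one window after the last prompt.
        in_burst = [r for r in events if first <= r["ts"] <= last + window]
        findings.append({
            "user": user,
            "prompts": len(best),
            "denied": sum(r["event"] == "mfa_push_denied" for r in in_burst),
            "approved": any(r["event"] == "mfa_push_approved" for r in in_burst),
            "sources": sorted({r["src"] for r in best}),
            "first": first.isoformat(),
            "last": last.isoformat(),
        })
    return findings


if __name__ == "__main__":
    for finding in find_push_bursts(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed sample, only `alice` is reported (six prompts in under two minutes, five denials, then an approval), while `bob`'s single prompt and approval is left alone. The threshold and window are deliberately parameters: a real deployment tunes them to how often legitimate users actually receive prompts, and pairs the check with the source address so that a burst from an address the user has never logged in from ranks higher.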
Why Are MFA Fatigue Attacks Growing in Popularity?
To put it simply, MFA bombing is growing in frequency because it works. Many organizations now rely on MFA to secure their environments, so a nefarious workaround is a natural progression.
Cybersecurity is an arms race: every advancement in the industry presents a challenge for attackers. And since cyberattack groups are sophisticated and financially motivated, there is a tangible reward to discovering workarounds. Once a cyberattack group discovers a successful technique like MFA bypassing, other groups follow suit.
One of the biggest challenges attackers face in compromising an account is the MFA layer. While there are various methods to steal account credentials, actually gaining access is another matter. But the success of MFA fatigue attacks has proven that it's possible to bypass the MFA if attackers use the right strategy and if organizations aren't prepared for the threat.
MFA Fatigue Attack Examples
There are several recent incidents of hackers gaining access using the MFA fatigue attack technique. It is commonly associated with the Lapsus$ and Yanluowang hacker groups, but the tactic may continue to grow in popularity as other groups adopt it.
Here are a couple of recent examples of MFA fatigue attacks:
Cisco: Threat actors used vishing to steal a Cisco employee’s login credentials. The threat actors then used voice phishing attacks to impersonate trusted sources and convince the victim to accept an MFA push notification. The attackers gained access to the corporate VPN and eventually compromised Cisco systems.
Uber: An Uber contractor's personal device had malware that stole their login credentials. It's believed the credentials were sold on the dark web. The attacker then implemented an MFA fatigue attack, and the Uber contractor eventually accepted one of the MFA requests. The attacker was then able to access several employee accounts.
How to Prevent MFA Fatigue Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) released a guide on implementing phishing-resistant MFA and number matching in MFA applications. Some of the agency's recommendations include:
Implement MFA for all users and all services, including email, file sharing, and financial account access. Any MFA is better than no MFA.
Phishing-resistant MFA is the gold standard, including:
FIDO/WebAuthn authentication: Either separate physical tokens or authenticators built into devices ("platform" authenticators).
Public key infrastructure (PKI)-based MFA: A smart card with an embedded security chip; the card must be directly connected to the device for the user to log in.
If an organization can't implement phishing-resistant MFA, move to a more secure form of MFA such as number matching or token-based MFA. These help prevent MFA fatigue because the user must have the login screen in front of them to enter the code, which discourages prompt spam.
Upgrade systems to include MFA or migrate to new systems that support MFA.
If needed, implement MFA in phases and prioritize valuable resources (email systems, file servers, and remote access systems) and high-target users (system administrators, lawyers, or HR staff).
Employee security awareness training should include recognizing MFA fatigue and how to report MFA fatigue attacks.
IT security teams should investigate denied push notifications, since they could indicate that a user's login credentials have been compromised.
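To show two of the controls above working together, here is an added example (not CISA's guidance text and not the article's own code) of a simulated push-MFA server. It implements number matching, so a tap on Approve only counts if the user also enters the number displayed on the login screen, and it throttles how many prompts one user can receive in a time window, writing every outcome to an audit list that a security team reviewing denied prompts would read. The policy values `MAX_PROMPTS` and `WINDOW_SECONDS`, the class and method names, the event labels, and the user names are all assumptions made for this illustration.

```python
"""Simulated push-MFA server with number matching and prompt throttling (added example)."""
import secrets
import time
from collections import defaultdict, deque

MAX_PROMPTS = 3         # assumed policy: at most 3 push prompts per user per window
WINDOW_SECONDS = 300    # assumed policy: 5-minute window


class PushMfaServer:
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock so the simulation is deterministic
        self._recent = defaultdict(deque)    # user -> timestamps of recent prompts
        self._pending = {}                   # challenge id -> (user, number shown on login screen)
        self.audit = []                      # (event, user) records for the security team

    def request_push(self, user):
        """Called after a correct password. Returns (challenge_id, number) or raises when throttled."""
        now = self._now()
        recent = self._recent[user]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_PROMPTS:
            self.audit.append(("push_throttled", user))
            raise PermissionError("too many MFA prompts; further pushes suppressed")
        recent.append(now)
        cid = secrets.token_hex(8)
        number = secrets.randbelow(100)          # shown only on the login screen, never in the push
        self._pending[cid] = (user, number)
        self.audit.append(("push_sent", user))
        return cid, number

    def respond(self, cid, approve, entered_number=None):
        """Authenticator-app response. Approval only succeeds if the entered number matches."""
        if cid not in self._pending:
            return False                          # unknown or already-consumed challenge
        user, number = self._pending.pop(cid)
        if not approve:
            self.audit.append(("push_denied", user))
            return False
        if entered_number != number:
            self.audit.append(("push_number_mismatch", user))
            return False
        self.audit.append(("push_approved", user))
        return True


def simulate_prompt_bombing(attempts=5):
    """Someone holding alice's password triggers repeated prompts; alice taps Approve blindly."""
    clock = [1_000_000.0]
    server = PushMfaServer(now=lambda: clock[0])
    outcomes = []
    for _ in range(attempts):
        try:
            cid, _number_on_login_screen = server.request_push("alice")
        except PermissionError:
            outcomes.append("throttled")
            continue
        # Alice never sees that login screen, so she cannot supply the number; a bare tap fails.
        ok = server.respond(cid, approve=True, entered_number=None)
        outcomes.append("approved" if ok else "rejected")
        clock[0] += 10
    return outcomes, server.audit


def legitimate_login(server, user="bob"):
    """The real user reads the number off their own login screen and enters it in the app."""
    cid, number = server.request_push(user)
    return server.respond(cid, approve=True, entered_number=number)


if __name__ == "__main__":
    print(simulate_prompt_bombing()[0])   # ['rejected', 'rejected', 'rejected', 'throttled', 'throttled']
    print(legitimate_login(PushMfaServer()))
```

Two design points carry the weight here. The number is generated server-side and returned only to the login session that entered the password, so it never travels inside the push notification; that is what makes a blind approval fail. The throttle is keyed per user rather than per source address, because the person sending the prompts controls the address but not the account being bombarded, and the `push_throttled` and `push_number_mismatch` audit records are exactly the signals the investigation recommended above would look for.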
Mitigating MFA fatigue attacks is crucial to protect your company data and email accounts.
To learn more about how Abnormal Security can stop modern email security threats, request a demo to see how we do it.