Multi-factor Authentication offers added protection against unauthorized access to an application by prompting the intended user with a push notification or email in order to successfully log-in. Upon confirmation the user is granted access to the application.

The team at GoSecure Titan Labs have recently identified that cybercriminals are using a technique called “MFA Fatigue” as an attack vector to access the Microsoft 365 accounts of their targets.

MFA Fatigue isn’t a terribly sophisticated attack. It works by essentially spamming the victim (whose credentials were previously discovered by the attacker) with MFA push notifications in hopes the victim will eventually accept the prompt (out of fatigue) and unknowingly grant the attacker access to the device.

It is being recommended that IT departments begin monitoring Azure’s sign-in logs, and filter for sign-in status by failures in order to monitor for this attack. This will provide a log of denied MFA push notifications that can be configured for alerts.

There are ways to mitigate this attack including the configuration of default limits of MFA authentication as well as enabling Microsoft’s Authentication Phone Sign-in Verification. This thwarts the attack by asking the intended user of the application to enter the digits seen on the login screen. In an attack scenario, only the attacker would see these digits and the victim would be protected against accepting the MFA notification out of “fatigue”.

Contact us today to schedule a no-obligation consultation to discuss ways to protect ourselves from MFA Fatigue and the current rise in Push Notification Spamming attacks.