Multi-Factor Authentication (MFA) fatigue (also known as MFA prompt spamming) is a relatively new name for an old technique; it came to wide attention after the LAPSUS$ group's 2022 intrusions, including its breach of a Microsoft account. Numerous MFA options are in use today, including one-time passwords (OTP), SMS codes and push notifications such as those sent by the Microsoft Authenticator app.
While these methods exist to add a second barrier beyond the password, attackers adapt, and MFA prompt spamming is currently one of the more practical ways they get past push-based MFA.
The most frequently asked question when discussing MFA prompt spamming is, "Is MFA secure?" The answer is yes, with the caveat that some MFA methods resist this attack far better than others. According to Microsoft, enabling MFA blocks more than 99.9% of account compromise attacks, so any MFA is far better than none.
Introduction to MFA fatigue
MFA prompt spamming has been a known attack vector for years and had been seen in real intrusions well before 2022; the LAPSUS$ attacks simply made it famous. That is also why companies must ensure that employees learn to protect both themselves and the organisation.
In an MFA prompt spamming attack, the attacker repeatedly triggers MFA prompts in the hope that the target eventually accepts one. With a valid username and password in hand, the attacker can initiate a prompt at will (a phone call, a push notification, and so on) and keeps doing so until the worn-down target accepts, whether deliberately or by mistake. That single approval gives the attacker initial access for data theft or further malicious activity.
This article focuses on push notification spamming, the most common form of the attack.
How does push notification spamming work?
The LAPSUS$ attacks exposed the shortcomings of several MFA methods, push notifications above all.
The approach is straightforward: holding the victim's credentials, the attacker submits them again and again, by hand or with a script, and every attempt sends a fresh push notification to the victim's phone. The attacker keeps this up until the victim approves one of the login attempts and hands over access.
It works because the user becomes overwhelmed or distracted by the stream of notifications, or mistakes one of them for a genuine sign-in attempt of their own.
This method is appealing because it targets the human side of MFA rather than the technology. Many MFA users have never heard of the attack and may not realise they have authorised a fraudulent login. In trying to silence the notifications, victims unintentionally accept one and are compromised; under "notification overload" they simply do not recognise the threat.
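From the defender's side, the attack described above leaves a distinctive trail: a burst of MFA prompts denied or timed out for one account in a few minutes, often followed by a single success. The following added example (not code from the original article or from Microsoft) flags that pattern in records shaped like Azure AD sign-in log entries. The sample records are constructed for illustration, and the 10-minute window and 5-failure threshold are tuning assumptions rather than Microsoft guidance.

```python
"""Spot a push-spam burst in Azure AD sign-in log records.

Added example for this article; it is not code from the original page or
from Microsoft. The records below are constructed to mimic the shape of
Azure AD (Entra ID) sign-in log entries exported from the Graph API
(createdDateTime, userPrincipalName, ipAddress, status.errorCode); real
exports carry many more fields. Error code 500121, "authentication failed
during strong authentication request", is what a push prompt that the
user denied or let time out produces, so a tight cluster of them for one
account is the footprint of prompt spamming. The 10-minute window and
5-failure threshold are tuning assumptions, not Microsoft guidance.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_STRONG_AUTH_FAILED = 500121
WINDOW = timedelta(minutes=10)
THRESHOLD = 5


def _rec(ts, upn, ip, code):
    """Build one constructed sign-in record in the Graph signIns shape."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample data: alice is being spammed from one address and
# finally approves (errorCode 0 = success); bob declines two prompts an
# hour apart, which is normal user behaviour and must not alert.
SAMPLE_SIGNINS = [
    _rec("2022-09-15T21:00:05Z", "alice@example.com", "203.0.113.7", 500121),
    _rec("2022-09-15T21:00:41Z", "alice@example.com", "203.0.113.7", 500121),
    _rec("2022-09-15T21:01:17Z", "alice@example.com", "203.0.113.7", 500121),
    _rec("2022-09-15T21:01:58Z", "alice@example.com", "203.0.113.7", 500121),
    _rec("2022-09-15T21:02:33Z", "alice@example.com", "203.0.113.7", 500121),
    _rec("2022-09-15T21:03:10Z", "alice@example.com", "203.0.113.7", 500121),
    _rec("2022-09-15T21:03:49Z", "alice@example.com", "203.0.113.7", 0),
    _rec("2022-09-15T20:15:00Z", "bob@example.com", "198.51.100.22", 500121),
    _rec("2022-09-15T21:20:00Z", "bob@example.com", "198.51.100.22", 500121),
    _rec("2022-09-15T21:21:00Z", "bob@example.com", "198.51.100.22", 0),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_prompt_spam(records, window=WINDOW, threshold=THRESHOLD):
    """Return {upn: finding} for every account whose strong-auth failures
    reach `threshold` inside some span no longer than `window`.

    The finding carries the densest window found, the source IPs in it,
    and whether a successful sign-in followed the burst (the sign that
    the victim eventually tapped Approve)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append(
            (parse_ts(r["createdDateTime"]), r.get("ipAddress"),
             r.get("status", {}).get("errorCode")))

    findings = {}
    for upn, events in by_user.items():
        events.sort()
        failures = [e for e in events if e[2] == MFA_STRONG_AUTH_FAILED]
        best, start = None, 0
        for end in range(len(failures)):          # sliding window over failures
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if best is None or end - start + 1 > best[1] - best[0] + 1:
                best = (start, end)
        if best is None or best[1] - best[0] + 1 < threshold:
            continue
        burst = failures[best[0]:best[1] + 1]
        last_failure = burst[-1][0]
        approved_after = any(
            code == 0 and last_failure <= ts <= last_failure + window
            for ts, _ip, code in events)
        findings[upn] = {
            "count": len(burst),
            "first": burst[0][0].isoformat(),
            "last": last_failure.isoformat(),
            "source_ips": sorted({ip for _ts, ip, _code in burst}),
            "approved_after_burst": approved_after,
        }
    return findings


if __name__ == "__main__":
    for upn, finding in detect_prompt_spam(SAMPLE_SIGNINS).items():
        print(upn, finding)
```

A finding with `approved_after_burst` set is the one to treat as a probable compromise rather than a nuisance: revoke the user's sessions and reset the password before investigating further. The same logic ports directly to a scheduled query against the sign-in log table in a SIEM.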
How to prevent push notification spamming
Several techniques reduce the chance of this attack succeeding against you. A few are highlighted below so that users and administrators can choose what suits them best.
Number matching in Microsoft Authenticator
Users of Microsoft Authenticator can blunt unsolicited prompts by enabling number matching.
With number matching, the sign-in screen displays a two-digit number, and the user must type that number into the Authenticator app before the prompt is approved. The number appears only where the sign-in was started, so when an attacker triggers the prompt, the victim's phone asks for a number the victim has never seen: a reflex tap on "Approve" is no longer possible, and a blind guess succeeds about one time in a hundred. Microsoft has since made number matching mandatory for all Authenticator push notifications. The caveat is that number matching stops blind approvals, not social engineering: an attacker who phones the victim and reads out the number displayed on their own screen can still talk a cooperative user into typing it in, so user awareness remains part of the defence.
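The exchange just described, as an added toy model (not Microsoft's implementation and not code from the original article): one identity provider class that can run in legacy "tap to approve" mode or in number-matching mode, an attacker who holds the password and fires prompts, and the victim behaviours the attack depends on. The class and function names and the single-use prompt table are illustrative assumptions; the two-digit range matches Authenticator's.

```python
"""Toy model of legacy push approval versus number matching.

Added example for this article; it is not Microsoft's implementation or
code from the original page. Class and function names, the two-digit
range and the single-use prompt table are illustrative assumptions. The
point it demonstrates is structural: the number is shown only on the
screen where the sign-in was started, and the phone must echo it back,
so a prompt the victim did not start cannot be approved by reflex.
"""
import secrets


class IdentityProvider:
    """Minimal stand-in for the service that issues push prompts."""

    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.pending = {}  # prompt_id -> {"user", "number", "approved"}

    def start_sign_in(self, user: str):
        """Called by whoever holds the password (legitimate user or attacker).

        Returns (screen, push): `screen` is what the browser that started
        the sign-in shows, `push` is what the phone receives. The number
        travels only in `screen`, never in `push`."""
        prompt_id = secrets.token_hex(8)
        number = secrets.randbelow(100) if self.number_matching else None
        self.pending[prompt_id] = {"user": user, "number": number, "approved": False}
        screen = {"prompt_id": prompt_id, "number": number}
        push = {"prompt_id": prompt_id, "user": user}
        return screen, push

    def approve(self, prompt_id: str, entered=None) -> bool:
        """Called from the Authenticator app. Legacy mode: a tap suffices.
        Number matching: the typed number must equal the one on screen."""
        prompt = self.pending.get(prompt_id)
        if prompt is None or prompt["approved"]:
            return False
        if self.number_matching and (entered is None or int(entered) != prompt["number"]):
            return False  # a real IdP logs this as a failed strong-auth attempt
        prompt["approved"] = True
        return True


# Victim behaviours the attack relies on ---------------------------------
def reflex_tap(idp, push):
    """Approve without reading: the habit prompt spamming exploits."""
    return idp.approve(push["prompt_id"])


def reflex_guess(idp, push):
    """With number matching the victim never saw the number, so the best
    a reflex can do is type something."""
    return idp.approve(push["prompt_id"], entered=secrets.randbelow(100))


def legitimate_user(idp, user="alice"):
    """The honest flow: the user starts the sign-in, reads the number off
    their own screen and types it into the app."""
    screen, push = idp.start_sign_in(user)
    return idp.approve(push["prompt_id"], entered=screen["number"])


def spam_campaign(number_matching: bool, victim, attempts: int = 50) -> int:
    """Attacker with alice's password fires `attempts` prompts; the victim
    reacts with `victim` each time. Returns how many prompts got approved."""
    idp = IdentityProvider(number_matching)
    approved = 0
    for _ in range(attempts):
        _screen, push = idp.start_sign_in("alice")  # attacker sees _screen, victim gets push
        approved += victim(idp, push)
    return approved


if __name__ == "__main__":
    print("legacy push, reflex tap  :", spam_campaign(False, reflex_tap), "/ 50 approved")
    print("number matching, reflex  :", spam_campaign(True, reflex_tap), "/ 50 approved")
    print("number matching, guessing:", spam_campaign(True, reflex_guess), "/ 50 approved")
    print("legitimate user          :", legitimate_user(IdentityProvider(True)))
```

Running it shows the asymmetry: in legacy mode every spammed prompt that gets a tap is approved, while with number matching the tap alone never succeeds and guessing lands roughly one prompt in a hundred, each miss leaving a failed strong-authentication record behind for the defender.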
Service configuration restrictions
Tightening the default settings of the MFA service is one effective way to protect Microsoft 365 accounts against this attack.
Some suggestions for securing Microsoft (Azure AD) identities:
- Require MFA for all users in all locations.
- Use Microsoft Authenticator with number matching enabled, or better still, phishing-resistant FIDO2 security keys.
- Implement risk-based Conditional Access policies that block high-impact actions, such as device enrolment and MFA registration, from risky sign-ins.
- Keep break-glass accounts offline and out of online password managers.
- Enable Azure AD Password Protection to block easily guessable passwords.
What a good IT service provider should offer
A good IT service provider will assist you in the following areas:
- Updating your security approach to match current threats.
- Safeguarding your identities, apps, clouds and endpoints with complete solutions.
- Eliminating blind spots through proactive threat hunting and extended detection and response.
- Identifying and addressing security issues in your multi-cloud configurations.
Ensure your MFA process is as solid as it can be
Looking for a dependable and efficient Managed IT services provider in Australia? Netcare is an excellent choice.
We are an Australian IT service support and delivery firm offering a range of managed IT services, with offices in several Australian cities. With our proprietary Netcare Technology Success process, you are in line for the best IT service delivery nationwide.
Contact us today online or at (02) 9114 9920.