Recent investigations have shown a significant increase in the number of attacks that leverage Push Notification Spamming, which ultimately penetrate Office 365 accounts and even compromise entire organizations. As corporations like Microsoft move away from SMS and voice-based authentication, analysts say the adoption of app-based authentication has opened the door for cybercriminals to benefit from MFA Fatigue.
What is MFA Fatigue?
“MFA Fatigue” is when an attacker overloads a victim’s device by “pushing” notifications or prompts via MFA (Multi-Factor Authentication) applications. This method fatigues the user until they approve the login attempt, after which a hacker gains control of the account. To do this, an attacker must initially have the user’s credentials, which can be obtained via brute force attacks, password reuse, or spraying. An attacker would first launch an “MFA auto-retry script” and try to sign in using the victim’s credentials. Then, the attacker will click on “I can’t use my Microsoft Authenticator app right now” in an app that notifies the victim to approve sign-in. The notifications are sent repeatedly until a user eventually gives in and approves. “Many MFA users are not familiar with this type of attack and would not understand they are approving a fraudulent notification,” said GoSecure. GoSecure has published a video demonstration of this attack vector on their YouTube channel.
High-profile Russian threat actors use this method
Multiple clusters of “Russian intrusion activity” targeting governments and businesses around the world are using this method, according to Mandiant security researchers.
How to Detect MFA Fatigue in Microsoft 365
Security researchers recommend that IT professionals take the following steps to detect multiple push notifications; More detailed information can be found in GoSecure’s blog post.
How to Resolve Push Notification Spamming
Microsoft 365 administrators can choose a variety of ways to fight MFA Fatigue. One way is to configure service limits (the default limits) of the Multi-Factor Authentication service, which can be found here. Another way is to use Microsoft Authenticator’s phone sign-in verification method where a “unique two-digit number is generated and must be confirmed on both sides.” This makes it very difficult for an attacker to compromise anything. Finally, an administrator can disable Push Notifications completely as a verification method by following these steps:
Microsoft Office 365 Security Problems
Microsoft Office 365, used by millions of companies and over 50 million users around the world, is well-known in IT security circles for its security problems, vulnerabilities, and stability issues. Some of these problems include frequent phishing attacks and unsecured code leading to vulnerabilities.
MFA Fatigue is a New Area of Concern
“MFA Fatigue is a real concern with potential implications to compromise Microsoft Office 365 accounts, but there are many ways to protect ourselves from MFA Fatigue and the current rise in Push Notification Spamming attacks” said GoSecure.