A social engineering tactic tied to numerous cybersecurity incidents and breaches

About the Threat

As reported by Bleeping Computer, high-profile organizations are increasingly being targeted—and impacted—by multi-factor authentication (MFA) fatigue attacks. An MFA fatigue attack (also known as MFA exhaustion or prompt bombing) is a type of social engineering attack where a threat actor attempts to log into an account with stolen credentials, resulting in the account owner being bombarded with MFA push notifications requesting account access. The threat actor relies on the account owner to eventually approve one of the requests, thereby giving the threat actor access to devices and systems protected by the MFA application.

What You Should Know

MFA remains an important account protection tool, but it’s critical that users understand its limitations—and the warning signs associated with MFA fatigue attacks. Following is suggested text that can be used in email, internal chat, or other communication channels. Please review and adjust as needed, paying particular attention to the highlighted text. If your organization recommends or requires use of certain authentication tools, it’s advisable to remind users about that in this communication.

Threat Alert: What to Watch For

  • Numerous high-profile organizations have recently fallen victim to what are known as “multi-factor authentication (MFA) fatigue attacks” or “MFA prompt bombing.”
  • In these attacks, a threat actor uses a set of compromised credentials to repeatedly attempt to log into an account that is protected via a certain type of MFA technology.
  • Each login attempt generates a multi-factor approval request that is delivered to the account owner (often via a mobile phone). The account owner must then either approve or deny the request.
  • The attackers hope that the recipient will tire of (or become “fatigued” by) the repeated requests and eventually approve the login, giving the attacker access to the account.
  • In some cases, an attacker might even impersonate IT support staff and contact an account owner directly (by phone, email, or a messaging app) to encourage them to accept a request.
  • Depending on the account they gain access to, the attacker could leverage that initial access to further compromise an individual or an organization.

Key Actions: How to Handle Suspicious Authentication Requests

  • If you receive any authentication request for a login that you did not initiate, do not approve it.
  • For work-related accounts and systems, report suspicious approval requests to your security team as soon as possible. Be sure to note if you have received multiple login requests over a short period of time as this is an indication of an MFA fatigue attack.
  • Change your account password if you receive an unusual MFA request. Most authentication requests occur after login credentials (usually a username and password) are entered. So, if you receive one or more unexpected MFA approval requests for an account, it’s a sign that your login credentials were previously compromised and obtained by an attacker.
  • If you believe you accidentally approved a suspicious MFA request, alert your security team ASAP.
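As an added example (not part of the original alert), the following Python script applies the indicator from the second action above, many MFA prompts for one account in a short period, to constructed authentication-log lines: it flags accounts that received a burst of push prompts and whether an approval followed the burst. The log format, field names, window and threshold are assumptions.

```python
# Added example, not part of the original alert: flag bursts of MFA push prompts
# that match the prompt-bombing pattern. Log format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events, one per line: "timestamp user result"
SAMPLE_LOG = """\
2023-09-12T08:01:05Z alice denied
2023-09-12T08:01:40Z alice timeout
2023-09-12T08:02:10Z alice denied
2023-09-12T08:02:55Z alice timeout
2023-09-12T08:03:30Z alice approved
2023-09-12T09:15:00Z bob approved
2023-09-12T10:00:00Z carol denied
2023-09-12T12:30:00Z carol denied
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def find_prompt_bombing(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: (max_prompts_in_window, approved_in_burst)} for users who
    received `threshold` or more push prompts within `window`. A burst that
    contains an approval is the case to escalate first: the user may have
    given in to the repeated requests."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    findings = {}
    for user, prompts in by_user.items():
        start = 0
        for end in range(len(prompts)):
            # Slide the window start forward until all prompts fit in `window`.
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                approved = any(r == "approved" for _, r in prompts[start:end + 1])
                prev_count, prev_approved = findings.get(user, (0, False))
                findings[user] = (max(prev_count, count), prev_approved or approved)
    return findings

if __name__ == "__main__":
    for user, (n, approved) in find_prompt_bombing(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {n} prompts within window, approval in burst={approved}")
```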

MFA remains a valuable account protection tool, and we recommend you always opt into MFA on personal accounts when available. If you have a choice of authentication tools on your personal accounts, we suggest using those tools there as well.

But keep in mind that MFA is not a failsafe. Attackers continue to seek opportunities to bypass and compromise MFA protections. If you’re concerned one of your work accounts has been compromised, please contact your local IT department or send an email to security@uchicago.edu as soon as possible. We’re here to help!
