Microsoft Office 365 Users Are the Target of the Current MFA Fatigue Attack Campaign
Multi-factor Authentication, or MFA (also known as 2FA), is an effective way to safeguard your Office 365 accounts from intruders attempting to gain access. It adds a second layer of verification, beyond the password, that the individual attempting to log in is who they claim to be.
We’ve discovered an active Multi-Factor Authentication Fatigue campaign that’s been compromising Microsoft Office 365 subscribers. Using this technique, an attacker could gain access to the sensitive information in the targeted user’s mailbox and, from that position, prepare more sophisticated attacks.
What is MFA Fatigue, exactly?
The phrase “MFA Fatigue” refers to the user receiving excessive messages or prompts via MFA applications in many accounts throughout the day to perform logins or approve various operations. It’s not the same as “Password Fatigue,” which occurs when a user becomes overwhelmed by the number of passwords or PINs they must remember for numerous accounts or occasions. MFA Fatigue and Password Fatigue have the same underlying theme: the user becomes “fatigued” (or overwhelmed by volume) and begins to disregard security best practices, putting their company and accounts at risk.
MFA can authenticate the user via various methods, including SMS messages or phone calls in which the user confirms their identity using a pre-configured phone number. Another way of verifying a user’s identification is to generate a passcode that is updated at predetermined intervals. Push notifications from an app are another option. We’ll concentrate on this authentication mechanism because it allows an attacker to launch a push notification spamming attack.
What is Push Notification Spamming, and how does it work?
This method is simple: once the attacker has valid credentials, they repeatedly attempt to log in to the victim’s account, manually or automatically, so that each attempt sends the victim a push notification. The attacker keeps doing this until the victim approves one of the attempts and thereby grants the attacker access to the account. This happens when the user is preoccupied or overwhelmed by the prompts; in some instances the flood is mistaken for a bug or confused with other, legitimate authentication requests.
This approach is compelling because it targets the human component of MFA rather than the technology. Many MFA users are unaware of this type of attack and do not realize that they have approved a forged notification. Others simply want the prompts to stop and approve them without considering what they are doing, because they routinely approve such messages. The “notification overload” prevents them from noticing the hazard.
How to Prevent Spamming of Push Notifications
This type of attack can be mitigated in a variety of ways. We’ll highlight a few of them below so that M365 administrators can pick and choose what works best for them. We’ll concentrate on push notifications because password complexity rules and password reuse mitigations should already be in place.
Limits on Service Configuration – Configuring the default restrictions of the Multi-Factor Authentication service is one effective technique to safeguard your Microsoft 365 accounts against this attack.
Sign-In via Phone – By employing the Microsoft Authenticator’s phone sign-in verification technique, a user can help avoid unintended account access. In this method a unique two-digit number is generated, which must be confirmed on both sides: it is shown on the sign-in screen, and it must be matched in the Authenticator app on the phone, which the attacker does not have access to. Only the attacker will know the number, and the user will have to choose one of three options to grant access; because the user must pick the correct number rather than simply tap “Approve”, the chances of authorizing said access are reduced.
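Beyond the preventive controls above, administrators can also look for the push-spam pattern in their sign-in records. The following detector is an added example, not code from the original article: it flags a user/source pair that receives a burst of denied or timed-out push prompts within a short window and escalates the finding when an approval follows the burst. The record layout and field values are constructed assumptions, not Microsoft’s sign-in log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, user, source IP, push result).
# The field layout is an assumption for this example, not a real log schema.
# Results: "denied" (user tapped deny), "timeout" (prompt expired),
# "approved" (user tapped approve).
SAMPLE_LOG = [
    ("2022-09-01T08:00:05Z", "alice@example.com", "203.0.113.10", "denied"),
    ("2022-09-01T08:00:40Z", "alice@example.com", "203.0.113.10", "timeout"),
    ("2022-09-01T08:01:20Z", "alice@example.com", "203.0.113.10", "denied"),
    ("2022-09-01T08:02:10Z", "alice@example.com", "203.0.113.10", "timeout"),
    ("2022-09-01T08:03:00Z", "alice@example.com", "203.0.113.10", "denied"),
    ("2022-09-01T08:03:45Z", "alice@example.com", "203.0.113.10", "approved"),
    ("2022-09-01T08:30:00Z", "bob@example.com", "198.51.100.7", "timeout"),
    ("2022-09-01T09:15:00Z", "bob@example.com", "198.51.100.7", "approved"),
]


def parse(rec):
    ts, user, ip, result = rec
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def find_push_spam(records, window=timedelta(minutes=10), threshold=3):
    """Return {(user, ip): verdict} for each user/source that received at
    least `threshold` unapproved push prompts inside `window`.
    The verdict is "spam-then-approved" when an approval followed the
    burst (treat as a probable compromise), else "spam-attempted"."""
    by_source = defaultdict(list)
    for rec in records:
        ts, user, ip, result = parse(rec)
        by_source[(user, ip)].append((ts, result))
    findings = {}
    for key, events in by_source.items():
        events.sort()
        rejected = []  # timestamps of denied/timed-out prompts still in the window
        for ts, result in events:
            if result != "approved":
                rejected.append(ts)
                rejected = [t for t in rejected if ts - t <= window]
                if len(rejected) >= threshold:
                    findings.setdefault(key, "spam-attempted")
            elif key in findings and rejected and ts - rejected[-1] <= window:
                findings[key] = "spam-then-approved"
    return findings


if __name__ == "__main__":
    for (user, ip), verdict in find_push_spam(SAMPLE_LOG).items():
        print(f"{user} from {ip}: {verdict}")
```

Tune `window` and `threshold` to the prompt volume your tenant normally sees, and treat a “spam-then-approved” finding as a trigger to revoke the session and re-verify the user.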
Contact us today to learn more about your IT security challenges and threats. CSE will assist you in:
- Updating your security approach to reflect current market conditions.
- Protecting your identities, apps, clouds, and endpoints with comprehensive solutions.
- Eliminating blind spots with proactive threat hunting and extended detection and response.
- Identifying security flaws in your multi-cloud settings and taking steps to secure them.