Malicious hackers are targeting Office 365 users with a spare of ‘MFA fatigue attacks’, bombarding victims with 2FA push notifications to trick them into authenticating their login attempts.
This is according to researchers from GoSecure, who have warned that there is an increase in attacks that are exploiting human behavior to gain access to devices.
Multi-factor authentication (MFA) fatigue is the name given to a technique used by adversaries to flood a user’s authentication app with push notifications in the hope they will accept and therefore enable an attacker to gain entry to an account or device.
In a blog posted earlier this week, GoSecure described the attack as “simple”, given that “it only requires the attacker to manually, or even automatically, send repeated push notifications while trying to log into the victim’s account”.
It does require the attacker to have the victim’s credentials, which “could be obtained via brute forcing, password reuse, or spraying”.
“Once the attacker obtains valid credentials, they will perform the push notification spamming repeatedly until the user approves the login attempt and lets the attacker gain access to the account.
“This usually happens because the user is distracted or overwhelmed by the notifications and, in some cases, it can be misinterpreted as a bug or confused with other legitimate authentication requests.”
‘Make it disappear’
GoSecure noted that the attack is particularly effective – not because of the technology involved, but because it targets the human factor via social engineering.
“Many MFA users are not familiar with this type of attack and would not understand they are approving a fraudulent notification,” researchers wrote.
“Others just want to make it disappear and are simply not aware of what they are doing since they approve similar notifications all the time. They can’t see through the ‘notification overload’ to spot the threat.”
The technique has been spotted in recent years in the wild, including during a 2021 campaign when Russian operatives were seen targeting Office 365 users via push notifications.
Research from Mandiant detailed how threat actors were observed executing multiple authentication attempts in short succession against accounts secured with MFA.
“In these cases, the threat actor had a valid username and password combination,” a blog post reads.
“Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor.
“The threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”
MFA PoC
GoSecure has published a proof of concept that demonstrates how the attack works in real time:
The researchers also detailed how an Office 365 user can detect multiple push notification attempts and advised on how to mitigate against attacks of this nature.
For example, a user could configure the default limits of the MFA service to allow a maximum number of push notification attempts in a certain time frame.
They could also help prevent inadvertent access to their account by using the phone sign-in verification method.
GoSecure explains: “In this scenario, a unique two-digit number is generated and must be confirmed on both sides.
“This is very hard for an attacker to compromise since the attacker is shown a number that must be guessed in the phone (which the attacker doesn’t have access to).”
Finally, a “radical move, but a quick solution” could be to disable the push notifications entirely.
GoSecure warned: “As app-based authentication mechanisms are being adopted increasingly as a safer way to authenticate a user (versus SMS or phone call) it is expected that this tendency will grow in the future, even be encouraged by Microsoft itself.”