September 21, 2022

A social engineering technique called “MFA fatigue,” also known as “MFA push spam,” is gaining traction as attackers use the technique to bypass multi-factor authentication checks.

An MFA fatigue attack occurs when a threat actor runs a script that attempts to log in repeatedly with stolen credentials, resulting in an endless stream of MFA push requests sent to the account holder’s mobile device.

In many cases, the threat actor disseminates repeated MFA notifications and then contacts the target via email, messaging platforms, or by phone, pretending to be IT support to convince the user to accept the MFA request.

Finally, the target people are so overwhelmed that they accidentally click the “Approve” button or simply accept the MFA request to end the flood of notifications sent to their phone.

The MFA fatigue technique is used by Lapsus$ and Yanluowang threat actors when they violate large organizations.

The MFA fatigue technique is only possible because the company’s multi-factor authentication is configured to use push notifications.

This type of notification allows employees to see a prompt on their mobile device when someone tries to log in with their login credentials, so one way to counter MFA fatigue is to disable MFA push notifications or enable number matching to increase security.

Employees are advised not to approve MFA requests and to ensure that they do not speak to unknown individuals pretending to be from their organizations.

Employees are advised to contact their IT department and report account compromises. It is also important that they change the password for the account. As soon as the password is changed, the threat actor can no longer issue MFA spam.

The sources for this piece include an article in BleepingComputer.