Multi-factor authentication (MFA) is a great way to add an extra layer of security to network access. But it’s not foolproof – as Cisco, Microsoft, and Uber all learned recently when cybercriminals breached their networks using a technique known as MFA spamming.
Also known as MFA bombing and MFA fatigue, this ploy is used by an attacker who has acquired a compromised password but can’t use it to break into the network because the account is protected with an MFA requirement. To get the account owner to authenticate a login attempt, the attacker makes repeated attempts to log in to the account, often at odd hours or over several days.
By generating a flood of MFA verification calls, emails, or other prompts, the attacker is trying to make the targeted user confused or frustrated enough to approve the login. Then the attacker can create a way to keep accessing the account without having to prompt the user again, which props open a door to the rest of the network.
We recommend taking these steps to protect your company against MFA spamming attacks:
- Educate users on this specific attack technique and train them to deny any unexpected or suspicious MFA prompts
- Consider deploying conditional access policies that require trusted and healthy devices or locations in addition to multi-factor authentication
- Deploy critical MFA enhancements, including number matching and authentication context
- Use modern authentication protocols everywhere possible (including VPN and RDS) that can leverage advanced protections such as sign-in risk and device compliance
- Don’t use weak authentication factors like text messages, simple voice approvals, or secondary email addresses
- Don’t use location-based exclusions. An attacker who compromises a single identity can use location exclusions to compromise a set of other identities with only a single factor
Xantrion can provide additional layers of protection via our Managed Security program, which is designed to alert our engineers to suspicious account activity. Among other things, we look for these indications of attempted MFA spamming:
- Indications that a login token is outdated or being used from an unfamiliar location
- Sign-in properties that aren’t associated with the account’s legitimate user, such as using multiple proxies or VPNs originating in other countries or regions
- Unfamiliar sign-in properties for session cookies, such as token claims, token age, and other authentication attributes
- Sign-in attempts from anonymous IP addresses like those used by an anonymous VPN or the Tor browser
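The prompt flood described above also leaves a recognizable trail in MFA logs: a burst of denied or unanswered prompts for one account, sometimes ending in an approval. The following is an added example, not Xantrion's tooling; the record layout, the 10-minute window, the threshold of five prompts, and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

UNAPPROVED = {"denied", "timeout"}  # prompt results the user did not approve

# Constructed sample records: (timestamp, user, MFA prompt result).
SAMPLE_EVENTS = [
    ("2024-01-10T02:14:05", "alice", "denied"),
    ("2024-01-10T02:15:10", "alice", "timeout"),
    ("2024-01-10T02:16:00", "alice", "denied"),
    ("2024-01-10T02:17:20", "alice", "timeout"),
    ("2024-01-10T02:18:30", "alice", "denied"),
    ("2024-01-10T02:19:02", "alice", "approved"),  # user gives in after the flood
    ("2024-01-10T09:01:00", "bob", "denied"),      # ordinary fumble, then success
    ("2024-01-10T09:01:40", "bob", "approved"),
    ("2024-01-10T08:00:00", "carol", "denied"),    # same count, spread over a day
    ("2024-01-10T09:30:00", "carol", "denied"),
    ("2024-01-10T11:00:00", "carol", "timeout"),
    ("2024-01-10T13:00:00", "carol", "denied"),
    ("2024-01-10T15:00:00", "carol", "denied"),
]

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return (user, timestamp, kind) alerts for prompt floods and for
    approvals that arrive while a flood is still inside the window."""
    recent = defaultdict(deque)  # user -> times of recent unapproved prompts
    flooding = set()             # users currently at or above the threshold
    alerts = []
    for ts_str, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if len(q) < threshold:
            flooding.discard(user)        # the earlier burst has aged out
        if result in UNAPPROVED:
            q.append(ts)
            if len(q) >= threshold and user not in flooding:
                flooding.add(user)
                alerts.append((user, ts_str, "prompt_flood"))
        elif result == "approved":
            if user in flooding:          # highest priority: likely takeover
                alerts.append((user, ts_str, "approved_after_flood"))
            q.clear()
            flooding.discard(user)
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_flood` alert is the one to act on first, since it marks the point where the attacker may have gained a session.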
Contact us today to learn more about MFA spamming and how to defend against it.