Cybersecurity Awareness Month Tip - MFA Fatigue Attacks
Threat Alert: What to Watch For in MFA Fatigue Attacks
- Numerous high-profile organizations have recently fallen victim to what are known as “multi-factor authentication (MFA) fatigue attacks” or “MFA prompt bombing.”
- In these attacks, a threat actor uses a set of compromised credentials to repeatedly attempt to log into an account that is protected by push-based MFA.
- Each login attempt generates a Duo push request that is delivered to the account owner's mobile phone. The account owner must then either approve or deny the request.
- The attackers hope that the recipient will tire of (or become “fatigued” by) the repeated requests and eventually approve the login, giving the attacker access to the account.
- In some cases, an attacker might even impersonate IT support staff and contact an account owner directly (by phone, email, or a messaging app) to encourage them to accept a request.
- Depending on the account they gain access to, the attacker could leverage that initial access to further compromise an individual or an organization.
Key Actions: How to Handle Suspicious Authentication Requests
- If you receive any authentication request for a login that you did not initiate, do not approve it.
- For work-related accounts and systems, report suspicious approval requests to your security team as soon as possible. Be sure to note if you have received multiple login requests over a short period of time, as this is an indication of an MFA fatigue attack.
- Change your account password if you receive an unusual MFA request. Most authentication requests occur after login credentials (NetID and password) are entered. So, if you receive one or more unexpected MFA approval requests for an account, it’s a sign that your login credentials were previously compromised and obtained by an attacker.
- If you believe you accidentally approved a suspicious MFA request, alert your security team ASAP at email@example.com.
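The indicator in the list above (several unexpected push requests to one person in a short window) is also what a security team can look for on its side. The following is an added example, not part of this notice and not Duo's own tooling or log format: it scans constructed, simplified push-authentication log lines, flags any user who received three or more denied or timed-out pushes within ten minutes, and notes whether an approval followed inside that window (the case a responder should treat as a likely compromised account).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up format (not Duo's real log format):
# timestamp, user, push result, MFA method. "alice" is being prompt-bombed and
# finally approves; "bob" has ordinary activity.
SAMPLE_LOG = """\
2024-10-03T08:01:02Z user=alice result=denied method=push
2024-10-03T08:01:40Z user=alice result=timeout method=push
2024-10-03T08:02:15Z user=alice result=denied method=push
2024-10-03T08:02:50Z user=alice result=timeout method=push
2024-10-03T08:03:30Z user=alice result=approved method=push
2024-10-03T09:15:00Z user=bob result=approved method=push
2024-10-03T14:00:00Z user=bob result=denied method=push
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) method=(?P<method>\S+)$"
)

def parse_log(text):
    """Parse the constructed format into (timestamp, user, result, method) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["method"]))
    return events

def find_fatigue_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: finding} for users with `threshold` or more unapproved
    (denied/timeout) push requests inside `window`; `approved_after_burst`
    records whether an approval landed within the same window."""
    by_user = defaultdict(list)
    for ts, user, result, method in events:
        if method == "push":
            by_user[user].append((ts, result))
    findings = {}
    for user, pushes in by_user.items():
        pushes.sort()
        unapproved = [ts for ts, r in pushes if r != "approved"]
        for i, start in enumerate(unapproved):
            in_window = [t for t in unapproved[i:] if t - start <= window]
            if len(in_window) >= threshold:
                approved_after = any(
                    r == "approved" and start <= t <= start + window for t, r in pushes
                )
                findings[user] = {"burst_start": start,
                                  "unapproved_pushes": len(in_window),
                                  "approved_after_burst": approved_after}
                break  # one finding per user is enough to raise an alert
    return findings

if __name__ == "__main__":
    for user, finding in find_fatigue_bursts(parse_log(SAMPLE_LOG)).items():
        print(user, finding)
```

In a real deployment the parser would be replaced by the identity provider's own log export, and a flagged user with `approved_after_burst` set should trigger the password change and report steps listed above.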
MFA remains a valuable account protection tool, and we recommend you always opt into MFA on personal accounts when available. Our organization currently uses Duo for internal accounts and systems. If your personal accounts offer Duo or a similar MFA tool, we suggest using it there as well.
But keep in mind that MFA is not a failsafe. Attackers continue to seek opportunities to bypass and compromise MFA protections. If you’re concerned one of your work accounts has been compromised, please contact us as soon as possible. We’re here to help.
For more information, contact ITSecurity / 4054 / ITSecurity@fairfield.edu