
How to Avoid the Latest Cyberthreat: MFA Notification Fatigue

By Bob Satyal, Security Officer, Med Tech Solutions

The breach of MGM Resorts and Caesars Entertainment properties in Las Vegas was a high-profile reminder that businesses, regardless of industry, are under attack by cyber criminals. Caesars Entertainment reported to regulators that on September 7, 2023 they were the victims of a cyberattack. The attack took systems down and leaked sensitive guest data, including driver’s licenses and Social Security numbers.

The attack was attributed to the threat actor group Scattered Spider, which is well known for using social engineering techniques. Once they have obtained the password, often by contacting a helpdesk and using social engineering, they use the technique known as “MFA Notification Fatigue” to gain unauthorized access to systems.

MFA Notification Fatigue Attacks, or MFA Spamming, involve a threat actor incessantly bombarding an account owner with MFA push notifications until the target slips up, or is simply worn down psychologically by the flood of notifications, and approves the login request. MFA Fatigue is key to the attacker’s ability to gain unauthorized access. In Caesars Entertainment’s case, the result was a devastating ransomware attack.

Research indicates MFA Notification Fatigue Attacks have remained steady since 2021.

In 2023, Microsoft reported over 6,000 daily MFA attacks on customer identities. In 2024, threat actors targeted Apple users with MFA fatigue, bombarding them with notifications and scam calls posing as Apple support, which allowed the scammers to bypass MFA.

Regardless of industry, organizations can protect themselves from MFA Notification Fatigue in a few ways. One example is the set of built-in Microsoft M365 features that reduce the risk of MFA Notification Fatigue.

Enable Microsoft M365 Number Matching

Without number matching, users can fall victim to MFA Notification Fatigue. Here is how this type of push notification flow works:

Multifactor Authentication prompts without number matching:

  • The user enters their username and password to authenticate.
  • The identity platform sends a signal to the app on the user’s phone, which generates a notification.
  • The user opens and accepts the prompt to approve the request.

Contrast this to number matching:

When number matching is in place, users cannot accept the MFA prompt without entering the number from the logon screen. Since the user cannot accept the prompt without knowing the number, this makes spamming by push notification ineffective and lowers the risk of falling victim to MFA Notification Fatigue.
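To make the difference concrete, here is an added simulation (not code from the original article or from Microsoft) of a toy push-MFA service with and without number matching. The class and function names are my own; the key modelling assumption is that the two-digit number is rendered only on the sign-in screen and is never sent to the phone, so a worn-down user who taps Approve has nothing to type when number matching is on.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class PushPrompt:
    prompt_id: int
    number: Optional[int]  # shown only on the sign-in screen; None when number matching is off


class PushMfaService:
    """Toy identity platform (added example) that sends a push prompt after a correct password."""

    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self._pending: dict[int, PushPrompt] = {}
        self._next_id = 0

    def start_sign_in(self) -> PushPrompt:
        # The password step has already succeeded (the attacker holds the password).
        # With number matching, a number is generated and displayed on the sign-in screen.
        self._next_id += 1
        number = secrets.randbelow(100) if self.number_matching else None
        prompt = PushPrompt(self._next_id, number)
        self._pending[prompt.prompt_id] = prompt
        return prompt

    def phone_notification(self, prompt: PushPrompt) -> dict:
        # What the authenticator app on the phone receives: never the number itself.
        return {"prompt_id": prompt.prompt_id, "needs_number": self.number_matching}

    def deny(self, prompt_id: int) -> None:
        self._pending.pop(prompt_id, None)

    def approve(self, prompt_id: int, entered_number: Optional[int] = None) -> bool:
        prompt = self._pending.pop(prompt_id, None)
        if prompt is None:
            return False  # expired, denied or already consumed
        if not self.number_matching:
            return True  # a plain tap on "Approve" is enough
        return entered_number == prompt.number  # must type the number from the screen


def simulate_push_bombing(number_matching: bool, attempts: int = 20, gives_up_after: int = 7) -> bool:
    """Return True if the attacker gains access.

    The user denies the first prompts, then, worn down, taps Approve on the next one.
    The user never sees the attacker's sign-in screen, so with number matching there is
    no number to enter (a blind guess has 1-in-100 odds per prompt and is not modelled).
    """
    svc = PushMfaService(number_matching)
    for i in range(1, attempts + 1):
        prompt = svc.start_sign_in()
        notif = svc.phone_notification(prompt)
        if i < gives_up_after:
            svc.deny(prompt.prompt_id)  # user taps Deny
            continue
        # Worn-down user taps Approve. Without number matching that is a full approval;
        # with it, the app asks for a number the user does not have.
        entered = None if notif["needs_number"] else None
        if svc.approve(prompt.prompt_id, entered):
            return True
    return False


if __name__ == "__main__":
    print("attacker in without number matching:", simulate_push_bombing(False))
    print("attacker in with number matching:   ", simulate_push_bombing(True))
```

Running it shows the attacker succeeding as soon as the user gives up without number matching, and failing on every prompt with it. The same design also explains the training advice later in the article: the only way the number reaches the attacker is if the user reads it to them.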

Implement Conditional Access

Rules can be set up to block access when certain conditions apply, such as sign-ins from specified countries or locations. Risky sign-ins can also be evaluated and detected. Microsoft Entra ID P2 licensing offers the most protection in this area.

Train Employees

Employee awareness is the first line of defense. MFA Notification Fatigue can be included as part of regular cybersecurity training. Employees must be trained to recognize MFA Notification Fatigue attempts. They should never accept a push notification that they didn’t initiate. An unexpected request can be the first indication that a hacker has breached a password. Users must contact their security teams immediately so these events can be investigated.

Users should also be trained to recognize social engineering…and never share the code!

Optimize MFA Configuration

MFA can be optimized to utilize additional context. This helps users distinguish a legitimate MFA request from one they didn’t initiate. In the case of M365, Microsoft Authenticator can be configured to display the location from which a sign-in request was made.

Requiring MFA for all users is also a step to protect against MFA Notification Fatigue attacks.

HOW TO MITIGATE MFA NOTIFICATION FATIGUE AND PROTECT AGAINST INCESSANT ATTACKS

  • Enable Additional Context
  • Adopt Risk-based Authentication
  • Implement FIDO2 Authentication
  • Disable Push Notifications as a verification method
  • Prevent good users from accidentally approving sign-ins
  • Help users make good decisions by providing them with more context
  • Enforce a policy to escalate multiple unsolicited MFA challenges
  • If your healthcare organization is still migrating to the Microsoft Authenticator app, automatically change the passwords of all at-risk users
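The “escalate multiple unsolicited MFA challenges” item above is easy to turn into a detection rule. The following is an added example, not part of the original article and not a Microsoft or Entra feature: it runs over a constructed pipe-delimited sign-in log (timestamp, user, event, source IP) and raises a high-severity alert when a user accumulates several denied or timed-out pushes inside a short window, and a critical alert when an approval follows such a burst, which is the signature of a worn-down user. The event names, window and thresholds are assumptions to be mapped onto your own log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)     # assumption: burst window
BURST_THRESHOLD = 5                # assumption: unsolicited pushes before escalation
APPROVAL_AFTER = 3                 # assumption: denials before an approval is suspicious
UNSOLICITED = {"mfa_denied", "mfa_timeout"}  # constructed event names

# Constructed sample log, in time order: alice is bombed and finally approves,
# bob denies once by mistake and then approves, carol denies rarely.
SAMPLE_LOG = """\
2024-05-01T08:00:12Z|alice|mfa_denied|203.0.113.5
2024-05-01T08:00:45Z|alice|mfa_denied|203.0.113.5
2024-05-01T08:01:20Z|alice|mfa_timeout|203.0.113.5
2024-05-01T08:02:03Z|bob|mfa_denied|198.51.100.7
2024-05-01T08:02:30Z|alice|mfa_denied|203.0.113.5
2024-05-01T08:03:11Z|alice|mfa_denied|203.0.113.5
2024-05-01T08:03:40Z|bob|mfa_approved|198.51.100.7
2024-05-01T08:04:05Z|alice|mfa_denied|203.0.113.5
2024-05-01T08:05:30Z|alice|mfa_approved|203.0.113.5
2024-05-01T09:00:00Z|carol|mfa_denied|192.0.2.9
2024-05-01T09:30:00Z|carol|mfa_denied|192.0.2.9
2024-05-01T10:00:00Z|carol|mfa_denied|192.0.2.9
""".splitlines()


def parse_line(line: str):
    """Split one constructed log line into (timestamp, user, event, ip)."""
    ts, user, event, ip = line.strip().split("|")
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, ip


def detect_mfa_fatigue(lines, window=WINDOW, burst=BURST_THRESHOLD, approval_after=APPROVAL_AFTER):
    """Return a list of alert dicts; lines are assumed to be in chronological order."""
    recent = defaultdict(deque)  # user -> timestamps of unsolicited pushes within the window
    alerted_burst = set()        # one burst alert per user per burst
    alerts = []
    for line in lines:
        ts, user, event, ip = parse_line(line)
        q = recent[user]
        while q and ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if event in UNSOLICITED:
            q.append(ts)
            if len(q) >= burst and user not in alerted_burst:
                alerts.append({
                    "user": user, "ip": ip, "severity": "high",
                    "reason": f"{len(q)} denied/timed-out MFA pushes within {window}; "
                              "contact user, consider password reset",
                })
                alerted_burst.add(user)
        elif event == "mfa_approved":
            if len(q) >= approval_after:
                alerts.append({
                    "user": user, "ip": ip, "severity": "critical",
                    "reason": f"approval after {len(q)} unsolicited pushes; "
                              "revoke sessions and reset password",
                })
            q.clear()                    # a decision closes the burst
            alerted_burst.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["user"], alert["ip"], "-", alert["reason"])
```

On the sample data the rule fires twice, both for alice: a high alert at her fifth unsolicited push and a critical one when she approves after six. bob’s single denial followed by an approval and carol’s three denials spread across two hours stay below the thresholds, which is the behaviour you want so that the escalation policy does not page on ordinary mistakes.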

A powerful defense against these attacks is FIDO2. FIDO2 is an open industry standard that enables secure passwordless or multi-factor authentication using cryptography.

A hardware security key (available from various manufacturers) is a physical device that implements the FIDO2 standard. A popular brand is YubiKey.

FIDO2 prevents MFA bombing attacks by removing push notifications altogether and requiring the user to physically interact with the hardware device to authenticate.

MFA Notification Fatigue attacks can be a serious threat. However, with the right training, awareness, and MFA configurations, users can be protected. If you are a current Med Tech Solutions client, contact your Account Manager for assistance. We encourage others to reach out to Med Tech Solutions to learn how we can help.
