
Protect Your Microsoft 365 Account From MFA Fatigue Attacks


Multi-factor authentication (MFA) is an effective way to protect your Microsoft 365 accounts from attackers trying to access them. It adds a second layer on top of your password: an extra step in the sign-in process that verifies the user's identity through something they have, such as a phone.

Although this two-step method exists to protect us, attackers have started looking for ways around it, and MFA does not always stop an intrusion. MFA fatigue attacks in particular are being used against Microsoft 365 users.

But what is MFA fatigue, and how can you avoid being its next victim?


What Is MFA fatigue?

The term MFA fatigue refers to an overload of push notifications from applications configured with MFA. Over a day, a user can receive several prompts from different platforms asking them to confirm a sign-in or approve an action on one of their accounts, and approving them becomes a reflex.

In short, an attacker who already has your password, and finds that the account is protected by MFA, repeatedly triggers sign-ins so that your phone receives a burst of authentication prompts, in the hope that you get tired of them and blindly approve one. IT professionals have observed a significant increase in attacks using this technique, and well-resourced threat actors are actively using it to break into Microsoft 365 accounts and compromise entire organizations.

What Happens If Hackers Gain Access To My Microsoft 365 Account?

Attackers using this technique rely almost entirely on the human factor. By sending someone several MFA prompts in quick succession, they hope the user will approve one and thereby grant them access to the account. This usually happens because the user is distracted or overwhelmed by the notifications; in some cases the flood is mistaken for a bug, or confused with legitimate authentication requests.

This attack is particularly effective not because of the technology involved, but because it targets the human factor of MFA.

Many MFA users are unfamiliar with this type of attack and do not realise they are approving a fraudulent prompt. Others just want the notifications to stop and approve without thinking, since they approve similar prompts all the time. In that state they cannot see through the notification overload and identify the threat.


How To Detect Multiple Push Notification Attempts In Microsoft 365

This type of attack can be detected from the Azure portal (now the Microsoft Entra admin center) by inspecting the sign-in logs. We strongly recommend that IT professionals take the following steps:

  • Sign in to the Azure Active Directory admin centre
  • Click the Azure Active Directory heading
  • In the Monitoring group, click Sign-in logs
  • The sign-in logs record every user sign-in, the resource it targeted and the outcome
  • Filter the Status column to Failure to list the sign-ins whose MFA push notification was denied or left unanswered
  • Investigate each entry individually by opening its Authentication details tab
  • Events caused by push spam show Mobile app notification in the Authentication method column
  • and false in the Succeeded column, with a Result detail stating that the MFA request was denied or not answered

A few failed pushes per user per day are normal. The pattern to look for is many denied or unanswered pushes for the same user within a few minutes, and a push that succeeded immediately after such a burst should be treated as a likely compromise until proven otherwise.
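The same check can be run over an export of the sign-in logs instead of clicking through each entry. The script below is an added example, not part of the original article or of any Microsoft tooling: it takes sign-in records in the shape of the Microsoft Graph signIn resource (userPrincipalName, createdDateTime, status.errorCode, authenticationDetails[]), counts denied Mobile app notification steps per user in a sliding time window, and reports users whose burst exceeds a threshold, together with whether a push succeeded right after the burst. The sample records, the 10-minute window, the threshold of 5 and the result-detail strings are constructed for the example.

```python
"""Flag possible MFA fatigue (push bombing) in an Entra / Azure AD sign-in log export.

Added example; record layout follows the Microsoft Graph signIn resource, which is
also what the portal's JSON download produces. All sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PUSH_METHOD = "Mobile app notification"   # value shown in the Authentication method column
MFA_ERROR_CODE = 500121                   # "Authentication failed during strong authentication request"


def _record(upn, ts, succeeded, detail):
    """Build one constructed sign-in record: password OK, then an Authenticator push."""
    return {
        "userPrincipalName": upn,
        "createdDateTime": ts,
        "status": {"errorCode": 0 if succeeded else MFA_ERROR_CODE},
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": PUSH_METHOD, "succeeded": succeeded,
             "authenticationStepResultDetail": detail},
        ],
    }


DENIED = "MFA denied; user declined the authentication"
TIMEOUT = "MFA denied; user did not respond to mobile app notification"
OK = "MFA completed in Azure AD"

# Constructed sample export: alice is push-bombed and finally approves,
# bob has one ordinary failure, carol has failures spread over hours.
SAMPLE_SIGNINS = (
    [_record("alice@contoso.example", t, False, d) for t, d in [
        ("2023-09-14T08:00:05Z", TIMEOUT), ("2023-09-14T08:00:40Z", DENIED),
        ("2023-09-14T08:01:20Z", TIMEOUT), ("2023-09-14T08:02:00Z", DENIED),
        ("2023-09-14T08:02:45Z", TIMEOUT), ("2023-09-14T08:03:30Z", DENIED)]]
    + [_record("alice@contoso.example", "2023-09-14T08:04:10Z", True, OK)]
    + [_record("bob@contoso.example", "2023-09-14T09:15:00Z", False, TIMEOUT)]
    + [_record("carol@contoso.example", f"2023-09-14T{h}:00:00Z", False, TIMEOUT)
       for h in ("10", "11", "12", "13", "14")]
)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def push_events(signins):
    """Yield (user, time, succeeded) for every sign-in that reached an Authenticator push."""
    for s in signins:
        for step in s.get("authenticationDetails", []):
            if step.get("authenticationMethod") == PUSH_METHOD:
                yield s["userPrincipalName"], _ts(s["createdDateTime"]), bool(step.get("succeeded"))


def find_push_bombing(signins, window=timedelta(minutes=10), threshold=5):
    """Return {user: details} for users with >= threshold denied pushes inside one window."""
    by_user = defaultdict(list)
    for upn, t, ok in push_events(signins):
        by_user[upn].append((t, ok))

    hits = {}
    for upn, events in by_user.items():
        events.sort()
        denied = [t for t, ok in events if not ok]
        best, start, burst = 0, 0, None
        for end in range(len(denied)):            # sliding window over denied pushes
            while denied[end] - denied[start] > window:
                start += 1
            if end - start + 1 > best:
                best, burst = end - start + 1, (denied[start], denied[end])
        if burst is not None and best >= threshold:
            # A successful push shortly after the burst is the sign the victim gave in.
            approved = any(ok and burst[0] <= t <= burst[1] + window for t, ok in events)
            hits[upn] = {
                "denied_pushes": best,
                "burst_start": burst[0].isoformat(),
                "burst_end": burst[1].isoformat(),
                "approved_after_burst": approved,
            }
    return hits


if __name__ == "__main__":
    for upn, info in find_push_bombing(SAMPLE_SIGNINS).items():
        print(upn, info)
```

Tune the window and threshold to your tenant: the point is that carol's five failures across four hours are not suspicious, while alice's six in under four minutes are, and the success at 08:04:10 is the sign-in to revoke and investigate.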

How To Mitigate This Type Of Attack

There are several ways to mitigate this type of attack. We highlight some of them here so that Microsoft 365 administrators can choose what suits their needs.


Configuring Service Limits

One way to protect your Microsoft 365 accounts against this type of attack is to review the default MFA service limits, which cap how many authentication requests the service will send a user in a given period. The default and maximum values are listed in the Azure Resource Manager documentation.


Phone Sign-In With Number Matching

A user can prevent inadvertent approval of someone else's sign-in by using Microsoft Authenticator's phone sign-in method with number matching.

In this scenario, a two-digit number is generated for each sign-in attempt and is displayed on the sign-in screen, i.e. on the device of whoever started the sign-in. To approve, the user must enter that number in the Authenticator app (or, with passwordless phone sign-in, pick it from three choices). This is very hard for an attacker to abuse: the number appears on the attacker's screen, not on the victim's phone, so the victim cannot know which number to enter and can no longer approve a prompt by reflex. A blind tap on "Approve" is simply not possible any more, and the chance of an accidental approval drops sharply.

Note that Microsoft now enforces number matching for all Authenticator push notifications, and the related settings (number matching, showing the application name and the sign-in location in the prompt) are managed under the Microsoft Authenticator entry of the Authentication methods policy. Showing the application and location gives the user one more reason to decline a prompt for a sign-in they did not start.

In short

If you need support in securing your Microsoft 365 environment, do not hesitate to contact our cybersecurity specialists.
