Combating MFA Fatigue & MFA Bomb attacks
Multi-factor Authentication Fatigue (“MFA Fatigue”) is a relatively new attack method that hackers, such as the young kid who got into Uber’s systems in mid-September, are now employing. The attacker, already holding your password, spams you with MFA approval requests until you hit Approve, either by accident or out of frustration, thereby granting them access to your account.
It preys on the fact that people have become accustomed to many MFA approval prompts each day, and hopes to catch you being inattentive or simply making a mistake. One mistake is all it takes to let the bad guys in.
Our recommendation
For all clients who run Microsoft 365, we recommend you:
- Abandon push/notify-based and SMS-based multifactor methods immediately
- Adopt Microsoft’s number-entry (number matching) system, which requires you to type a code shown on the sign-in screen into the phone
- Turn on the map showing where the login is originating from, and the name of the application requesting it; this context helps people make better decisions before approving
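The three recommendations above map onto settings in the Microsoft 365 / Entra ID authentication methods policy. The script below is an added example, not part of the original post or any Microsoft documentation; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in admin holds the Policy.ReadWrite.AuthenticationMethod permission (plus reporting permissions for the optional pre-check). The all-zero group id is the conventional “no exclusions” placeholder, not a real group.

```powershell
# Added example: expressing the post's recommendation as authentication-method policy changes
# through Microsoft Graph. Assumes the Microsoft.Graph PowerShell SDK and an admin account with
# Policy.ReadWrite.AuthenticationMethod (and, for the pre-check, AuditLog.Read.All).
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "AuditLog.Read.All"

$base = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations"
$allUsers = @{ targetType = "group"; id = "all_users" }
$noExclusions = @{ targetType = "group"; id = "00000000-0000-0000-0000-000000000000" }  # placeholder: nobody excluded

# 1. Microsoft Authenticator: require number matching and show the requesting application
#    and sign-in location on every prompt, for all users. A plain "Approve" tap is no longer enough.
$authenticatorPolicy = @{
    "@odata.type"   = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    state           = "enabled"
    featureSettings = @{
        numberMatchingRequiredState             = @{ state = "enabled"; includeTarget = $allUsers; excludeTarget = $noExclusions }
        displayAppInformationRequiredState      = @{ state = "enabled"; includeTarget = $allUsers; excludeTarget = $noExclusions }
        displayLocationInformationRequiredState = @{ state = "enabled"; includeTarget = $allUsers; excludeTarget = $noExclusions }
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri "$base/microsoftAuthenticator" `
    -Body ($authenticatorPolicy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# 2. Pre-check before cutting SMS: list users whose only registered MFA method is a phone number,
#    so they can re-enrol in Authenticator first (the post notes re-enrolment is usually needed).
$report = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails"
$smsOnly = $report.value | Where-Object {
    $_.methodsRegistered -contains "mobilePhone" -and
    $_.methodsRegistered -notcontains "microsoftAuthenticatorPush"
}
if ($smsOnly) {
    Write-Warning "Users still relying on SMS only (re-enrol before disabling SMS):"
    $smsOnly | ForEach-Object { Write-Warning "  $($_.userPrincipalName)" }
}

# 3. SMS: disable the method tenant-wide, removing the SIM-swap exposure.
$smsPolicy = @{
    "@odata.type" = "#microsoft.graph.smsAuthenticationMethodConfiguration"
    state         = "disabled"
}
Invoke-MgGraphRequest -Method PATCH -Uri "$base/sms" `
    -Body ($smsPolicy | ConvertTo-Json) -ContentType "application/json"

# 4. Read the Authenticator policy back and confirm the three feature states are "enabled".
$current = Invoke-MgGraphRequest -Method GET -Uri "$base/microsoftAuthenticator"
$current.featureSettings | ConvertTo-Json -Depth 10
```

Run step 2 on its own first; only proceed to step 3 once the warning list is empty, otherwise SMS-only users are locked out rather than hardened.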
By removing the methods prone to MFA fatigue attacks (push approvals) and SIM-jacking (SMS codes), your Microsoft 365 accounts will be better protected.
It’s not too hard to implement: your team will need a quick bit of re-educating, and will likely need to re-enrol their MFA before we block the push and SMS methods.
We cover the MFA Fatigue and MFA Bombing attack methods in our Cyber Security Awareness and Training workshops, designed to help your team make better decisions about their cyber security.
Getting it set up
Submit a job request to us and ask for “M365 MFA fatigue hardening” if you’d like to get it implemented, or contact our friendly team for more info!