MFA Fatigue – Attackers Count On You to Tire Out and Give In.

Multifactor Authentication (MFA) is an excellent way to protect your accounts. It is a second form of protection beyond your account password, requiring you to verify your identity before you are logged in to your account. You can learn more about ‘What is MFA?’ in a previous PC Corp blog.

While the various MFA methods do provide extra protection, attackers continuously look for new ways to defeat security-enhancing practices. With MFA Fatigue, attackers who already have your account username and password attempt to bypass your added MFA account protection by sending repeated account approval push notifications to your phone. These notifications overwhelm your phone in the hope that you approve one of them because you:

  1. are distracted and see it as a legitimate account notification,
  2. have had enough of the notifications and want to silence them,
  3. misinterpret them as an account bug, or
  4. get confused with another legitimate account authentication request.

This technique for bypassing MFA protections was recently seen targeting Microsoft Office 365 users.

There is an excellent video of an MFA Fatigue attack demonstration in the GoSecure article here: https://www.gosecure.net/blog/2022/02/14/current-mfa-fatigue-attack-campaign-targeting-microsoft-office-365-users/

The article linked above notes ways to mitigate attacks of this nature, such as:

  • changing the default limits of your account MFA service to set a maximum number of push notifications
  • switching to a phone sign-in verification method
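On the monitoring side, the repeated-prompt pattern described above can also be looked for in sign-in logs. The following is an added example, not code from this blog or from the GoSecure article: it flags any account that receives more than a set number of push prompts inside a short window and notes whether an approval arrived during that burst. The log format, the function names and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <user> <push result>".
# The format is hypothetical, not that of any real MFA product.
SAMPLE_LOG = """\
2022-03-01T09:00:05 alice approved
2022-03-01T09:10:00 bob denied
2022-03-01T09:10:20 bob denied
2022-03-01T09:10:45 bob timeout
2022-03-01T09:11:10 bob denied
2022-03-01T09:11:30 bob approved
2022-03-01T13:00:00 carol denied
2022-03-01T13:30:00 carol approved
"""

def parse(log):
    """Yield (timestamp, user, result) for each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, user, result = line.split()
            yield datetime.fromisoformat(ts), user, result

def find_push_bursts(log, max_prompts=3, window=timedelta(minutes=5)):
    """Return [(user, peak_prompts_in_window, approved_during_burst), ...].

    A user is reported once more than max_prompts prompts fall inside the
    sliding window. approved_during_burst is True when an approval arrives
    while the account is over that threshold, the outcome the attacker wants.
    """
    recent = defaultdict(deque)  # user -> prompt timestamps still inside the window
    alerts = {}
    for ts, user, result in sorted(parse(log)):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) > max_prompts:
            peak, approved = alerts.get(user, (0, False))
            alerts[user] = (max(peak, len(q)), approved or result == "approved")
    return [(u, peak, ok) for u, (peak, ok) in sorted(alerts.items())]

if __name__ == "__main__":
    for user, peak, approved in find_push_bursts(SAMPLE_LOG):
        print(f"{user}: {peak} prompts in window, approved during burst: {approved}")
```

An alert where the burst ends in an approval is the one to act on first, for example by revoking the session and resetting the password, since the attacker already holds valid credentials.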

Ultimately, you are the last line of defense against attacks on your accounts. It is your awareness of security threats and adherence to safe cyber practices that will help to protect your accounts and data.
