Coalition Incident Response, Inc. (CIR), a technical forensic and remediation firm and Coalition's affiliate, has observed an increase in multi-factor authentication (MFA) spamming attacks, also known as MFA fatigue or MFA bombing, leading to cyber insurance claims. MFA is a critical security control for many organizations, but it is susceptible to compromise via fatigue attacks, where threat actors overwhelm employees with nonstop authentication requests. As a result, users may accidentally accept a request or merely accept out of frustration from the high volume of alerts.

MFA spamming most often leads to business email compromise (BEC) cases. These BEC events can lead to the compromise or loss of various types of data and information, including intellectual property, critical business data, and personally identifiable information (PII). It can also lead to Funds Transfer Fraud (FTF) events where threat actors redirect and steal funds. 

Multi-factor Authentication

Employees use a username and password (or credentials) in a traditional single-factor authentication solution to access business resources such as email, banking, or other applications. However, usernames and passwords can be insecure, especially if reused or compromised via social engineering attacks like phishing. To increase security, MFA uses additional factors to verify access requests. These additional authentication factors are often categorized as follows: 

1. Something you have

2. Something you know

3. Something you are

With MFA, users often provide a digital token or code provided by a secondary device the user physically possesses, like a cell phone, to gain access to their account. In the event of credential compromise, this prevents threat actors from gaining access to business networks or systems. MFA push notifications can reduce friction on end users by allowing them to confirm their access requests via phone, SMS, or an authentication app. However, threat actors can also misuse them to fatigue victims into accepting an MFA prompt.

Case study — phishing leads to access via MFA spamming

One Coalition policyholder saw firsthand how a phishing attack could create an attractive opportunity for threat actors to launch follow-on MFA spamming attacks. In April 2023, an employee mistakenly input their Office 365 credentials into a phishing website. After gaining access to their username and password, the threat actor sent persistent MFA spamming attacks. In this case, the employee experienced automatic calls from Microsoft, which prompted them to press pound and confirm their access request. Eventually, the employee accepted the request, and the threat actor gained full access to their Office 365 account.

Once inside the employee’s mailbox, the threat actor redirected payments, causing an FTF event. The policyholder reached out to Coalition, and selected CIR via our panel providers list. CIR and our claims teams worked to remove the threat actor from the network and attempt to recover the lost funds.

MFA evolves to combat fatigue attacks

Once inside an email tenant, threat actors often change authentication methods, updating the phone number associated with any MFA solution to one they control. From here, they can ensure they retain access without having to overwhelm the user via another fatigue attempt. 

After the threat actor has solved persistent access to the account, they generally check the access level of the user they compromised, login to the mailbox, and start searching for specific keywords related to high-priority targets like payment, wire, credit card, direct deposit, 401(k), and LinkedIn. Then, they set up inbox rules to redirect emails related to these terms. From there, they can redirect payments as they see fit, perpetuating a follow-on FTF event. 

MFA spamming attacks have been steadily growing since September 2022. Uber notably suffered a high-profile breach during this time due to MFA fatigue. In response to this trend, Microsoft released number matching with MFA on May 10, 2023.

With Microsoft’s number matching, users responding to MFA push notifications will have to confirm their request and input a number that will appear on the device they’re logging in from. Essentially, users must be physically present at the device to complete the login process. Additionally, Microsoft has released additional context, which will provide context details surrounding the login request, including the Geolocation, IP address, and application.

What policyholders need to know

Thus far, CIR has primarily observed MFA spamming attacks targeting Office 365 users. Organizations should consider utilizing Microsoft's authentication app with number matching and 'additional context' to mitigate the risk. DUO and Okta also provide reasonable authentication solutions. 

Additional mitigations include reviewing authentication logs regularly. Microsoft Azure audit logs will contain information on risky sign-ins that can indicate a threat actor has successfully breached a network. Organizations with the resources should ideally download logs weekly, as they can roll over as soon as seven days, and review them regularly for suspicious activity. Managed detection and response (MDR) solutions can also be helpful with this.

MFA authentication via SMS is widely regarded as insecure due to the risk of SIM-swapping activities. However, SMS authentication is one of the only available simple MFA solutions that can successfully stop most instances of MFA fatigue. Users should be advised to check with their mobile carrier to see if they can lock their SIM to reduce the risk of SIM-swapping attacks. 

Stay in Control

Control 2.0 is our cyber risk management platform powered by Coalition's Active Risk approach that helps to detect, assess, and mitigate risks before they strike.

Included in Control 2.0 is our Marketplace, which offers discounts on security solutions for MFA and security awareness training, which can help turn employees into your first line of defense against threat actors.

Get in Control today.

Insurance products referenced herein are offered by Coalition Insurance Solutions, Inc. ("CIS"), a licensed insurance producer with its principal place of business in San Francisco, CA (Cal. license #0L76155), acting on behalf of a number of unaffiliated insurance companies. A list of our admitted carriers is available here. Complete license information for CIS is available here. Insurance products offered through CIS may not be available in all states. All insurance products are governed by the terms and conditions set forth in the applicable insurance policy. Please see a copy of your policy for the full terms and conditions. Any information on this communication does not in any way alter, supplement, or amend the terms and conditions of the applicable insurance policy and is intended only as a brief summary of such insurance products. Policy obligations are the sole responsibility of the issuing insurance carrier. The descriptions provided herein are solely for informational purposes and are not to be construed as advice of any kind or the rendering of consulting, financial, legal, or other professional services from Coalition. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information.