
What is MFA Bombing and How You Can Fight It

Updated 11/06/2024

Cybersecurity

In the evolving cybersecurity landscape, multi-factor authentication (MFA) has become a key defense, requiring users to verify their identity with more than just a password. Cybercriminals, however, are constantly adapting, and a tactic known as MFA Bombing (or MFA Fatigue) has emerged to exploit the very systems intended to protect us.

Here, we delve into MFA Bombing, how it works, and detailed, actionable steps that employees and businesses can take to defend against it.

What is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is a security practice requiring users to provide two or more forms of verification to access an account. MFA offers a critical layer of security, safeguarding against unauthorized access even if an attacker has stolen a user’s password. MFA methods range from one-time passcodes and authenticator apps to more advanced biometric scans and security keys.

MFA is a cornerstone of cybersecurity, especially for high-sensitivity environments, but as attackers develop new techniques, users and businesses must stay vigilant and informed on emerging threats—like MFA Bombing.

What is MFA Bombing?

MFA Bombing (also known as MFA Fatigue, Prompt Bombing, or Push Spamming) is a social engineering attack where cybercriminals repeatedly send MFA prompts to a user’s device, aiming to wear down the user until they approve one of the requests. This tactic exploits human error and fatigue, taking advantage of users who may approve the request just to stop the incessant notifications.

Attackers often initiate these MFA prompts after acquiring a user’s credentials through phishing or dark web marketplaces. The MFA prompts are then generated as they attempt to log in, hoping to trick the user into approving the access.

Why is MFA Bombing So Effective?

MFA Bombing is highly effective because it exploits a psychological vulnerability: fatigue. When users are bombarded with repeated prompts, they may approve one simply to stop the notifications, often mistaking it for a system glitch or assuming it’s harmless.

Real-World Example: The Lapsus$ hacking group notoriously used MFA Bombing to breach major corporations, including Uber and Microsoft. By flooding employees with requests, they pressured victims into approving unauthorized access.

How Does MFA Bombing Work?

For MFA Bombing to succeed, an attacker typically follows these steps:

  1. Acquire Login Credentials
    The attacker needs the victim’s username and password, often obtained through phishing, credential stuffing, or dark web purchases.
  2. Initiate Repeated MFA Prompts
    The attacker attempts to log in, generating MFA prompts that are sent to the user’s device. These prompts may appear every few seconds or minutes, overwhelming the user with notifications.
  3. Wear Down the User’s Patience
    The attacker relies on the user’s frustration or confusion. After dozens of prompts, the user may finally approve a request just to stop the interruptions.
  4. Gain Access
    Once the user approves the request, the attacker gains access to the account and can move further into the system or escalate privileges.

Variations of MFA Bombing Techniques

Cybercriminals use several variations of MFA Bombing, adapting their approach based on the target’s behavior. Here are some common tactics:

  1. High-Volume Prompting: Repeated MFA prompts every few seconds, overwhelming the user with notifications.
  2. Slow Drip Prompting: Sending prompts less frequently, sometimes once or twice a day, in the hope of catching the user off-guard.
  3. Social Engineering: Directly contacting the victim, often posing as IT support, and instructing them to approve the MFA request under the guise of “routine maintenance.”

These methods exploit both human psychology and the limitations of traditional MFA systems, revealing a need for enhanced security awareness and protocols.

How Employees Can Defend Against MFA Bombing

Defending against MFA Bombing requires awareness and careful attention to every prompt. Here are practical steps users can take to safeguard their accounts:

  1. Read MFA Prompt Details Carefully
    Most MFA notifications include details such as time, location, and device type. Before approving, verify that these details match what you are doing right now, on the device in front of you. If anything looks off, deny the request and alert your IT department.
  2. Never Approve Unprompted MFA Requests
    An MFA prompt that arrives when you are not logging in means someone else has just entered your correct password. Never approve such a request; deny it, report it, and expect IT to reset your password. Many attackers rely on users approving random requests out of habit or impatience.
  3. Manually Log Out of Persistent Applications
    Certain applications, such as VPN clients, may repeatedly generate MFA requests if they disconnect and try to reconnect. Logging out manually after each session prevents those legitimate prompts and makes a genuinely unexpected one stand out.
  4. Treat Repeated MFA Requests as Suspicious
    If you receive multiple prompts in quick succession, don’t dismiss it as a glitch. This is the signature of an MFA Bombing attempt. Denying every prompt is always safe; approving one is not. Contact your IT team for guidance before approving anything.
  5. Stay Educated on Cybersecurity Best Practices
    Consistent education on cybersecurity threats and best practices is crucial. Familiarize yourself with common social engineering techniques, including callers claiming to be IT support who ask you to approve a prompt, and ask for assistance if unsure about any prompt or notification.

Advanced Strategies for Organizations to Defend Against MFA Bombing

While user education is essential, businesses must implement robust security measures to mitigate the risk of MFA Bombing. Here are some advanced strategies.

Implement Risk-Based Authentication (RBA)
RBA evaluates various factors—such as location, time, and device familiarity—during login attempts to assess risk. High-risk logins trigger additional authentication steps, making it harder for unauthorized users to gain access.
Example of RBA in Action: If a login attempt is coming from an unfamiliar device or location, the system may require a stronger verification method than a push notification, or deny access outright.
RBA can include criteria such as the following:

• Location: Assessing whether the login is coming from a known or expected region.
• Device Familiarity: Recognizing trusted devices to distinguish unusual access.
• Time of Day: Flagging logins occurring at odd hours for additional verification.
• IP Address: Checking if the request originates from a known network or an unexpected source.
• Browser Information: Noting discrepancies in browser type or version that may suggest suspicious activity.
• Credential Signals: Repeated wrong-password attempts for the account shortly before a correct one, which is what credential stuffing and password spraying leave behind.
• Login Trends: Departures from the user’s established habits, such as a first sign-in from a new country or a sudden change in working hours.

These RBA criteria add intelligence to the authentication process. The point that matters for MFA Bombing is that an attacker using stolen credentials almost always signs in from an unfamiliar IP, device, and often time zone, so a risk-aware system can refuse to send a push notification for that attempt at all and demand a phishing-resistant factor instead. If no prompt reaches the user, there is no user to wear down.
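To make the scoring concrete, here is an added example (not code from the article or from any vendor’s RBA engine) of how such criteria combine into a decision. The profile fields, weights and thresholds are assumptions chosen for illustration; the useful outcome is that an elevated score routes the attempt to a phishing-resistant factor instead of a push, so no prompt reaches the user:

```python
"""Risk-based authentication (RBA) decision for one sign-in attempt.

Added example for this page, not code from the article or from any identity
vendor. Profile fields, weights and thresholds are assumptions chosen for
illustration; a production engine derives them from sign-in history.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass
class UserProfile:
    """What the identity provider already knows about a user (assumed fields)."""
    known_countries: set
    known_device_ids: set
    known_networks: list      # CIDR strings, e.g. corporate egress ranges
    usual_hours_utc: range    # hours of day this user normally signs in
    known_user_agents: set


@dataclass
class LoginAttempt:
    user: str
    country: str
    device_id: str
    ip: str
    user_agent: str
    at: datetime
    password_ok: bool
    failed_passwords_last_15m: int   # wrong-password attempts just before this one


# One weight per criterion from the list above (assumed values).
WEIGHTS = {"unknown_country": 40, "unknown_device": 25, "unknown_network": 15,
           "odd_hour": 10, "unknown_browser": 10, "password_failure": 5}
STEP_UP_AT = 40   # at or above: no push prompt; require number matching or FIDO2
DENY_AT = 80      # at or above: block the attempt and alert the security team


def risk_score(profile, attempt):
    """Return (score, reasons) for an attempt measured against the user's profile."""
    score, reasons = 0, []

    def hit(reason, weight):
        nonlocal score
        score += weight
        reasons.append(reason)

    if attempt.country not in profile.known_countries:
        hit("unknown_country", WEIGHTS["unknown_country"])
    if attempt.device_id not in profile.known_device_ids:
        hit("unknown_device", WEIGHTS["unknown_device"])
    addr = ipaddress.ip_address(attempt.ip)
    if not any(addr in ipaddress.ip_network(n) for n in profile.known_networks):
        hit("unknown_network", WEIGHTS["unknown_network"])
    if attempt.at.astimezone(timezone.utc).hour not in profile.usual_hours_utc:
        hit("odd_hour", WEIGHTS["odd_hour"])
    if attempt.user_agent not in profile.known_user_agents:
        hit("unknown_browser", WEIGHTS["unknown_browser"])
    failures = min(attempt.failed_passwords_last_15m, 4)   # cap so it cannot dominate
    if failures:
        hit(f"{failures}_password_failures", WEIGHTS["password_failure"] * failures)
    return score, reasons


def decide(profile, attempt):
    """Map the score to a policy: 'push' (normal MFA, push allowed), 'step_up'
    (only number matching or a FIDO2 key accepted, so a blindly approved push
    cannot finish the login) or 'deny' (no prompt is sent at all)."""
    score, reasons = risk_score(profile, attempt)
    if not attempt.password_ok:           # a wrong password never earns a prompt
        return "deny", score, reasons + ["bad_password"]
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons
    return "push", score, reasons


# Constructed profile and attempts for demonstration.
ALICE = UserProfile(known_countries={"US"}, known_device_ids={"laptop-4f2a"},
                    known_networks=["203.0.113.0/24"], usual_hours_utc=range(13, 23),
                    known_user_agents={"Edge/128"})
T_DAY = datetime(2024, 11, 4, 15, 0, tzinfo=timezone.utc)
T_NIGHT = datetime(2024, 11, 4, 3, 0, tzinfo=timezone.utc)
NORMAL = LoginAttempt("alice", "US", "laptop-4f2a", "203.0.113.20", "Edge/128", T_DAY, True, 0)
# Alice on her own laptop from a hotel abroad: unfamiliar country and network only.
TRAVELING = LoginAttempt("alice", "NL", "laptop-4f2a", "198.51.100.40", "Edge/128", T_DAY, True, 0)
# Attacker with a stolen password: new country, device, network and browser, at 3am UTC.
STOLEN = LoginAttempt("alice", "NL", "unknown-9c1d", "198.51.100.7", "Chrome/129", T_NIGHT, True, 0)

if __name__ == "__main__":
    for name, attempt in [("normal", NORMAL), ("traveling", TRAVELING), ("stolen password", STOLEN)]:
        print(name, decide(ALICE, attempt))
```

The traveling case is the one worth studying: a known laptop from an unknown country lands on step-up, so the real user can still get in with a hardware key or by typing a matched number, while an attacker holding only the password gets no push prompt to bomb with.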

Limit MFA Prompt Frequency and Attempt Thresholds
Configure your MFA system to cap the number of push prompts it will send to a user within a given window (a handful in ten minutes is a reasonable starting point). Once the threshold is exceeded, stop sending prompts, suspend the push factor for that user, and require a manual reset by IT. Pair the lock with an alert: a user who hits the cap is, by definition, a user whose password is already in someone else’s hands, so the account needs a password reset, not just a cooling-off period. Be aware that the cap is also a denial-of-service lever, since the attacker holding the password can lock the legitimate user out at will; that is a reason to alert and investigate, not a reason to skip the cap.

Upgrade to FIDO2 or Biometric Authentication
FIDO2-compliant MFA, such as hardware security keys or platform authenticators unlocked with a fingerprint or face, removes the push channel that attackers abuse. There is nothing an attacker can send to the user’s phone: the login only completes when the user touches or unlocks the authenticator on the device where the sign-in is happening, and the authenticator only signs for the genuine site it was registered with, which also defeats the phishing that often supplies the password in the first place. Note that a biometric on its own is not FIDO2; the protection comes from the FIDO2/WebAuthn registration, for which the biometric is only the local unlock.

Use Number Matching Instead of Simple Push Approval
With number matching, the sign-in screen displays a number, and the user must type that same number into the authenticator app on their phone to approve the prompt; there is no plain Approve button. A user who did not start the sign-in has never seen the number, so tapping through out of fatigue no longer works. It does not help against the social-engineering variant described above, where the attacker phones the victim and reads the number out, which is why number matching is an improvement over plain push but not a substitute for phishing-resistant MFA.

Enable Contextual Information in MFA Notifications
Including details like the source IP address, approximate location, device type, and application in the MFA notification helps users recognize a request they did not make. Pair it with a “this wasn’t me” or report-fraud option so that a denial reaches the security team as an alert rather than disappearing as a timeout.
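The three controls just described (a prompt budget, number matching, and context in the notification) can be seen working together in the following added example of a push-MFA verifier. It is illustrative code written for this page, not code from the article or from any MFA product; the limits, the message layout and the method names are assumptions, and `simulate_bombing` plays a constructed attacker against a victim who taps Approve without reading the sign-in screen:

```python
"""Push-MFA verifier with a per-user prompt budget and number matching.

Added example for this page, not code from the article or from any MFA
vendor. The limits, the message layout and the API shape are assumptions;
real products expose these as tenant policy rather than constants.
"""
import secrets
import time
from collections import defaultdict, deque

PROMPT_LIMIT = 3          # push prompts allowed per user per window before lockout
WINDOW_SECONDS = 600      # sliding window for the limit
PROMPT_TTL_SECONDS = 60   # a prompt not answered within this time is void


class PushMfaService:
    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable for deterministic tests
        self.issued = defaultdict(deque)   # user -> timestamps of prompts sent
        self.pending = {}                  # challenge_id -> challenge record
        self.locked = set()                # users whose push factor is suspended
        self.alerts = []                   # what the security team would receive

    def request_push(self, user, context):
        """Called only after the password has been verified.

        `context` (source IP, approximate location, client) is shown to the user
        inside the prompt. Returns ('prompted', info), where info['display_number']
        is what the *sign-in screen* shows and the app must be given, or
        ('locked', None) once the user's prompt budget is spent.
        """
        now = self.clock()
        sent = self.issued[user]
        while sent and now - sent[0] > WINDOW_SECONDS:   # drop entries outside the window
            sent.popleft()
        if user in self.locked:
            return "locked", None
        if len(sent) >= PROMPT_LIMIT:
            # Budget exhausted: stop prompting, suspend push for this user and alert.
            # Someone holds a valid password for the account and keeps failing MFA.
            self.locked.add(user)
            self.alerts.append(f"push budget exceeded for {user} from {context['ip']}")
            return "locked", None
        sent.append(now)
        challenge_id = secrets.token_hex(8)
        number = secrets.randbelow(100)   # two-digit number shown only on the sign-in screen
        self.pending[challenge_id] = {"user": user, "number": number,
                                      "expires": now + PROMPT_TTL_SECONDS}
        device_message = {
            "challenge_id": challenge_id,
            "text": (f"Sign-in from {context['ip']} ({context['location']}) using "
                     f"{context['client']}. Enter the number shown on the sign-in screen."),
        }
        return "prompted", {"challenge_id": challenge_id, "display_number": number,
                            "device_message": device_message}

    def approve(self, challenge_id, entered_number):
        """Called by the authenticator app when the user approves.

        The number exists only on the sign-in screen, so a user who did not start
        this sign-in cannot know it; approving without it accomplishes nothing.
        """
        challenge = self.pending.pop(challenge_id, None)   # one answer per prompt
        if challenge is None:
            return "unknown_or_expired"
        if self.clock() > challenge["expires"]:
            return "expired"
        if entered_number != challenge["number"]:
            self.alerts.append(f"number mismatch on approval for {challenge['user']}")
            return "mismatch"
        return "approved"


def simulate_bombing(service, user="alice"):
    """Constructed scenario: an attacker with the user's password hammers the push factor."""
    attacker_ctx = {"ip": "198.51.100.7", "location": "Amsterdam, NL", "client": "Chrome/129"}
    outcomes = []
    for _ in range(5):
        status, info = service.request_push(user, attacker_ctx)
        if status != "prompted":
            outcomes.append(status)
            continue
        # The worn-down victim approves without looking at the sign-in screen and
        # types a guess; the guess is wrong here by construction to show the outcome.
        guess = (info["display_number"] + 1) % 100
        outcomes.append(service.approve(info["challenge_id"], guess))
    return outcomes


if __name__ == "__main__":
    svc = PushMfaService()
    print(simulate_bombing(svc))   # ['mismatch', 'mismatch', 'mismatch', 'locked', 'locked']
    print(svc.alerts)
```

Two caveats follow directly from the code. A guessed two-digit number is right one time in a hundred, so number matching reduces the damage of a fatigued tap but does not eliminate it; and the attacker who phones the victim and reads the number out defeats it entirely, which is why the lockout and the alerts, not the matching alone, are what get a security team involved.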

How to Detect an MFA Bombing Attempt

Implementing detection protocols is essential for recognizing potential MFA Bombing. The signal to key on is a correct password followed by a second factor that is denied or left unanswered, repeatedly, for the same account. Here’s what organizations can monitor:

  1. Anomalous Login Attempts: Several push prompts for one account denied or timed out within a few minutes, especially when they all come from a single unfamiliar IP address. (Microsoft Entra sign-in logs, for example, surface these as result details such as “MFA denied; user declined the authentication”.)
  2. Inconsistent Device and Location Data: Requests from new devices or locations outside typical access patterns, particularly when the password was correct.
  3. Repeated MFA Prompts Over Time: Even slow, sporadic prompts can indicate a potential attack, so look for unapproved prompts from one source spread over days as well as bursts. An approval that arrives right after a burst of denials deserves the highest priority; it usually means the user gave in and the attacker is now inside.
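As an added example (not from the article or from any SIEM product), the following script runs the three checks above over a constructed sign-in log: a night-time burst against alice that ends in an approval, a week-long slow drip against bob, and carol’s ordinary activity. The log format, field names and thresholds are assumptions; map them to your identity provider’s sign-in records.

```python
"""Spot MFA-bombing patterns in sign-in logs.

Added example for this page, not code from the article or from any SIEM.
The log format, field names and thresholds are assumptions; map the fields
to your identity provider's sign-in log (timestamp, user, source IP, result).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log. Results: mfa_denied / mfa_timeout mean the password was
# correct and the second factor was not completed; mfa_approved is a finished login.
SAMPLE_LOG = """\
2024-11-04T02:14:05Z user=alice ip=198.51.100.7 result=mfa_denied
2024-11-04T02:14:41Z user=alice ip=198.51.100.7 result=mfa_timeout
2024-11-04T02:15:20Z user=alice ip=198.51.100.7 result=mfa_denied
2024-11-04T02:16:02Z user=alice ip=198.51.100.7 result=mfa_timeout
2024-11-04T02:16:55Z user=alice ip=198.51.100.7 result=mfa_approved
2024-11-04T13:02:10Z user=carol ip=203.0.113.20 result=mfa_approved
2024-11-01T09:12:00Z user=bob ip=198.51.100.9 result=mfa_denied
2024-11-03T18:40:00Z user=bob ip=198.51.100.9 result=mfa_timeout
2024-11-05T07:05:00Z user=bob ip=198.51.100.9 result=mfa_denied
2024-11-05T13:30:00Z user=bob ip=203.0.113.21 result=mfa_approved
2024-11-06T13:00:00Z user=carol ip=203.0.113.20 result=mfa_denied
2024-11-06T13:00:40Z user=carol ip=203.0.113.20 result=mfa_approved
"""

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")
NOT_APPROVED = {"mfa_denied", "mfa_timeout"}

BURST_WINDOW = timedelta(minutes=10)
BURST_MIN = 3               # unapproved prompts inside BURST_WINDOW
DRIP_WINDOW = timedelta(days=7)
DRIP_MIN = 3                # unapproved prompts from one source IP within DRIP_WINDOW


def parse(log_text):
    """Turn log lines into sorted event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"], "result": m["result"]})
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (severity, user, detail) findings for burst and slow-drip patterns."""
    findings = []
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    for user, evs in by_user.items():
        unapproved = [e for e in evs if e["result"] in NOT_APPROVED]

        # Burst: BURST_MIN or more unapproved prompts inside one window. An approval
        # inside that same window is the worst case: the user most likely gave in.
        for i, start in enumerate(unapproved):
            window = [e for e in unapproved[i:] if e["ts"] - start["ts"] <= BURST_WINDOW]
            if len(window) >= BURST_MIN:
                gave_in = any(e["result"] == "mfa_approved"
                              and start["ts"] < e["ts"] <= start["ts"] + BURST_WINDOW
                              for e in evs)
                detail = f"{len(window)} unapproved prompts in {BURST_WINDOW} from {start['ip']}"
                if gave_in:
                    detail += " followed by an approval"
                findings.append(("critical" if gave_in else "high", user, detail))
                break   # one burst finding per user is enough to open a case

        # Slow drip: a few unapproved prompts from one IP spread over days, from a
        # source this user has never completed a login from.
        approved_ips = {e["ip"] for e in evs if e["result"] == "mfa_approved"}
        by_ip = {}
        for e in unapproved:
            by_ip.setdefault(e["ip"], []).append(e)
        for ip, ip_evs in by_ip.items():
            if ip in approved_ips or len(ip_evs) < DRIP_MIN:
                continue
            span = ip_evs[-1]["ts"] - ip_evs[0]["ts"]
            if BURST_WINDOW < span <= DRIP_WINDOW:
                findings.append(("medium", user,
                                 f"{len(ip_evs)} unapproved prompts from {ip} over {span.days} days"))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

Carol’s single denial followed by her own approval forty seconds later is the everyday false positive (a mistyped number, a prompt that arrived while the phone was locked) and produces no finding, while bob’s three failures over four days from an address he has never logged in from is exactly the slow drip the article warns about.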

What to Do if You’ve Been a Victim of MFA Bombing

If a user accidentally approves an unauthorized MFA request, taking immediate action can prevent further compromise. Here’s what to do:

  1. Report the Incident Immediately
    Inform your IT or security team of the unauthorized approval so they can investigate the breach and limit any potential damage. Time matters: the attacker is already signed in.
  2. Reset Passwords, Revoke Sessions, and Review MFA Settings
    Reset the password for the affected account, and revoke all active sessions and refresh tokens, since a password reset on its own does not end a session the attacker already holds. Then review the account’s registered MFA methods and remove any device or phone number you do not recognize; attackers commonly enroll their own authenticator as soon as they are in so they can return without bombing the user again.
  3. Review Account Activity
    Check for any suspicious activity on the account, such as changes in settings, mailbox forwarding rules, unusual file access, or unexpected logins from unfamiliar devices.
  4. Enable Alerts for Further Monitoring
    Set up alerts for unusual access attempts and actively monitor the account for any signs of continued unauthorized activity.

Moving Forward: Protecting Your Business from MFA Bombing

MFA is a fundamental security measure, but businesses must continuously adapt to counteract evolving cyber threats. MFA Bombing demonstrates that even advanced security methods are vulnerable if users are unaware of potential exploitation tactics.

Safeguarding against MFA Bombing requires a comprehensive approach, from user education to advanced security technologies. By staying informed and proactive, businesses can reinforce their defenses and protect their most valuable assets from sophisticated attacks.

For more guidance on securing your business with advanced MFA solutions or to learn about our tailored cybersecurity services, reach out to our Consilien team today. Protecting your business from emerging threats is our mission, and we’re here to help you stay secure.
