“Push” the bad guys back, with Microsoft Authenticator

Definition

A multi-factor authentication (MFA) fatigue attack – also known as MFA Bombing or MFA Spamming – is a social engineering cyberattack strategy where attackers repeatedly push second-factor authentication requests to the target victim’s email, phone, or registered devices. The goal is to coerce the victim into confirming their identity via notification, thus authenticating the attacker’s attempt at entering their account or device. (Source)

Recent TA developments

MFA fatigue attacks [T1621] were brought to light and gained visibility after the Cisco breach in August and the Uber breach in September, both in 2022. While this type of attack requires the threat actor (TA) to already hold the victim’s credentials, the part that actually bypasses MFA is considered simple: a user who keeps receiving familiar MFA alerts may get tired of them and simply confirm one.

On the other hand, EvilProxy, a Phishing-as-a-Service platform that serves an almost identical Microsoft sign-in page and even copies the organization’s branding, is on the rise. If a victim falls for the phishing email [T1566.002], only the URL could alert them that something is wrong. EvilProxy acts as an adversary-in-the-middle (AiTM), relaying the sign-in to capture the user’s authentication token [T1550.001]. During the transaction, the sign-in recorded in the logs does not originate from the user’s browser but from wherever the EvilProxy phishing page is hosted, which is the one trace a defender can look for.
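The pattern both scenarios leave in the sign-in logs (a burst of denied or unanswered MFA prompts for one user, followed by an approval from the same source) can be detected with a short script. The following is an added example, not part of the original post or any Microsoft tooling; the record layout, field names and result values are assumptions constructed for the example and only loosely resemble Azure AD sign-in log entries.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, shaped loosely like Azure AD sign-in log entries.
# The field names and result values are assumptions made for this example.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2022-09-15T08:00:10Z", "ip": "203.0.113.7", "result": "mfa_denied"},
    {"user": "alice@example.com", "time": "2022-09-15T08:00:45Z", "ip": "203.0.113.7", "result": "mfa_timeout"},
    {"user": "alice@example.com", "time": "2022-09-15T08:01:30Z", "ip": "203.0.113.7", "result": "mfa_denied"},
    {"user": "alice@example.com", "time": "2022-09-15T08:02:05Z", "ip": "203.0.113.7", "result": "mfa_denied"},
    {"user": "alice@example.com", "time": "2022-09-15T08:03:50Z", "ip": "203.0.113.7", "result": "mfa_timeout"},
    {"user": "alice@example.com", "time": "2022-09-15T08:05:12Z", "ip": "203.0.113.7", "result": "mfa_success"},
    {"user": "bob@example.com",   "time": "2022-09-15T08:10:00Z", "ip": "198.51.100.5", "result": "mfa_denied"},
    {"user": "bob@example.com",   "time": "2022-09-15T08:11:00Z", "ip": "198.51.100.5", "result": "mfa_success"},
]

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def find_mfa_fatigue(records, threshold=5, window=timedelta(minutes=10)):
    """Flag users who received >= threshold denied or unanswered MFA prompts
    inside one sliding window, and note whether a prompt from the same source
    IP was approved after the burst (the outcome an MFA fatigue attack aims for)."""
    per_user = defaultdict(list)
    for rec in records:
        per_user[rec["user"]].append(rec)
    alerts = {}
    for user, recs in per_user.items():
        recs.sort(key=lambda r: parse_time(r["time"]))
        prompts = [r for r in recs if r["result"] in ("mfa_denied", "mfa_timeout")]
        for i, first in enumerate(prompts):
            cutoff = parse_time(first["time"]) + window
            burst = [r for r in prompts[i:] if parse_time(r["time"]) <= cutoff]
            if len(burst) < threshold:
                continue
            ips = {r["ip"] for r in burst}
            last_prompt = parse_time(burst[-1]["time"])
            approved = any(r["result"] == "mfa_success" and r["ip"] in ips
                           and parse_time(r["time"]) > last_prompt for r in recs)
            alerts[user] = {"prompts": len(burst), "source_ips": sorted(ips),
                            "approved_after_burst": approved}
            break  # one alert per user is enough; report the first qualifying burst
    return alerts

if __name__ == "__main__":
    for user, info in find_mfa_fatigue(SAMPLE_SIGNINS).items():
        print(user, info)
```

With the sample data only alice is flagged: five prompts in under ten minutes, then an approval from the same IP. The threshold and window should be tuned against the tenant’s own baseline before alerting on them.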

Given the scenarios above, the attack vector to harden is the MFA step itself. The M1032 mitigation suggests “Implement more secure 2FA/MFA mechanisms in replacement of simple push or one-click 2FA/MFA options”, and this is where the recently announced Microsoft Authenticator enhancements can be handy.

Microsoft Authenticator comes to the rescue

Microsoft announced the implementation of 3 new features:

* Number matching for push notifications, where the user is required to provide a random one-time number to complete the authentication.
* The name of the application that requested the authentication, shown in the push notification.
* The geographic location of the sign-in, shown in push and passwordless notifications.

While the first feature is an extra step that defeats MFA fatigue attacks, the other two give the user further indicators that something might be wrong. Microsoft will be enforcing number matching as the MFA method for all Microsoft users by February 27th, 2023.

How do I enable Microsoft Authenticator features?

Before you begin, make sure you have Microsoft Authenticator push notifications enabled for the users involved. Also, if you have Security Groups set up in your environment, you can scope each feature to specific groups rather than deploying all options to all of the tenant’s users. Log in to your Microsoft Azure portal, go to Security > Authentication methods and click Microsoft Authenticator.

Make sure to click Enable and then click Configure. You will then be prompted to configure the three features mentioned above.

Choose Enabled for all, or whichever you would like to enable as depicted below. Here, you may also choose the Security Groups involved in each feature.

Don’t forget to click Save.

How does the MFA work now?

Once you try to sign in, for example to the Azure Portal, you will be shown a two-digit number which has to be entered on your mobile device in the relevant push notification window.

Now, this window will provide you with more information: the app that initiated the authentication request and the location of the sign-in, accompanied by a geolocated map.

Closing remarks

Should you feel secure now? Microsoft Azure offers more configurations to further explore fortification options, such as conditional access policies, named locations and more. However, the human factor should be taken into consideration as well. As described in M1017, “Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.” Having said that, for a change like the one described in this blog, users should be informed beforehand to avoid a flood of questions about whether the new push notifications are legitimate or not.

References & MITRE ATT&CK

MITRE ATT&CK Techniques & Sub-techniques
MITRE ATT&CK Mitigations
