What is MFA Fatigue Attack?

Hackers are more frequently using social engineering attacks to gain access to corporate credentials and large networks. One component of these attacks that is becoming more popular with the rise of multi-factor authentication is a technique called MFA Fatigue. When breaching corporate networks, hackers commonly use stolen employee login credentials to access VPNs and the internal network.

When an organization’s multi-factor authentication is configured to use ‘push’ notification, the employee sees a prompt on their mobile device when employee tries to login in with their credentials. These MFA push notifications ask the user to verify the login attempt and will show where the login is being attempted. An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account’s owner’s mobile device. The goal is to keep this up, day and night, to break down the target’s cybersecurity posture and inflict a sense of “fatigue” regarding these MFA prompts. In many cases, the threat actors will push out repeated MFA notifications and then contact the target through email, messaging platforms, or over the phone, pretending to be IT support to convince the user to accept the MFA prompt.

Ultimately, the targets get so overwhelmed that day accidentally click on the ‘Approve’ button or simply accept the MFA request to stop the deluge of notification they were receiving on the9r phone. This type of social engineer technique has proven to be very successful by the Lapsus$ and Yanluowang threat actors when breaching large and well-known organizations, such as Microsoft, Cisco, and now Uber.