Attackers Are Compromising Office 365 Users With MFA Fatigue


Attackers are compromising Microsoft Office 365 users with crafty “MFA Fatigue” attacks, otherwise known as Push Notification Spamming, says a February 14th, 2022, blog post by GoSecure.

Recent investigations have shown a significant increase in the number of attacks that leverage Push Notification Spamming, which ultimately penetrate Office 365 accounts and even compromise entire organizations.

As corporations like Microsoft move away from SMS and voice-based authentication, analysts say the adoption of app-based authentication has opened the door for cybercriminals to benefit from MFA Fatigue.

What is MFA Fatigue?

“MFA Fatigue” is when an attacker overloads a victim’s device by “pushing” notifications or prompts via MFA (Multi-Factor Authentication) applications. This method fatigues the user until they approve the login attempt, after which a hacker gains control of the account.

To do this, an attacker must first hold the user’s credentials, which can be obtained via brute-force attacks, password reuse, or password spraying. The attacker launches an “MFA auto-retry script” and attempts to sign in with the victim’s credentials. Then, the attacker clicks “I can’t use my Microsoft Authenticator app right now” in the sign-in flow, which causes a new approval request to be pushed to the victim. These notifications are sent repeatedly until the user eventually gives in and approves one.

“Many MFA users are not familiar with this type of attack and would not understand they are approving a fraudulent notification,” said GoSecure.

GoSecure has published a video demonstration of this attack vector on their YouTube channel.

High-profile Russian threat actors use this method

Multiple clusters of “Russian intrusion activity” targeting governments and businesses around the world are using this method, according to Mandiant security researchers.

How to Detect MFA Fatigue in Microsoft 365

Security researchers recommend that IT professionals take the following steps to detect repeated push notifications:

  1. Visit the Azure Active Directory administration center.
  2. Go to “Monitoring,” then to “Sign-in Logs.”
  3. Filter sign-in Status by “Failure” to obtain a list of MFA pushes that were denied.
  4. Investigate each activity here individually via “Authentication Details.” Multiple events will be marked as “Mobile app notification” under “Authentication Method.”
  5. Push notifications that were spammed will show “false” under the “Succeeded” column and “MFA denied; user declined the authentication” under “Result detail.”

More detailed information can be found in GoSecure’s blog post.
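The manual review above scales poorly once a tenant has thousands of sign-ins, so the check can be scripted. The following is an added example (not code from the article or from GoSecure) that scans sign-in log records for the pattern the steps describe: a burst of “Mobile app notification” attempts with the result detail “MFA denied; user declined the authentication”, and whether an approval followed the burst. The field names are an assumed flattening of the sign-in log’s Authentication Details, and every record is a constructed sample.

```python
# Added example: detect MFA fatigue (push spamming) bursts in sign-in records.
# Field names (user, time, method, succeeded, detail) are an ASSUMED flattening
# of the Azure AD sign-in log "Authentication Details"; records are CONSTRUCTED.
from collections import defaultdict
from datetime import datetime, timedelta

PUSH_METHOD = "Mobile app notification"
DECLINED = "MFA denied; user declined the authentication"

def rec(user, time, succeeded, detail):
    return {"user": user, "time": time, "method": PUSH_METHOD,
            "succeeded": succeeded, "detail": detail}

# Constructed: alice is pushed three times and finally approves; bob declines once.
SAMPLE_SIGNINS = [
    rec("alice@example.com", "2022-02-14T08:00:05Z", False, DECLINED),
    rec("alice@example.com", "2022-02-14T08:01:10Z", False, DECLINED),
    rec("alice@example.com", "2022-02-14T08:02:30Z", False, DECLINED),
    rec("alice@example.com", "2022-02-14T08:05:00Z", True, "MFA completed"),
    rec("bob@example.com", "2022-02-14T09:00:00Z", False, DECLINED),
]

def find_fatigue(records, threshold=3, window=timedelta(minutes=10)):
    """Return {user: (declines_in_window, approved_after)} for every user with
    at least `threshold` declined pushes inside any sliding `window`, plus a
    flag telling whether a successful push followed that burst within `window`
    (the "user gave in" case that needs an incident response, not just a ticket)."""
    by_user = defaultdict(list)
    for r in records:
        if r["method"] == PUSH_METHOD:
            ts = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ")
            by_user[r["user"]].append((ts, r["succeeded"], r["detail"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        declines = [t for t, ok, d in events if not ok and d == DECLINED]
        approvals = [t for t, ok, _ in events if ok]
        start = 0
        for end in range(len(declines)):          # sliding window over declines
            while declines[end] - declines[start] > window:
                start += 1
            n = end - start + 1
            if n >= threshold:
                gave_in = any(declines[end] < a <= declines[end] + window
                              for a in approvals)
                prev = flagged.get(user, (0, False))
                flagged[user] = (max(prev[0], n), prev[1] or gave_in)
    return flagged

if __name__ == "__main__":
    for user, (n, gave_in) in find_fatigue(SAMPLE_SIGNINS).items():
        print(f"{user}: {n} declined pushes in 10 min; approved afterwards: {gave_in}")
```

On the sample data only alice is flagged, with three declines followed by an approval; bob’s single decline is normal user behaviour and stays below the threshold.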

How to Resolve Push Notification Spamming

Microsoft 365 administrators can choose a variety of ways to fight MFA Fatigue. One way is to configure service limits (the default limits) of the Multi-Factor Authentication service, which can be found here.

Another way is to use Microsoft Authenticator’s phone sign-in verification method where a “unique two-digit number is generated and must be confirmed on both sides.” This makes it very difficult for an attacker to compromise anything.

Finally, an administrator can disable Push Notifications completely as a verification method by following these steps:

  1. Visit the Azure Active Directory administration center.
  2. Select “Per-User MFA.”
  3. Under Multi-factor Authentication > Service Settings > verification options, select “Notification through mobile app.”
  4. Click “Save” when this is configured.

Microsoft Office 365 Security Problems

Microsoft Office 365, used by millions of companies and over 50 million users around the world, is well-known in IT security circles for its security problems, vulnerabilities, and stability issues.

Some of these problems include frequent phishing attacks and unsecured code leading to vulnerabilities.

MFA Fatigue is a New Area of Concern

“MFA Fatigue is a real concern with potential implications to compromise Microsoft Office 365 accounts, but there are many ways to protect ourselves from MFA Fatigue and the current rise in Push Notification Spamming attacks” said GoSecure.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.