Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
Adversaries in possession of credentials to Valid Accounts may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account. If adversaries lack credentials to victim accounts, they may also abuse automatic push notification generation when this option is configured for self-service password reset (SSPR).[1]
In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to "MFA fatigue."[2][3][4]
| ID | Name | Description |
|---|---|---|
| G0016 | APT29 |
APT29 has used repeated MFA requests to gain access to victim accounts.[4][5] |
| C0027 | C0027 |
During C0027, Scattered Spider attempted to gain access by continuously sending MFA messages to the victim until they accept the MFA push challenge.[6] |
| G1004 | LAPSUS$ |
LAPSUS$ has spammed target users with MFA prompts in the hope that the legitimate user will grant necessary approval.[7] |
| G1015 | Scattered Spider |
Scattered Spider has used multifactor authentication (MFA) fatigue by sending repeated MFA authentication requests to targets.[8] |
| ID | Mitigation | Description |
|---|---|---|
| M1036 | Account Use Policies |
Enable account restrictions to prevent login attempts, and the subsequent 2FA/MFA service requests, from being initiated from suspicious locations or when the source of the login attempts do not match the location of the 2FA/MFA smart device. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[9] |
| M1032 | Multi-factor Authentication |
Implement more secure 2FA/MFA mechanisms in replacement of simple push or one-click 2FA/MFA options. For example, having users enter a one-time code provided by the login screen into the 2FA/MFA application or utilizing other out-of-band 2FA/MFA mechanisms (such as rotating code-based hardware tokens providing rotating codes that need an accompanying user pin) may be more secure. Furthermore, change default configurations and implement limits upon the maximum number of 2FA/MFA request prompts that can be sent to users in period of time.[3] |
| M1017 | User Training |
Train users to only accept 2FA/MFA requests from login attempts they initiated, to review source location of the login attempt prompting the 2FA/MFA requests, and to report suspicious/unsolicited prompts. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content |
Monitor application logs for suspicious events including repeated MFA failures that may indicate user's primary credentials have been compromised. |
| DS0028 | Logon Session | Logon Session Creation |
Monitor 2FA/MFA application logs for suspicious events such as rapid login attempts with valid credentials. |
| Logon Session Metadata |
Monitor 2FA/MFA application logs for suspicious events such as unusual login attempt source location, mismatch in location of login attempt and smart device approving 2FA/MFA request prompts. |
||
| DS0002 | User Account | User Account Authentication |
Monitor user account logs for suspicious events: unusual login attempt source location, mismatch in location of login attempt and smart device receiving 2FA/MFA request prompts, and high volume of repeated login attempts, all of which may indicate user's primary credentials have been compromised minus 2FA/MFA mechanism. Analytic 1 - Anomalous IP addresses, unmanaged devices, unusual User Agents indicating automation tools or scripts, high failure rates
|