Active Multi-Factor Authentication Attack Campaign Targeting Microsoft Office 365 Users
Threat Level Description
Threat Level: Medium – An attack is a strong possibility. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.
We have identified an active Multi-Factor Authentication (MFA) Fatigue campaign that is compromising Microsoft Office 365 users.
An attacker leveraging this technique could access sensitive information held in the mailbox of the targeted user(s) and use it to plan more sophisticated attacks.
MFA can use a diverse set of mediums to authenticate the user, such as SMS messages or phone calls where the user authenticates their identity via a pre-configured phone number. Also, MFA can use One Time Password (OTP) or push notifications from an app.
An “MFA Fatigue” attack refers to overloading a victim’s device by “pushing” notifications or prompts via MFA (Multi-Factor Authentication) applications. This method fatigues the users (overwhelmed by volume). Thus, they start setting security best practices aside and become careless until they approve the login attempt, putting their organization and their accounts in danger of compromise.
To initiate this attack, a malicious actor must already have the user’s credentials, which can be obtained via brute force attacks, password reuse, or password spraying. After obtaining the credentials, the attacker repeatedly triggers push notifications until the user approves the login attempt and lets the attacker gain access to the account. This usually happens because the user is distracted or overwhelmed by the notifications, and/or because the user misinterprets the notification spamming as a bug or confuses it with other legitimate authentication requests.
This attack is particularly effective because it targets the human factor of MFA. Many MFA users are not familiar with this type of attack and would not understand that they are approving a fraudulent notification.
IthacaLabs recommends the following steps to detect multiple push notifications and therefore an MFA Fatigue attack in Microsoft Office 365.
1. Visit the Azure Active Directory administration center
2. Go to Monitoring > Sign-in Logs
3. Filter sign-in Status by Failure to obtain a list of MFA pushes that were denied
4. Investigate each activity individually via Authentication Details. Multiple events will be marked as “Mobile app notification” under Authentication Method
5. Denied push notifications show “false” under the Succeeded column and “MFA denied; user declined the authentication” under Result detail
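As an added illustration of the detection steps above (example code, not part of the original advisory), the following Python flags users whose exported sign-in log contains repeated declined mobile-app pushes within a short window. The record fields are assumed to follow the Microsoft Graph signIn format used by the sign-in log export, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (shape assumed from the Microsoft Graph
# signIn resource used by the Azure AD sign-in log export; values are made up).
def record(user, ts, method, ok, detail):
    return {"userPrincipalName": user, "createdDateTime": ts,
            "authenticationDetails": [{"authenticationMethod": method,
                                       "succeeded": ok,
                                       "authenticationStepResultDetail": detail}]}

DENIED = "MFA denied; user declined the authentication"
PUSH = "Mobile app notification"
SAMPLE_SIGNINS = [
    record("alice@example.com", "2023-01-10T08:00:05Z", PUSH, False, DENIED),
    record("alice@example.com", "2023-01-10T08:01:12Z", PUSH, False, DENIED),
    record("alice@example.com", "2023-01-10T08:02:40Z", PUSH, False, DENIED),
    record("alice@example.com", "2023-01-10T08:04:01Z", PUSH, False, DENIED),
    record("alice@example.com", "2023-01-10T08:05:30Z", PUSH, True, "MFA completed in Azure AD"),
    record("bob@example.com",   "2023-01-10T09:15:00Z", PUSH, False, DENIED),
    record("bob@example.com",   "2023-01-10T13:20:00Z", PUSH, False, DENIED),
    record("carol@example.com", "2023-01-10T10:00:00Z", "Password", True, "Correct password"),
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def denied_push_events(records):
    """Yield (user, time) for every declined mobile-app push notification."""
    for rec in records:
        for step in rec.get("authenticationDetails", []):
            if (step.get("authenticationMethod") == PUSH and step.get("succeeded") is False
                    and step.get("authenticationStepResultDetail") == DENIED):
                yield rec["userPrincipalName"], parse_time(rec["createdDateTime"])

def find_fatigue_candidates(records, threshold=3, window=timedelta(minutes=15)):
    """Return {user: peak denials in any window} for users at or above threshold."""
    by_user = defaultdict(list)
    for user, when in denied_push_events(records):
        by_user[user].append(when)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, when in enumerate(times):      # sliding window over sorted times
            while when - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged

if __name__ == "__main__":
    for user, n in find_fatigue_candidates(SAMPLE_SIGNINS).items():
        print(f"{user}: {n} declined pushes within 15 minutes")
```

Note that alice’s final successful push after four denials is exactly the sequence the advisory describes, so a successful sign-in immediately following a flagged burst deserves the same scrutiny as the denials themselves.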
Microsoft 365 administrators can choose a variety of ways to fight MFA Fatigue.
• Configure the service limits of the Multi-Factor Authentication service (the default and maximum limits are listed in the Azure Resource Manager documentation).
• Use Microsoft Authenticator’s phone sign-in verification method where a “unique two-digit number is generated and must be confirmed on both sides.”
• Disable Push Notifications completely as a verification method by:
1. Visiting the Azure Active Directory administration center
2. Selecting Per-User MFA
3. Unselecting “Notification through mobile app” in Multi-factor Authentication > Service Settings > verification options
4. Clicking Save once this is configured