MFA Fatigue Attack: Meaning, Types, Examples, and More

This article investigates MFA fatigue attacks. We'll explain how they work, why they're effective, and who they typically target. We'll also provide real-life examples to help your team detect and prevent these threats. You'll leave with a clear understanding of MFA fatigue attacks and tips on how to shore up your cloud security to defend against them. 

What is an MFA Fatigue Attack?

An MFA fatigue attack—also known as MFA bombing or spamming—is a cyber attack that uses social engineering tactics to manipulate users. Through MFA fatigue, attackers exploit situational and psychological factors to get user authentication and gain unauthorized access to a protected system.

An attack involves a user getting bombarded by repeated multi-factor authentication requests to access a secure system or account. As the prompts asking for additional information (such as biometric data or a verification code) begin to pile up, users can get annoyed, frustrated, or impatient. 

During an attack, some users can also get worried and overwhelmed by the sudden surge of activity. In some cases, a panicked user may instinctively provide authentication data to log in and 'check' to see if everything is okay with their account. Unsuspecting users may even think the system is experiencing a glitch and authenticate just to get it to stop. 

Repeated notifications will test users' patience and vigilance, making them agitated and prompting a few to act in frustration. This is called MFA fatigue. The attack is more psychological than technological, leading some users to unknowingly grant unauthorized access to protected data. 

💡Make it easy: Prevent users from succumbing to MFA fatigue and keep your network secure with StrongDM's Zero Trust Privileged Access Management (PAM).

Types of MFA Fatigue Attacks

Cybercriminals will use every psychological trick to access sensitive data, including tactics to wear down vigilant users. Let's first break down how all MFA fatigue attacks begin:

Step one: getting hold of valid credentials

The first step to any MFA fatigue attack is accessing login credentials for a protected system or account. These usually include usernames, passwords, and PINs. Without this information, no one can trigger a multi-factor authentication prompt, which is the primary weapon in the attack.

Some methods bad actors use to get your details include:

• Hacking: Password cracking and brute force attacks break in and steal credentials from files and computers with weak security.
• Malware: Malicious software such as viruses, keystroke loggers, trojans, and spyware can make private data vulnerable.
• Phishing: Emails and messages from fraudulent accounts (pretending to be from a trusted source) can solicit sensitive information by faking authority and establishing trust.

Last year saw a 73% increase in data breaches, breaking a record set in 2021.

With your credentials, an MFA fatigue attack moves into its second phase, typically taking one of three forms:

The blitz: pestering you with endless notifications

This type of attack is the most common, and how the cyber tactic got its name. 

Depending on how you've set up your security, MFA requests can come in via email, SMS, or smartphone applications that will confirm your identity through security codes or biometric data.

Since authentication is a routine part of online security, being asked a second or third time might not immediately set off any red flags. If you ignore the first few, users will continue to be pinged with MFA requests, which gets annoying pretty quickly.

A string of requests will eventually frustrate anyone, especially those working remotely or from co-working spaces. In such cases, a user might accidentally grant access after being flooded with requests, or they could do it in a moment of exasperation to try and get the notifications to stop.

The emergency: fabricating an urgent threat 

Another MFA fatigue attack combines spamming and phishing tactics to invent a scenario where users have a limited time to prevent serious consequences. 

Users might receive three or four MFA requests followed by spam emails warning them of a data breach and the need for urgent action—usually logging in (after providing MFA) and changing passwords. 

These MFA fatigue attacks build tension by creating a narrative rather than trying to overwhelm and stress users by inundating them. This tactic exploits the psychological burden of responsibility, putting executives, IT administrators, security personnel, and employees with high privileges at higher risk of being targeted. 

The smooth swindle: posing as a trusted source

The above tactic also works when the impersonating party pretends to be an authority, such as a bank, government, or reputable company. They could also pose as an old friend, a friend of a friend, or a trusted source. 

Instead of sounding alarm bells, these types of MFA fatigue attacks lull users into a sense of security through a methodical and calculated combination of spam and MFA pings. Messages can come through SMS, Facebook, Instagram, or WhatsApp, and they usually target users who work in hierarchical structures. 

Nearly all cyber-attacks are possible because of human error.

Examples of MFA Fatigue Attacks

Here are three examples from the last several years where hackers launched successful, coordinated attacks against reputable companies. 

1. Cisco Systems

In May 2022, Yanluowang ransomware group breached Cisco's internal systems. The attack aimed to blackmail the company by threatening to leak stolen files online. Hackers used MFA fatigue and sophisticated voice phishing to gain access and steal non-sensitive data, which they later published on the dark web. 

In response, Cisco updated its security measures and shared technical details of the breach to help other security teams do the same.

2. Uber

In the fall of 2022, global ride-sharing giant Uber confirmed a cybersecurity breach. Quickly, speculation grew that it was at the hands of an 18-year-old who bragged about the hack to employees via Uber's internal Slack.

The attack methods included:

• Phishing
• Impersonating Uber IT support via WhatsApp
• Sending repeated MFA login notifications

Reports of the hack showed it accessed Uber's critical systems, including security software, AWS console, Windows domain, VMware virtual machines, and Google Workspace admin dashboard. The purported hacker even shared screenshots claiming deep access to the company's internal systems and sensitive data.

3. Microsoft

In 2022, the hacker group Lapsus$ released a cache of stolen code from Microsoft, confirming their suspected hack of the tech conglomerate the previous year. Microsoft has acknowledged the breach, confirming that MFA fatigue tactics were part of the attack. 

Entry into the system allowed the group access to employee and high-privilege accounts. They also breached source code repositories, including the Azure DevOps server, where the company develops projects like Bing, Cortana, and Bing Maps.

A study by Microsoft showed that 1% of users will accept an approval request on the first try, instantly making a network vulnerable.

These attacks highlight vulnerabilities in MFA and the need for zero-trust security models. These breaches and other high-profile hacks emphasize the need for robust security measures.

Small companies should heed the warning by learning from these examples, which serve as reminders that size and resources can't always protect you.

How to Detect an MFA Fatigue Attack

Educating yourself and your staff will improve your chances of detecting an MFA fatigue attack. Here are some things to look for:

A user has multiple failed login attempts from different locations or IPs.

Failing to log in repeatedly is a little suspicious but not entirely uncommon. However, if you notice it happening from different geographic locations or IP addresses, it may indicate an attacker is using automated tools to generate login attempts.

The system has sent an unusually high number of MFA requests to one or multiple users.

If you notice a sudden spike in MFA requests, that's a major red flag warranting immediate investigation. If your monitoring systems notice a spike outside working hours, that could mean the MFA fatigue attack is ongoing. 

You've received numerous user reports of annoying and continuous MFA prompts.

Since these attacks target and exploit users, they're the first to sense something is off. Encourage employees to report any unexpected or persistent MFA prompts immediately. If you see a flood or sudden surge of reports inconsistent with the past, it's cause to investigate. 

You've flagged a series of irregular access patterns or user activity. 

If the logs recording user activity and access patterns show any irregularities—for instance, logins from unusual locations, devices, or at odd hours—monitoring systems can flag it for investigation. You can then implement behavioral analytics to identify if it's an MFA fatigue attack.

Deploying enhanced monitoring and alerting systems

Advanced security systems, like Zero Trust Access Management platforms, leverage the latest tools to detect anomalies in authentication patterns. They also provide comprehensive, round-the-clock network security to identify potential MFA fatigue attacks and initiate protective measures before a breach occurs.

💡Make it easy: Robust security protocols and system-wide monitoring are designed to detect breaches and grant access to sensitive data only to authorized users. Learn more.

Four Ways to Prevent MFA Fatigue Attacks

Use these four prevention methods to stop unauthorized system access, data breaches, and theft resulting from an MFA fatigue attack:

1. Tighten MFA parameters: This can include the window for responses and the number of allowed attempts. Single sign-on (SSO) and the principle of least privilege are other options. You can also limit the location of where users can access a system and include biometric requirements for login.

2. Increase user education: From the C-suite to the front lines, everyone should receive updated training on recognizing and responding to social engineering tactics like MFA fatigue attacks.

3. Strengthen password management: Zero trust architecture and security features like FIDO2 authentication will strengthen your passwords, a fragile first line of defense in network security.

Over 80% of data breaches begin with weak passwords that were easy to crack or obtain.

4. Give your systems an upgrade: Whether it's reducing vulnerabilities through updates and patches or integrating PAM solutions into your current network, security measures and systems must evolve to keep up with the changing landscape of cyber threats. 

Simplifying MFA Fatigue Attack Prevention with StrongDM

We can't overstate the importance of multi-factor authentication to privacy protection. However, when bad actors are finding ways to exploit security measures, IT teams have to find ways to stay vigilant and defend against attacks.

StrongDM's Zero Trust PAM solution simplifies security by combining authorization, authentication, networking, and monitoring into a single platform. With protocols specific to MFA fatigue attacks, you can secure your network, monitor access controls, and protect users from social engineering threats.

Sign up for a free trial to see how StrongDM can make MFA fatigue attacks a thing of the past.

MFA Fatigue Attack: Frequently Asked Questions

What is the goal of an MFA fatigue attack?

An MFA fatigue attack aims to bypass security and gain access to a user's network or data. Attackers do this by bombarding users with repeated multi-factor authentication requests. This can confuse, worry, or annoy users, eventually wearing them down and tricking them into unwittingly granting unauthorized access to protected information.

What is the best course of action to defend against MFA fatigue?

Defending against MFA fatigue requires vigilant monitoring of all the access protocols across a secure network. Switching to adaptive authentication methods, using hardware tokens, enforcing least privilege, and implementing SSO can help. Educate users about emerging security threats and deploy centralized PAM platforms to streamline management.

What types of attacks does multi-factor authentication prevent?

Multi-factor authentication prevents several types of attacks and cybersecurity breaches. These include phishing, password cracking, man-in-the-middle attacks, credential stuffing, and social engineering. However, MFA alone may not provide enough security as hackers continue to find creative and sophisticated ways to launch cyber attacks.

How do hackers beat MFA?

The best way for hackers to beat MFA is to trick the user into doing it. Social engineering tactics such as inducing MFA fatigue are common, but there are many others. By convincing users that an MFA request is valid, hackers can bypass the strictest measures, such as biometric data, to access sensitive material.