MFA Prompt Bombing is an effective attack method used by attackers to gain access to a system protected by Multi-Factor Authentication (MFA). The attacker sends a large number of MFA approval requests to a user in order to overwhelm them with the requests. One wrong click and an attacker has access.
Regardless of the level of MFA Prompt Bombing harassment, the goal is for the user to accept the MFA request and grant access to accounts or provide a way to run malicious code on a targeted system. The security industry views MFA prompt bombing attacks as a form of social engineering. This well-known attack vector has only gained popularity among attackers in the last two years, and yet many users and security teams are still unaware of this attack technique.
MFA prompt bombing in action
One of the most well-known successful MFA Prompt Bombing attacks was carried out by the Lapsus$ hack group. Their actions highlighted the weaknesses of certain settings, including push notifications. In their recent successful attacks, the hacker group bombarded users with requests until victims eventually approved access. The group also took advantage of MFA vendors' ability to allow employees to receive a phone call to an authorized device for authentication and press a specific key as a second factor.
A statement posted by a Lapsus$ member on the group's Telegram chat channel illustrates the cybercriminals' brazen tactic: "There is no limit to the number of calls you can make. If you call the employee 100 times at 1am when they are trying to sleep, they will most likely accept. Once the agent answers the first call, you can access the MFA enrollment portal and enroll another device.”
Balance between usability and security
With the growing notoriety of MFA prompt bombing attacks, some organizations have decided to disable push notifications for authentication requests and instead enforce one-time passwords (OTP). These are intended to make it more difficult for attackers to access sensitive information and resources, but result in a poorer user experience since users have to provide additional login information, such as a numeric code sent via SMS.
While OTP may be a bit more secure than push notifications, it degrades the user experience. Businesses should be careful to find the right balance between usability and security.
What Enterprises Can Do Against MFA Prompt Bombing Attacks
Instead of switching to OTP, it's better to automatically deny MFA push notifications when a certain number of notifications is exceeded. Thus, in the event of an attack, an end user will only receive a few MFA notifications, while the security team will be alerted to the flood of MFA requests in the user's activity logs behind the scenes.
When it comes to finding the right level of security and ease of use for MFA protection, push notifications are still the recommended solution. However, they must be implemented with the right security measures.
Comprehensive identity protection
To ensure comprehensive identity protection, deploy an identity threat protection platform that is purpose-built for real-time prevention, detection, and response to identity-based attacks that misuse compromised credentials to gain access to targeted resources. Such an Identity Threat Protection solution prevents identity-based attacks through continuous monitoring, risk analysis, and real-time enforcement of Zero Trust access policies for every user, system, and environment on-premises and in the cloud. The technology ensures end-to-end MFA protection and continuous monitoring of all authentications on-premises and in the cloud.
To provide dedicated protection against MFA prompt bombing attacks, the technology enables adaptive blocking: After a certain number of rejected MFA requests within a short period of time, the user is no longer asked and the requests are automatically rejected.
Protect risk-based policies
Furthermore, risk-based policies can be created that detect and prevent abnormal MFA activity risks, such as when users receive an unusual number of requests in a short period of time. This allows administrators to ensure that unauthorized users are blocked from accessing company resources.
In addition, this solution enables the automatic identification of malicious activities and risks of all user authentication requests and provides detailed information on each denied MFA request. Administrators can monitor all access requests through daily reports or by forwarding syslog events to their SIEM.
Social engineering attacks such as MFA Prompt Bombing specifically attempt to exploit human weaknesses. Therefore, in addition to the technical security precautions, employees should always be given comprehensive information so that they are prepared for this type of attack. With the above measures, companies can strengthen their resilience against prompt bombing attacks and make it significantly more difficult for attackers to bypass MFA protection.
More at SilverFort.com
About Silverfort Silverfort is the provider of the first Unified Identity Protection Platform that consolidates IAM security controls in corporate networks and cloud environments in order to ward off identity-based attacks. Through the use of innovative agent-free and proxy-free technology, Silverfort integrates seamlessly into all IAM solutions, standardizes their risk analysis and security controls and extends their coverage to assets that previously could not be protected, such as self-developed and legacy applications, IT infrastructure , File systems, command-line tools, machine-to-machine access and more.