gosecure.ai
141.193.213.10  Public Scan

Submitted URL: https://www.gosecure.net/blog/2022/02/14/current-mfa-fatigue-attack-campaign-targeting-microsoft-office-365-users/
Effective URL: https://gosecure.ai/blog/2022/02/14/current-mfa-fatigue-attack-campaign-targeting-microsoft-office-365-users/
Submission: On May 31 via api from US — Scanned from DE

Text Content

CURRENT MFA FATIGUE ATTACK CAMPAIGN TARGETING MICROSOFT OFFICE 365 USERS

by Lisandro Ubiedo | Feb 14, 2022


 
Multi-factor Authentication or MFA (sometimes referred to as 2FA) is an
excellent way to protect your Office 365 accounts from attackers trying to gain
access to them. As a second form of protection, along with passwords, it
supplies another step in the process to verify the real identity of the user
trying to log in. There are many MFA options including SMS, One Time Passwords
(OTP) and push notifications from an app. And while the intent of these methods
is to provide extra protection, attackers have also begun to look for ways to
compromise what should be a security-enhancing practice. In this case, we are
examining MFA Fatigue by focusing on a current attack vector: Push Notification
Spamming. We'll describe what MFA fatigue is and how it is carried out, and
detail the steps for IT professionals to detect and mitigate it within their
organizations.

 


CURRENT ATTACK CAMPAIGNS

GoSecure Titan Labs identified new threat vectors using MFA Fatigue attacks
based on recent investigations. Our team has also observed a significant
increase in the number of attacks performed using this technique.

In the wild, highly motivated and known threat actors are actively using this
kind of method to penetrate Office 365 accounts and compromise entire
organizations. As app-based authentication mechanisms are increasingly adopted
as a safer way to authenticate a user (versus SMS or phone call), it is expected
that this tendency will grow in the future, and even be encouraged by Microsoft
itself.

 


WHAT IS MFA FATIGUE?

The term “MFA Fatigue” refers to the overload of notifications or prompts via
MFA applications, in multiple accounts, that the user receives during the day to
perform logins or approve different actions. It should not be confused with
“Password Fatigue” in which the user is overwhelmed with the number of passwords
or PINs they must remember for multiple accounts or events. MFA Fatigue and
Password Fatigue do share a similar theme, that the user is “fatigued” (or
overwhelmed by volume) and will start setting security best practices aside and
become careless, putting their organization and their accounts in danger of
compromise. 

As previously mentioned, MFA can use a diverse set of mediums to authenticate
the user, such as SMS messages or phone calls where the user authenticates their
identity via a pre-configured phone number. One Time Password or OTP is another
way to verify the user’s identity by generating a passcode that is updated in
fixed time intervals. Another choice is push notifications from an app. This is
the authentication method we are going to be focusing on, as it enables an
attacker to perform a push notification spamming attack.

 

WHAT IS PUSH NOTIFICATION SPAMMING?

This technique is simple as it only requires the attacker to manually, or even
automatically, send repeated push notifications while trying to log into the
victim’s account. The credentials used could be obtained via brute forcing,
password reuse or spraying. Once the attacker obtains valid credentials, they
will perform the push notification spamming repeatedly until the user approves
the login attempt and lets the attacker gain access to the account. This usually
happens because the user is distracted or overwhelmed by the notifications and,
in some cases, it can be misinterpreted as a bug or confused with other
legitimate authentication requests. 

This attack is particularly effective not because of the technology involved,
but because it targets the human factor of MFA. Many MFA users are not familiar
with this type of attack and would not understand they are approving a
fraudulent notification. Others just want to make it disappear and are simply
not aware of what they are doing since they approve similar notifications all
the time. They can’t see through the ‘notification overload’ to spot the
threat. 

 






 


HOW TO DETECT MULTIPLE PUSH NOTIFICATION ATTEMPTS IN MICROSOFT 365?

Luckily, this type of attack can be detected directly from the Azure portal by
inspecting the Sign-in Logs. We highly recommend that IT professionals take the
following steps: 

 1. Go to the Azure Active Directory administration center.
 2. Under Monitoring you will find Sign-in Logs, where information about
    users' sign-ins and resources is logged.
 3. Then filter the sign-in Status by Failure to obtain a list of denied MFA
    push notifications.
 4. From here, start investigating each activity individually by going to the
    Authentication Details.
 5. Multiple events should be seen as Mobile app notification under the
    Authentication Method column.
 6. Push notification spamming should show false under the Succeed column and
    MFA denied; user declined the authentication under Result detail.

 

LOG ANALYTICS & SENTINEL

Azure Log Analytics can also be used to query the sign-in logs in search of this
kind of behavior. A query like this can retrieve a lot of information that can
be used to detect these attacks:

SigninLogs 
| where TimeGenerated >= ago(31d) 
| where ResultType == 500121 
| where Status has "MFA Denied; user declined the authentication" 

This query should retrieve the entries found in the last month and can be
customized to retrieve even more results or create alert rules to be notified
based on the results of searches. 

If Azure Sentinel is in use, then hunting queries can be applied to also catch,
alert and even mitigate these attacks by implementing playbooks in response to
matches. Some examples can be found in the Azure Sentinel hunting queries
repository. 
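A burst-detection pass over exported sign-in records, as an added example (not code from the original post or from Microsoft): it takes the same MFA denials the query above selects, groups them per user, and reports bursts together with whether a successful sign-in followed. The record fields are assumed to follow the Microsoft Graph signIn shape; the sample data, `threshold` and `max_gap` are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MFA_DENIED_CODE = 500121  # same ResultType the Log Analytics query filters on
DENIED_DETAIL = "mfa denied; user declined the authentication"


def _rec(user, ts, code, detail, ip):
    """Build one constructed sign-in record (assumed Graph signIn field names)."""
    return {"userPrincipalName": user, "createdDateTime": ts, "ipAddress": ip,
            "status": {"errorCode": code, "additionalDetails": detail}}


_DENY = "MFA denied; user declined the authentication"
# Constructed sample data: example.com users and documentation IP ranges.
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "2022-02-10T08:59:40Z", 50126, None, "203.0.113.7"),
    _rec("alice@example.com", "2022-02-10T09:00:05Z", 500121, _DENY, "203.0.113.7"),
    _rec("alice@example.com", "2022-02-10T09:01:10Z", 500121, _DENY, "203.0.113.7"),
    _rec("alice@example.com", "2022-02-10T09:02:30Z", 500121, _DENY, "203.0.113.7"),
    _rec("alice@example.com", "2022-02-10T09:04:00Z", 500121, _DENY, "203.0.113.7"),
    _rec("alice@example.com", "2022-02-10T09:04:20Z", 0, None, "203.0.113.7"),
    _rec("bob@example.com", "2022-02-10T11:00:00Z", 500121, _DENY, "192.0.2.44"),
    _rec("bob@example.com", "2022-02-10T11:00:45Z", 0, None, "192.0.2.44"),
    _rec("carol@example.com", "2022-02-10T14:00:00Z", 500121, _DENY, "198.51.100.23"),
    _rec("carol@example.com", "2022-02-10T14:03:00Z", 500121, _DENY, "198.51.100.23"),
    _rec("carol@example.com", "2022-02-10T14:05:00Z", 500121, _DENY, "198.51.100.23"),
    _rec("carol@example.com", "2022-02-10T17:30:00Z", 0, None, "192.0.2.10"),
]


def _parse(ts):
    # Accept the trailing "Z" on Python versions where fromisoformat rejects it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_push_denial(rec):
    """True for a sign-in that failed because the user declined the MFA prompt."""
    status = rec.get("status") or {}
    detail = (status.get("additionalDetails") or "").lower()
    return status.get("errorCode") == MFA_DENIED_CODE and DENIED_DETAIL in detail


def _bursts(events, max_gap):
    """Split time-sorted events into runs whose consecutive gaps are <= max_gap."""
    burst = []
    for ev in events:
        if burst and ev[0] - burst[-1][0] > max_gap:
            yield burst
            burst = []
        burst.append(ev)
    if burst:
        yield burst


def find_push_spam(signins, threshold=3, max_gap=timedelta(minutes=10)):
    """Report per-user bursts of >= threshold declined MFA prompts.

    approved_after_burst is True when the same user has a successful sign-in
    (errorCode 0) during the burst or within max_gap after its last denial,
    which is the pattern to triage first.
    """
    denials, successes = defaultdict(list), defaultdict(list)
    for rec in signins:
        user = rec["userPrincipalName"].lower()
        event = (_parse(rec["createdDateTime"]), rec.get("ipAddress"))
        if is_push_denial(rec):
            denials[user].append(event)
        elif (rec.get("status") or {}).get("errorCode") == 0:
            successes[user].append(event)

    findings = []
    for user, events in denials.items():
        events.sort(key=lambda e: e[0])
        for burst in _bursts(events, max_gap):
            if len(burst) < threshold:
                continue  # a single declined prompt is usually a user mistake
            first, last = burst[0][0], burst[-1][0]
            approved = any(first < t <= last + max_gap for t, _ in successes[user])
            findings.append({
                "user": user,
                "denials": len(burst),
                "first": first,
                "last": last,
                "source_ips": sorted({ip for _, ip in burst if ip}),
                "approved_after_burst": approved,
            })
    # Bursts that ended in an approval come first, then the noisiest ones.
    return sorted(findings, key=lambda f: (not f["approved_after_burst"], -f["denials"]))


if __name__ == "__main__":
    for f in find_push_spam(SAMPLE_SIGNINS):
        print(f["user"], f["denials"], f["source_ips"], f["approved_after_burst"])
```
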

 


HOW TO MITIGATE PUSH NOTIFICATION SPAMMING

There are many ways to mitigate this type of attack. Here, we are going to
highlight some of them so that M365 administrators can choose whatever fits
their needs. We are going to focus on push notifications, since password
complexity rules and password reuse mitigations should already be in place.

 

CONFIGURING SERVICE LIMITS 

One effective way to protect your Microsoft 365 accounts against this attack is
to configure the default limits of the Multi-Factor Authentication service.
These limits, both default and maximum, can be found in Azure Resource Manager
documentation. 

 

PHONE SIGN-IN 

A user can help prevent inadvertent access to their account by using the
Microsoft Authenticator's phone sign-in verification method. In this scenario, a
unique two-digit number is generated and must be confirmed on both sides. This
is very hard for an attacker to compromise, since the attacker is shown a number
that must then be picked on the phone (which the attacker doesn't have access
to). Only the attacker knows the number, so to approve access the user would
have to guess it out of three options, which reduces the chance of approving a
fraudulent request. Here you can learn more about this verification method.

 


Courtesy of Microsoft.



 

DISABLE PUSH NOTIFICATIONS AS VERIFICATION METHOD 

This is a radical move, but a quick solution, as it will disable the use of push
notifications as a verification method. These are the steps to make this change:

 1. Go to the Azure Active Directory administration center. 
 2. Select Per-user MFA.
 3. Under Multi-factor Authentication at the top of the page, select Service
    Settings.
 4. On the Service Settings page, under verification options, clear the
    Notification through mobile app checkbox.
 5. Then click Save.

 


CONCLUSION 

As we discussed in this post, MFA Fatigue is a real concern with the potential
to compromise Microsoft Office 365 accounts, but there are many ways to protect
ourselves from MFA Fatigue and the current rise in Push Notification Spamming
attacks. To learn more about GoSecure Titan Labs' latest updates and research,
check this blog regularly and follow GoSecure on Twitter and LinkedIn.


