gosecure.ai
141.193.213.11
Public Scan
Submitted URL: https://www.gosecure.net/blog/2022/02/14/current-mfa-fatigue-attack-campaign-targeting-microsoft-office-365-users/
Effective URL: https://gosecure.ai/blog/2022/02/14/current-mfa-fatigue-attack-campaign-targeting-microsoft-office-365-users/
Submission: On May 31 via api from US — Scanned from DE
Text Content
CURRENT MFA FATIGUE ATTACK CAMPAIGN TARGETING MICROSOFT OFFICE 365 USERS

by Lisandro Ubiedo | Feb 14, 2022

Multi-factor Authentication or MFA (sometimes referred to as 2FA) is an excellent way to protect your Office 365 accounts from attackers trying to gain access to them. As a second form of protection, along with passwords, it supplies another step in the process to verify the real identity of the user trying to log in. There are many MFA options including SMS, One Time Passwords (OTP) and push notifications from an app. And while the intent of these methods is to provide extra protection, attackers have also begun to look for ways to compromise what should be a security-enhancing practice. In this case, we are examining MFA Fatigue by focusing on a current attack vector: Push Notification Spamming. We’ll describe what MFA fatigue is, how it is carried out and detail the steps for IT professionals to detect and mitigate it within their organizations.

CURRENT ATTACK CAMPAIGNS

GoSecure Titan Labs identified new threat vectors using MFA Fatigue attacks based on recent investigations. Our team has also observed a significant increase in the number of attacks performed using this technique. In the wild, highly motivated and known threat actors are actively using this kind of method to penetrate Office 365 accounts and compromise entire organizations. As app-based authentication mechanisms are increasingly adopted as a safer way to authenticate a user (versus SMS or phone call), it is expected that this tendency will grow in the future, and even be encouraged by Microsoft itself.

WHAT IS MFA FATIGUE?

The term “MFA Fatigue” refers to the overload of notifications or prompts via MFA applications, in multiple accounts, that the user receives during the day to perform logins or approve different actions. It should not be confused with “Password Fatigue”, in which the user is overwhelmed with the number of passwords or PINs they must remember for multiple accounts or events.

MFA Fatigue and Password Fatigue do share a similar theme, that the user is “fatigued” (or overwhelmed by volume) and will start setting security best practices aside and become careless, putting their organization and their accounts in danger of compromise.

As previously mentioned, MFA can use a diverse set of mediums to authenticate the user, such as SMS messages or phone calls where the user authenticates their identity via a pre-configured phone number. One Time Password or OTP is another way to verify the user’s identity by generating a passcode that is updated in fixed time intervals. Another choice is push notifications from an app. This is the authentication method we are going to be focusing on, as it enables an attacker to perform a push notification spamming attack.

WHAT IS PUSH NOTIFICATION SPAMMING?

This technique is simple as it only requires the attacker to manually, or even automatically, send repeated push notifications while trying to log into the victim’s account. The credentials used could be obtained via brute forcing, password reuse or spraying. Once the attacker obtains valid credentials, they will perform the push notification spamming repeatedly until the user approves the login attempt and lets the attacker gain access to the account. This usually happens because the user is distracted or overwhelmed by the notifications and, in some cases, it can be misinterpreted as a bug or confused with other legitimate authentication requests.

This attack is particularly effective not because of the technology involved, but because it targets the human factor of MFA. Many MFA users are not familiar with this type of attack and would not understand they are approving a fraudulent notification. Others just want to make it disappear and are simply not aware of what they are doing since they approve similar notifications all the time. They can’t see through the ‘notification overload’ to spot the threat.

HOW TO DETECT MULTIPLE PUSH NOTIFICATIONS ATTEMPTS IN MICROSOFT 365?

Luckily, this type of attack can be detected directly from the Azure portal by inspecting the Sign-in Logs. We highly recommend that IT professionals take the following steps:

1. Go to the Azure Active Directory administration center.
2. Under Monitoring you will find Sign-in Logs, where the information about users’ sign-ins and resources is logged.
3. Then filter the sign-in Status by Failure to obtain a list of denied MFA push notifications.
4. From here, start investigating each activity individually by going to the Authentication Details.
5. Multiple events should be seen as Mobile app notification under the Authentication Method column.
6. Push notification spamming attempts should show false under the Succeed column and MFA denied; user declined the authentication under Result detail.

LOG ANALYTICS & SENTINEL

Azure Log Analytics can also be used to query the logs in search of this kind of behavior. A query like this can retrieve a lot of information that can be used to detect these attacks:

    SigninLogs
    | where TimeGenerated >= ago(31d)
    | where ResultType == 500121
    | where Status has "MFA Denied; user declined the authentication"

This query should retrieve the entries found in the last month and can be customized to retrieve even more results or to create alert rules that notify you based on the results of searches. If Azure Sentinel is in use, then hunting queries can also be applied to catch, alert on and even mitigate these attacks by implementing playbooks in response to matches. Some examples can be found in the Azure Sentinel hunting queries repository.

HOW TO MITIGATE PUSH NOTIFICATION SPAMMING

There are many ways to mitigate this type of attack. Here, we are going to highlight some of them so that M365 administrators can choose whatever fits their needs. We are going to focus on push notifications, since password complexity rules and password reuse mitigations should already be in place.

CONFIGURING SERVICE LIMITS

One effective way to protect your Microsoft 365 accounts against this attack is to configure the default limits of the Multi-Factor Authentication service. These limits, both default and maximum, can be found in Azure Resource Manager documentation.

PHONE SIGN-IN

A user can help prevent inadvertent access to their account by using the Microsoft Authenticator’s phone sign-in verification method. In this scenario, a unique two-digit number is generated and must be confirmed on both sides. This is very hard for an attacker to compromise since the attacker is shown a number that must be guessed on the phone (which the attacker doesn’t have access to). Only the attacker will know the number and, to approve access, the user would have to pick a number out of three options. This diminishes the chance of approving said access. Here you can learn more about this verification method.

Courtesy of Microsoft.

DISABLE PUSH NOTIFICATIONS AS VERIFICATION METHOD

This is a radical move, but a quick solution, as it will disable the use of push notifications as a verification method. These are the steps to make this change:

1. Go to the Azure Active Directory administration center.
2. Select Per-user MFA.
3. Under Multi-factor Authentication at the top of the page, select Service Settings.
4. On the Service Settings page, under verification options, clear the Notification through mobile app checkbox.
5. Then click Save.

CONCLUSION

As we discussed in this post, MFA Fatigue is a real concern with potential implications for the compromise of Microsoft Office 365 accounts, but there are many ways to protect ourselves from MFA Fatigue and the current rise in Push Notification Spamming attacks.

To learn more about GoSecure Titan Labs’ latest updates and research, check this blog regularly and follow GoSecure on Twitter and LinkedIn.
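
The detection steps and the Log Analytics query in this post match denied push notifications one event at a time. The following added example (not from the original post or from GoSecure) groups exported sign-in records per user to surface runs of denied pushes and to flag runs that were followed by a successful sign-in. The record keys mirror SigninLogs column names except ResultDetail, which is an assumed key for the portal's "Result detail"; the gap, threshold and follow-up values and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DENIED_CODE = "500121"  # ResultType filtered on in the article's query
DENIED_DETAIL = "mfa denied; user declined the authentication"
SUCCESS_CODE = "0"      # ResultType of a successful sign-in
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def is_denied_push(record):
    """True for a sign-in that failed because the user declined the MFA push."""
    detail = record.get("ResultDetail", "").lower()
    return str(record["ResultType"]) == DENIED_CODE and DENIED_DETAIL in detail


def find_push_bursts(records, gap=timedelta(minutes=2), threshold=5,
                     followup=timedelta(minutes=15)):
    """Report runs of denied pushes per user.

    A run is a sequence of denied pushes in which each one follows the previous
    within `gap`. Runs shorter than `threshold` are ignored. `approved_after`
    is True when a successful sign-in occurs within `followup` of the run's
    last denial, which is the case that needs immediate response.
    """
    denied, succeeded = defaultdict(list), defaultdict(list)
    for record in records:
        user = record["UserPrincipalName"].lower()
        when = datetime.strptime(record["TimeGenerated"], TIME_FORMAT)
        if is_denied_push(record):
            denied[user].append((when, record.get("IPAddress", "")))
        elif str(record["ResultType"]) == SUCCESS_CODE:
            succeeded[user].append(when)

    findings = []
    for user, hits in denied.items():
        hits.sort()
        run = [hits[0]]
        for hit in hits[1:] + [None]:  # the trailing None flushes the last run
            if hit is not None and hit[0] - run[-1][0] <= gap:
                run.append(hit)
                continue
            if len(run) >= threshold:
                last = run[-1][0]
                findings.append({
                    "user": user,
                    "count": len(run),
                    "first": run[0][0],
                    "last": last,
                    "source_ips": sorted({ip for _, ip in run if ip}),
                    "approved_after": any(
                        last <= t <= last + followup for t in succeeded[user]),
                })
            run = [hit]
    # Runs followed by a successful sign-in first, then the largest runs.
    findings.sort(key=lambda f: (not f["approved_after"], -f["count"], f["user"]))
    return findings


def build_sample():
    """Constructed sign-in records; users and addresses are placeholders."""
    base = datetime(2022, 2, 14, 9, 0, 0)
    denied = "MFA denied; user declined the authentication"

    def rec(user, offset_s, code, detail="", ip="203.0.113.10"):
        when = base + timedelta(seconds=offset_s)
        return {"TimeGenerated": when.strftime(TIME_FORMAT),
                "UserPrincipalName": user, "ResultType": code,
                "ResultDetail": detail, "IPAddress": ip}

    rows = [rec("alice@example.com", 60 * i, "500121", denied) for i in range(6)]
    rows.append(rec("alice@example.com", 420, "0"))  # approval after the run
    rows += [rec("carol@example.com", 30 * i, 500121, denied, ip="198.51.100.7")
             for i in range(5)]
    rows += [rec("bob@example.com", 0, "500121", denied),
             rec("bob@example.com", 3600, "500121", denied),
             rec("bob@example.com", 10, "50126", "Invalid username or password")]
    return rows


SAMPLE = build_sample()

if __name__ == "__main__":
    for finding in find_push_bursts(SAMPLE):
        print(finding)
```

A run with approved_after set should be treated as a likely account takeover and handled first; runs without it still indicate that the account's password is known to someone else.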