3 Ways to Mitigate MFA Prompt Bombing Attacks

It’s the middle of the night and your phone keeps waking you up with continuous MFA push notifications to authenticate access to one of your work accounts. While your first thought might be to accept and authenticate the access so you can go back to sleep, this action might result in your organization falling to a cyber-attack. This style of attack is referred to as MFA prompt bombing. While this form of attack on organizations has started to grab headlines, it’s not new and many users and their security teams are less aware of the new attack technique. In this blog post, we will provide an overview of how MFA prompt bombing attacks work, the challenges they provide, and Silverfort’s proactive recommendations.

What is MFA prompt bombing?

MFA prompt bombing is a low-complexity attack by cybercriminals where the goal is to gain access to a system or application that is protected by MFA. The attacker will send many MFA approval requests to a user in a short period of time hoping that the user will be irritated by the numerous MFA requests and will unknowingly give the attacker access. On most occasions, the attacker will target the user at an inopportune time, allowing for a more successful rate of unauthorized access.

Although MFA prompt bombing has been around for several years, attackers are now deploying these methods of attacks at a more frequent pace. While attackers continue to deploy this attack technique to many users within an organization until a user accepts the authentication request which bypasses standard MFA protection. The security industry sees MFA prompt bombing as a form of social engineering.

While social engineering is usually associated with spear-phishing emails, it refers to any manipulation of human weakness.

No matter the level of annoyance created by MFA prompt bombing, the objective of the attacker is that the targeted user will accept the MFA request and provide the attackers access to accounts or the opportunity to run malicious code on a target system.

MFA Prompt Bombing in Action

Despite MFA prompt bombing being a well-known attack vector its popularity by attackers has only risen over the past two years. The most recent and most popular successful attack of MFA prompt bombing was executed by Lapsus$. The group highlighted the weaknesses of certain MFA options with more specific attention to MFA push approval notifications. Their recent successful attacks were achieved by bombing the user with MFA requests until the user approved the MFA request to make it stop.

A member of Lapsus$ wrote on the group’s official Telegram chat channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

User Experience and Security Balance

Due to the increasing amount of attention on MFA prompt bombing attacks, some organizations have decided to disable MFA push notifications for authentication requests and in place have enforced one-time passwords (OTP). While OTP is designed to make it much harder for attackers to gain access to sensitive information and resources it creates a worse user experience. OTP requires users to provide additional credentials such as a numeric code sent by SMS that would allow the user to gain access to the different resources that they are trying to access.

While OTP might be a bit more secure than push notifications, it worsens the user experience. Organizations need to find the right balance of user experience and security to ensure their users don’t experience MFA fatigue and don’t put the user and organization security at risk. Instead of disabling OTP, we believe the ideal method for organizations is to automatically deny the push MFA notifications when exceeding a certain number of notifications. The idea is that a user will only see a few MFA notifications, and their IT security team will see all the bombarding of MFA requests in the user’s activity logs.

Silverfort Tackles MFA Prompt Bombing

When balancing the right amount of security and user experience for MFA protection, push notifications is the recommended solution. However, it needs to be implemented with the right amount of security measures in place to ensure that users won’t fall to incoming identity-based attacks. At Silverfort we provide our customers with three different techniques to protect against incoming MFA prompt bombing attacks.

1. Adaptive blocking – Silverfort customers can ensure that after a certain amount of denied MFA requests in a short time frame, the user stops being prompted and is denied automatically. Customers can configure The adaptive blocking capability in the Silverfort admin console is always on by default and can be found under Settings and Company Info. Be sure to select parameters that would stop an attacker but wouldn’t lock out a user that accidentally denied an MFA request for too long.
2. Create risk-based policies – From version 4.1 and onwards of the Silverfort platform, users can create risked-based policies that will detect and prevent any abnormal MFA activity risks if they get an unusual number of MFA requests in a short period of time. By setting up risk-based policies from the Silverfort admin console, admins can ensure that unauthorized user access will be blocked from organizational resources.
3. Monitor for blocked MFA requests – Inside the Silverfort admin console or their SOC/SIEM, customers should monitor every access request of all users and machine accounts, especially the denied MFA requests. Silverfort automatically identifies malicious activity and risks of all user authentication requests and can provide detailed information on every denied MFA request. Admin users can monitor all access requests in the Silverfort platform by forwarding Syslog events to their SIEM or by creating daily reports from the Silverfort logs page.

By following and implementing our recommendations will highly increase resilience against incoming MFA prompt bombing attacks and would void an attacker’s ability to easily exploit their targets for further malicious access.

Silverfort has pioneered the first Identity Threat Protection platform purpose-built for real-time prevention, detection, and response to identity-based attacks that utilize compromised credentials to access targeted resources. Silverfort prevents these attacks through continuous monitoring, risk analysis, and real-time enforcement of Zero Trust access policies on every user, system, and environment on-prem and in the cloud. This includes end-to-end MFA protection, as well as continuous monitoring of all authentications both on-prem and in the cloud.

Learn more about Silverfort identity threat protection.