Social engineering is a common technique used by threat actors to gain access to corporate credentials and breach an organization’s network. To combat this, organizations have increasingly adopted multi-factor authentication to prevent users from logging in without an additional form of verification. As a result, threat actors have started counteracting this technical control with a technique known as MFA Fatigue.
When an organization’s MFA configuration includes push notifications, a prompt is displayed on the user’s mobile device whenever an attempt to log in with their credentials is made. This prompt contains an approve button and a deny button; if the approve button is pushed, the MFA verification succeeds and the user’s account is logged in. MFA Fatigue occurs when a threat actor runs a script that continually attempts to log in with the stolen credentials, causing an endless stream of push notifications to be sent to the user’s device. The goal of this technique is to harass the user with MFA notifications until the user becomes fatigued enough to click approve. In some cases, the threat actor will also call the user pretending to be IT Support for the organization in order to convince them to approve the MFA prompt. Once the user approves the prompt, the threat actor gains access to the organization’s network.
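The pattern described above (a burst of denied or unanswered push prompts, sometimes followed by a single approval) is visible in authentication logs, which makes it detectable. The following is an added example written for this article, not code from the original page or from any MFA vendor; it assumes a hypothetical log format (one JSON object per line with `ts`, `user` and `result` fields, constructed here) and uses an arbitrary threshold of five non-approved pushes within ten minutes. It raises a medium-severity alert when a user is flooded with prompts they do not approve, and a high-severity alert when a prompt is approved after such a flood, which is the outcome the technique aims for.

```python
"""Detect an MFA Fatigue pattern in push-authentication logs (added example).

Hypothetical log format, constructed for this example and not any vendor's schema:
one JSON object per line with "ts" (ISO 8601, UTC), "user", and "result" in
{"approved", "denied", "timeout"}.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice receives six unanswered pushes in a few minutes and
# then approves one (the fatigue outcome); bob shows normal, spaced-out activity;
# carol is flooded but never approves.
SAMPLE_LOG = """\
{"ts": "2024-05-01T02:10:00Z", "user": "alice", "result": "denied"}
{"ts": "2024-05-01T02:10:20Z", "user": "alice", "result": "denied"}
{"ts": "2024-05-01T02:10:45Z", "user": "alice", "result": "timeout"}
{"ts": "2024-05-01T02:11:05Z", "user": "alice", "result": "denied"}
{"ts": "2024-05-01T02:11:30Z", "user": "alice", "result": "timeout"}
{"ts": "2024-05-01T02:12:00Z", "user": "alice", "result": "denied"}
{"ts": "2024-05-01T02:13:10Z", "user": "alice", "result": "approved"}
{"ts": "2024-05-01T09:00:00Z", "user": "bob", "result": "approved"}
{"ts": "2024-05-01T09:30:00Z", "user": "bob", "result": "denied"}
{"ts": "2024-05-01T14:00:00Z", "user": "bob", "result": "approved"}
{"ts": "2024-05-01T20:00:00Z", "user": "carol", "result": "denied"}
{"ts": "2024-05-01T20:01:00Z", "user": "carol", "result": "timeout"}
{"ts": "2024-05-01T20:02:00Z", "user": "carol", "result": "denied"}
{"ts": "2024-05-01T20:03:00Z", "user": "carol", "result": "denied"}
{"ts": "2024-05-01T20:04:00Z", "user": "carol", "result": "timeout"}
"""

NOT_APPROVED = {"denied", "timeout"}


def parse_log(text):
    """Parse the hypothetical JSON-lines format into (timestamp, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, rec["user"], rec["result"]))
    events.sort()
    return events


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window detection per user.

    A burst starts when `threshold` non-approved pushes land inside `window`.
    An approval while a burst is active is reported as 'high'; a burst that
    ends without approval is reported as 'medium'. Threshold and window are
    example values and must be tuned to the environment.
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))

    alerts = []
    for user, user_events in by_user.items():
        unanswered = []   # timestamps of denied/timeout pushes still inside the window
        burst, peak = False, 0
        for ts, result in user_events:
            # Expire pushes that fell out of the window before this event.
            unanswered = [t for t in unanswered if ts - t <= window]
            if burst and not unanswered:
                # The flood stopped without an approval.
                alerts.append({"user": user, "severity": "medium", "pushes": peak, "approved_at": None})
                burst = False
            if not unanswered:
                peak = 0
            if result in NOT_APPROVED:
                unanswered.append(ts)
                peak = max(peak, len(unanswered))
                if len(unanswered) >= threshold:
                    burst = True
            elif result == "approved" and burst:
                # The user gave in after the flood: the outcome the attacker wanted.
                alerts.append({"user": user, "severity": "high", "pushes": peak, "approved_at": ts})
                burst, peak, unanswered = False, 0, []
        if burst:
            alerts.append({"user": user, "severity": "medium", "pushes": peak, "approved_at": None})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this reports alice as high severity (six unanswered pushes followed by an approval) and carol as medium severity (five unanswered pushes, no approval), while bob produces nothing. A high-severity alert is the one worth an immediate response, since it means a session was granted under exactly the conditions the technique creates.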
This social engineering technique has proven very effective in breaching large and well-known organizations, having been used by threat actor groups such as Lapsus$. Because of this, it is likely that other threat actor groups will adopt it as an effective method for bypassing MFA in a target organization.