MFA has become the industry standard for any authentication that grants access to the network from external locations. It’s not uncommon to see articles online stating that “MFA prevents 99% of all credential attacks”. However, cybercriminals are always looking for ways to penetrate their targets’ defences, and MFA is no exception.
If you’re a business owner, the advice you’ve been given around MFA is likely “even if you gave up your credentials, an attacker still could not log in without your mobile phone”. And, to this day, this is true.
So how exactly can someone bypass your MFA security in your organization?
Well, it’s pretty simple; your users are only human. Think of a time when you’ve been focused on achieving a task on your computer. How often have you clicked “Next” or “OK” without reading the pop-up? This is the psychology that attackers are exploiting with MFA. It’s called “MFA Fatigue”. If an attacker has one of your users’ login credentials and attempts to sign in enough times (10, 50, 100 or more), the user’s mobile device pings with approval prompts over and over and doesn’t stop. The user naturally hits approve to silence the annoying sound. The less security-conscious user will think it’s just a glitch with the app and think nothing of it.
The result is that an attacker has bypassed two authentication factors and could be anywhere in the world, now holding an authenticated session to your mailbox and a full copy of its contents, free to do as they please.
What can we do to protect against this kind of attack?
In cyber security, it is widely known that the weakest link in your security posture is almost always your people. Therefore, it’s critical to ensure that you regularly train and inform your staff of standard IT practices. There are many ways to do this, but I’d recommend making security a part of your company culture, ethics, standards and way of life. Security is everyone’s job, whether you’re the CEO or the cleaner. Everyone is a target.
What can we do to prevent this kind of attack?
This depends on the technical controls you have at your disposal. If your emails are hosted in Office 365, you could leverage Intune to apply conditional access policies for your organisation. Conditional access allows you to configure policies that only allow logins to accounts when specific conditions are met; for example, requiring that the login comes from the UK, blocking logins that use legacy authentication, or blocking sign-ins from risky IP addresses.
Another option is to reconfigure your allowed MFA methods to accept only a PIN, so that the user must type the PIN in manually. This prevents the push flood from happening in the first place. However, it can be a less pleasant user experience having to open an app, read the number and then type it in.
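Alongside these controls, the flood itself is easy to spot in sign-in logs, because a legitimate user rarely denies or ignores five pushes in a row. The script below is an added example, not code from the original article: it scans a constructed, simplified push-result log (the three-column format and the result names mfa_denied, mfa_timeout and mfa_approved are assumptions, not a real Office 365 export) and flags any user who received five or more denied or timed-out pushes within ten minutes, marking the higher-priority case where an approval follows the flood, i.e. the moment described above when the user gives in.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events in a hypothetical simplified log format
# "<ISO timestamp> <user> <result>"; not a real Azure AD / Office 365 export.
SAMPLE_LOG = """\
2024-01-10T08:00:05 alice@example.com mfa_timeout
2024-01-10T08:00:40 alice@example.com mfa_denied
2024-01-10T08:01:12 alice@example.com mfa_timeout
2024-01-10T08:01:50 alice@example.com mfa_denied
2024-01-10T08:02:30 alice@example.com mfa_timeout
2024-01-10T08:03:05 alice@example.com mfa_approved
2024-01-10T08:05:00 bob@example.com mfa_denied
2024-01-10T09:30:00 bob@example.com mfa_approved
"""

WINDOW = timedelta(minutes=10)   # look-back window per user
THRESHOLD = 5                    # denied/timed-out pushes that count as a flood
NOT_APPROVED = {"mfa_denied", "mfa_timeout"}

def parse_log(text):
    """Parse log lines into (timestamp, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return sorted(events)

def find_push_floods(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: alert} for users with >= threshold unapproved pushes
    inside one window; 'approved_after_flood' means the user gave in."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    alerts = {}
    for user, seq in by_user.items():
        pending = []    # timestamps of unapproved pushes still inside the window
        alert = None
        for ts, result in seq:
            pending = [t for t in pending if ts - t <= window]
            if result in NOT_APPROVED:
                pending.append(ts)
                if len(pending) >= threshold:
                    alert = alert or {"approved_after_flood": False}
                    alert["pushes"] = len(pending)
            elif result == "mfa_approved" and alert and pending:
                alert["approved_after_flood"] = True   # approval inside the flood window
        if alert:
            alerts[user] = alert
    return alerts

if __name__ == "__main__":
    print(find_push_floods(parse_log(SAMPLE_LOG)))
```

On the sample log, alice is flagged with five unapproved pushes followed by an approval, while bob's single denial is ignored.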