Stop MFA Fatigue with Additional Context and Number Matching for Microsoft Authenticator
Last week, Uber confirmed a major cybersecurity attack that compromised its internal communications and engineering systems. The company believes that someone affiliated with the hacking group Lapsus$ leveraged the MFA fatigue attack technique to compromise an Uber employee account.
According to the New York Times, the hackers social engineered the company’s worker after discovering his WhatsApp number. The intruders sent a direct message to the employee pretending to be an Uber IT staffer. They used the phishing technique to steal passwords and repeatedly sent multifactor authentication (MFA) login notifications. The Uber employee eventually accepted one of those login requests.
After gaining initial access, the attackers sent messages to a company-wide Slack channel announcing the massive security breach and reconfigured Uber’s OpenDNS. The screenshots revealed that the hackers had access to various internal systems, including G Suite accounts, Amazon Web Services, and code repositories.
What is MFA fatigue?
An MFA fatigue attack is “the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving.” Threat actors are increasingly using this technique to target large organizations, such as Microsoft and Cisco.
How to enable additional context in the Azure AD portal to block MFA fatigue attacks
Security researchers have advised organizations to add additional context (such as the application name and geographic location) in MFA push notifications to prevent MFA fatigue attacks. It is also recommended to combine additional context with number matching to boost sign-in security.
IT admins can enable additional context in the Azure AD portal by following the steps listed below:
- Log in to the Azure AD portal and navigate to Security >> Authentication methods >> Microsoft Authenticator.
- Select the Basics tab, click the Yes and All users options, and then set the Authentication mode to Any.
- In the Configure tab, navigate to the “Show application name in push and passwordless notifications” section and change its Status to Enabled. Choose users to include or exclude from the policy and click the Save button.
- Repeat the same process for “Show geographic location in push and passwordless notifications.”
It is important to note that IT admins can only enforce this policy on Microsoft Authenticator users. This means that those who have not been enrolled won’t be able to see the application name or geographic location. Moreover, additional context supported is not available for Active Directory Federation Services (AD FS) and Network Policy Server (NPS).
More in Security
Git Releases New Security Updates to Block Remote Code Execution Attacks
Jan 18, 2023 | Rabia Noureen
PyTorch Discloses Internal Dependency Compromised with Malicious Code
Jan 4, 2023 | Rabia Noureen
How to Create Conditional Access Policies using PowerShell
Jan 4, 2023 | Liam Cleary
Bitwarden – An Open-Source Alternative to LastPass for Business and Personal Use
Jan 3, 2023 | Russell Smith
LastPass Confirms Hackers Stole Personal Data and Encrypted Password Vaults
Dec 23, 2022 | Rabia Noureen
How Does eDiscovery Work Within Microsoft 365?
Dec 23, 2022 | Liam Cleary
Most popular on petri