MFA Spamming

In today's digital landscape, traditional password-only authentication systems have proven to be vulnerable to a wide range of cyberattacks. To safeguard critical business resources, organizations are increasingly turning to multi-factor authentication (MFA) as a more robust security measure. MFA requires users to provide multiple authentication factors to verify their identity, providing an additional layer of protection against unauthorized access.

However, cybercriminals are relentless in their pursuit of finding ways to bypass MFA systems. One such method gaining traction is MFA spamming attacks, also known as MFA fatigue, or MFA bombing. This article delves into MFA spamming attacks, including the best practices to mitigate this growing threat.

What is MFA spamming?

MFA spamming refers to the malicious act of inundating a target user's email, phone, or other registered devices with numerous MFA prompts or confirmation codes. The objective behind this tactic is to overwhelm the user with notifications, in the hopes that they will inadvertently approve an unauthorized login. To execute this attack, hackers require the target victim's account credentials (username and password) to initiate the login process and trigger the MFA notifications.

MFA spamming attack techniques

There are various methods employed to execute MFA spamming attacks, including:

  1. Utilizing automated tools or scripts to flood the targeted victims' devices with a high volume of verification requests.
  2. Employing social engineering tactics to deceive the target user into accepting a verification request.
  3. Exploiting the API of the MFA system to send a substantial number of false authentication requests to the target user.

By employing these techniques, attackers aim to exploit any unintentional approvals, ultimately gaining unauthorized access to sensitive information or accounts.

Examples of MFA spamming attack

Hackers increasingly leverage MFA spamming attack to bypass MFA systems. Here are two noticeable cyberattacks executed using this technique:

  • Between March and May 2021, hackers circumvented the Coinbase company's SMS multi-factor authentication, which is considered one of the largest cryptocurrency exchange companies worldwide, and stole cryptocurrencies from over 6,000 customers
  • In 2022, hackers flooded Crypto.com customers with a large number of notifications to withdraw money from their wallets. Many customers approve the fraudulent transaction requests inadvertently, leading to a loss of 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other cryptocurrencies

How to mitigate MFA spamming attacks

Mitigating MFA spamming attacks necessitates the implementation of technical controls and the enforcement of relevant MFA security policies. Here are some effective strategies to prevent such attacks.

Enforce strong password policies and block breach passwords

For the MFA spamming attack to be successful, the attacker must first obtain the login credentials of the target user. Hackers employ various methods to acquire these credentials, including brute force attacks, phishing emails, credential stuffing, and purchasing stolen/breached credentials from the dark web.

The first line of defense against MFA spamming is securing your users' passwords. Specops Password Policy with Breached Password Protection helps prevent users from utilizing compromised credentials, thereby reducing the risk of attackers gaining unauthorized access to their accounts.

End-user training

Your organization's end-user training program should emphasize the importance of carefully verifying MFA login requests before approving them. If users encounter a significant number of MFA requests, it should raise suspicion and serve as a potential clue of a targeted cyberattack. In such cases, it is crucial to educate users about the immediate action they should take, which includes resetting their account credentials as a precautionary measure and notifying security teams. By leveraging a self-service password reset solution like Specops uReset, end-users gain the ability to swiftly change their passwords, effectively minimizing the window of opportunity for MFA spamming attacks.

Rate limiting

Organizations should implement rate-limiting mechanisms that restrict the number of authentication requests allowed from a single user account within a specific time frame. By doing so, automated scripts or bots are unable to overwhelm users with an excessive number of requests.

Monitoring and alerting

Implement robust monitoring systems to detect and alert on unusual patterns of MFA requests. This can help identify potential spamming attacks in real-time, and allow for immediate action to be taken.

Key takeaways

To effectively protect against MFA spamming, organizations must prioritize robust security practices. One effective tactic is to strengthen password policies and block the use of compromised passwords. Implementing a solution like Specops Password Policy's Breached Password Protection feature can help organizations achieve this.

Try it free here and see how you can enhance your password security and safeguard your organization against MFA spamming attacks.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.