
September 28, 2022 | By christa

Understanding and Avoiding MFA Prompt Bombing

Multi-factor authentication (MFA) is being implemented by many businesses to improve their security, but hackers are constantly developing new methods of bypassing this measure. Despite the widespread adoption of MFA, hackers have returned their focus to the process’s weakest link—the human element—developing novel social engineering-based intrusion strategies.

One of the most compelling examples of how not all MFA solutions are equally secure is “prompt bombing,” in which an attacker repeatedly triggers the login flow so that the targeted user receives a stream of MFA authentication requests. This social engineering tactic has recently gained a lot of attention due to its successful deployment by cybercriminal groups. Read on to learn more.

MFA Prompt Bombing In Recent News

According to new information revealed by Uber, the Lapsus$ hacking organization was responsible for the large breach that occurred at Uber this month (September 2022). Experts say the incident shows the dangers of putting too much faith in multi-factor authentication and the unmanaged risks associated with cloud services.

With the same tactic, Lapsus$ hackers allegedly stole 37GB of source code for Bing, Cortana, and other projects from Microsoft’s internal Azure DevOps server and released it to the public in March 2022.

In early 2021, also using MFA prompt bombing, a hacker known as APT 29 infiltrated SolarWinds’ build infrastructure for its Orion network monitoring software, allowing it to spread a backdoor to 18,000 clients in the public and private sectors.

All of these attacks bypassed MFA because they tricked users into thinking they were acknowledging an MFA request.

How To Avoid MFA Prompt Bombing Attacks

Strategies for MFA bombing include:

  • Bombarding the recipient with MFA requests in the hopes that they’ll accept one of them and the ordeal will end.
  • Sending less frequent (yet still effective) reminders, such as one or two daily.
  • Pretending to be from the company and calling targets to inform them they need to submit an MFA request as part of a routine process.

With these strategies in mind, it’s vital to treat multiple requests you did not initiate as a warning sign, because they mean something isn’t right.

Here are a few more tips to avoid an MFA prompt bombing attack:

  • Forgo unlimited retry attempts: Many out-of-the-box MFA solutions enable limitless attempts. But two failed authentications should be a red flag. Once questionable behavior is recognized, lock users, switch to another MFA method (if available), and/or issue alerts.
  • Include more context: Most authenticator apps provide minimal context regarding the request users must authorize. Providing the user’s location, device details, and application context while asking for approval can alert them to a problem so they can decline the request and report it.
  • Verify new and unknown MFA devices: With user-level access, attackers can add devices to a user’s MFA profile, allowing them to quickly gain and retain network access by approving MFA pushes or generating codes on actor-controlled devices. Review all new and unknown devices registered to your MFA service regularly.
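The three tips above, and the attacker patterns listed earlier (a burst of pushes, a low-and-slow drip of one or two a day), can be turned into detection rules over an identity provider's MFA event log. The following script is an added example written for this page, not code from LeadingIT or from any MFA vendor. The event format, the thresholds (other than the two-failure rule the post states) and the sample log are all constructed assumptions; the export format of a real IdP will differ.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds. MAX_FAILED_STREAK follows the post ("two failed authentications
# should be a red flag"); the other values are assumed, tune them to your logs.
MAX_FAILED_STREAK = 2
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 5        # pushes inside one window that count as bombing
SLOW_DRIP_DAYS = 3         # distinct days with pushes that were never approved


@dataclass(frozen=True)
class Alert:
    user: str
    kind: str        # "failed_streak" | "burst" | "slow_drip" | "new_device"
    detail: str
    lock_user: bool  # True: lock the user, switch factor if possible, and page the SOC


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def failed_streak(events):
    """Longest run of denied/expired pushes since the last approval."""
    streak, worst = 0, 0
    for e in events:
        if e["type"] in ("push_denied", "push_expired"):
            streak += 1
            worst = max(worst, streak)
        elif e["type"] == "push_approved":
            streak = 0
    return worst


def burst_count(events):
    """Largest number of push_sent events inside any BURST_WINDOW (events sorted by time)."""
    sent = [e["ts"] for e in events if e["type"] == "push_sent"]
    best, start = 0, 0
    for end in range(len(sent)):
        while sent[end] - sent[start] > BURST_WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def slow_drip_days(events):
    """Distinct days on which a push was sent but nothing was approved that day."""
    sent_days = {e["ts"].date() for e in events if e["type"] == "push_sent"}
    approved_days = {e["ts"].date() for e in events if e["type"] == "push_approved"}
    return len(sent_days - approved_days)


def unknown_devices(events, known):
    """Newly enrolled MFA devices that are not on the user's record."""
    return [e["device"] for e in events
            if e["type"] == "device_enrolled" and e["device"] not in known]


def analyze(events, known_devices):
    """Run all four rules per user and return the alerts; known_devices maps user -> set."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        per_user[e["user"]].append(e)
    alerts = []
    for user, evs in per_user.items():
        s = failed_streak(evs)
        if s >= MAX_FAILED_STREAK:
            alerts.append(Alert(user, "failed_streak", f"{s} consecutive denied/expired pushes", True))
        b = burst_count(evs)
        if b >= BURST_THRESHOLD:
            alerts.append(Alert(user, "burst", f"{b} pushes within {BURST_WINDOW}", True))
        d = slow_drip_days(evs)
        if d >= SLOW_DRIP_DAYS:
            alerts.append(Alert(user, "slow_drip", f"unapproved pushes on {d} separate days", False))
        for dev in unknown_devices(evs, known_devices.get(user, set())):
            alerts.append(Alert(user, "new_device", f"MFA device {dev} enrolled but not on record", False))
    return alerts


def sample_events():
    """Constructed MFA log for demonstration; not real data."""
    def ev(ts, user, type_, device="phone-1"):
        return {"ts": _ts(ts), "user": user, "type": type_, "device": device}
    return [
        # alice: six pushes in eight minutes, two of them denied
        ev("2022-09-15 02:00", "alice", "push_sent"), ev("2022-09-15 02:01", "alice", "push_denied"),
        ev("2022-09-15 02:02", "alice", "push_sent"), ev("2022-09-15 02:03", "alice", "push_denied"),
        ev("2022-09-15 02:04", "alice", "push_sent"), ev("2022-09-15 02:05", "alice", "push_sent"),
        ev("2022-09-15 02:06", "alice", "push_sent"), ev("2022-09-15 02:08", "alice", "push_sent"),
        # bob: one push per day for three days, each left to expire
        ev("2022-09-12 09:10", "bob", "push_sent"), ev("2022-09-12 09:11", "bob", "push_expired"),
        ev("2022-09-13 09:14", "bob", "push_sent"), ev("2022-09-13 09:15", "bob", "push_expired"),
        ev("2022-09-14 09:09", "bob", "push_sent"), ev("2022-09-14 09:10", "bob", "push_expired"),
        # carol: a normal login, then a device enrolled that is not on record
        ev("2022-09-14 08:00", "carol", "push_sent"), ev("2022-09-14 08:00", "carol", "push_approved"),
        ev("2022-09-14 08:05", "carol", "device_enrolled", device="phone-unknown-7"),
    ]


if __name__ == "__main__":
    for a in analyze(sample_events(), {"carol": {"phone-1"}}):
        print(f"[{'LOCK' if a.lock_user else 'REVIEW'}] {a.user}: {a.kind} - {a.detail}")
```

The burst and failed-streak rules are the ones worth wiring to an automatic lock plus a fallback factor; the slow-drip and new-device rules produce more noise and are better routed to a review queue, since a single unapproved push a day can also be a user who simply walked away from a login.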

MFA Isn’t Immune To Attacks

MFA is a popular means of securing networks and individual accounts, but it’s not immune to cyber-attacks. Therefore, organizations must thoroughly vet their MFA solutions to minimize this threat. Most importantly, do NOT ignore multiple unintentional requests. It means that something isn’t right and that the business is at risk of a cyber-attack by means of MFA prompt bombing.


LeadingIT offers 24/7, all-inclusive, fast and friendly technology and cybersecurity support for nonprofits, manufacturers, schools, accounting firms, religious organizations, government, and law offices with 20-200 employees across the Chicagoland area.
