Full Report
Multi-factor authentication (MFA) was supposed to close a critical gap in identity security. It meant that, even if an attacker possessed the account credentials, they couldn't log in without the second factor. While that logic was sound, attackers have now figured out that they don't need to steal the second factor: they just need the user to hand it over. If your workforce authenticates with
Analysis Summary
Based on the context above and the evolving landscape of MFA-bypass attacks, here is a summary of the primary technique in use:
# Tool/Technique: MFA Fatigue (Push Spamming) & Adversary-in-the-Middle (AiTM)
## Overview
MFA Fatigue is a social engineering technique where an attacker, having already obtained a user's primary credentials, repeatedly triggers MFA push notifications to the victim's device. The goal is to annoy or confuse the victim into eventually tapping "Approve," granting the attacker access without needing to intercept the physical second factor. This is often paired with Adversary-in-the-Middle (AiTM) phishing to steal session tokens directly.
## Technical Details
- **Type:** Social Engineering Technique / Exploitation of MFA
- **Platform:** Cross-platform (iOS, Android, Windows, macOS, SaaS platforms)
- **Capabilities:** Bypassing traditional MFA, Session Hijacking, Credential Harvesting
- **First Seen:** Increased prevalence circa late 2021/2022 (notably used in high-profile breaches like Uber and Microsoft)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566 - Phishing]
  - [T1078 - Valid Accounts]
- **[TA0006 - Credential Access]**
  - [T1621 - Multi-Factor Authentication Request Generation]
  - [T1557 - Adversary-in-the-Middle]
- **[TA0005 - Defense Evasion]**
  - [T1550.004 - Use Alternate Authentication Material: Web Session Cookie]
## Functionality
### Core Capabilities
- **Request Bombarding:** Automating hundreds of push notifications to a mobile device through the identity provider’s API.
- **Session Proxying:** Using AiTM proxies to capture session cookies in real-time, rendering the MFA requirement moot after the initial login.
### Advanced Features
- **Contextual Imitation:** Attackers often contact the victim at the same time, posing as IT support over WhatsApp, SMS or Teams, and claim the notifications are part of a "system update" to encourage approval.
- **Geographic Spoofing:** Using VPNs or proxies to ensure the login attempt appears to come from a nearby geographical location to avoid "unusual login" alerts.
## Indicators of Compromise
- **File Hashes:** N/A (technique-based; however, kits like **Evilginx2** or **Mamba** are often used).
- **Network Indicators:**
  - `login.microsoftonline.com-auth[.]com` (example defanged phishing domain)
  - `verification-update[.]net` (example defanged phishing domain)
- **Behavioral Indicators:**
  - High volume of "Deny" logs followed by a single "Approve" log in MFA provider dashboards (Okta, Duo, MS Authenticator).
  - Logins originating from unknown ISP/ASN ranges or known proxy/VPN exit nodes.
  - Unexpected session token usage from an IP address differing from the original login IP.
## Associated Threat Actors
- **Lapsus$** (Active users of MFA Fatigue)
- **UNC2452 / APT29** (Nobelium)
- **Scattered Spider** (UNC3944)
## Detection Methods
- **Behavioral Detection:** Monitoring for "MFA Spam" patterns (e.g., >10 MFA requests in <1 minute followed by success).
- **Impossible Travel:** Detection of successful MFA logins from locations inconsistent with the user's known travel patterns.
- **User Agent Analysis:** Flagging logins that utilize mismatched or rare User Agent strings during the MFA handshake.
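The behavioral detection above (a burst of denied or timed-out pushes ending in a single approval) can be run as a sliding-window rule over the MFA provider's push log. The following is an added example written for this report, not code from the report or from any MFA vendor: the JSON-lines log format, its field names (`ts`, `user`, `factor`, `result`, `src_ip`) and the sample records are constructed assumptions, and the thresholds (more than ten pushes inside one minute, then success) come from the heuristic stated above.

```python
"""Detecting the MFA push-spam (fatigue) pattern over MFA provider logs.

Added example; not from the original report or any vendor. The JSON-lines
log format, its field names and the sample records are assumptions
constructed for this illustration."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the report's detection heuristic: more than ten push
# requests inside one minute that end in a successful approval.
SPAM_THRESHOLD = 10
SPAM_WINDOW = timedelta(minutes=1)


def constructed_sample_logs():
    """Constructed JSON-lines push log (hypothetical export format)."""
    base = datetime(2024, 5, 1, 9, 0, 0)

    def rec(offset, user, result, ip):
        return json.dumps({"ts": (base + offset).isoformat(), "user": user,
                           "factor": "push", "result": result, "src_ip": ip})

    lines = []
    # alice: 12 pushes denied or timed out over 44 seconds, then one approval
    for i in range(12):
        lines.append(rec(timedelta(seconds=4 * i), "alice",
                         "deny" if i % 3 else "timeout", "203.0.113.7"))
    lines.append(rec(timedelta(seconds=50), "alice", "approve", "203.0.113.7"))
    # bob: a single ordinary approval
    lines.append(rec(timedelta(minutes=5), "bob", "approve", "198.51.100.20"))
    # carol: two denials 15 minutes apart, then an approval (not spam)
    lines.append(rec(timedelta(minutes=10), "carol", "deny", "192.0.2.44"))
    lines.append(rec(timedelta(minutes=25), "carol", "deny", "192.0.2.44"))
    lines.append(rec(timedelta(minutes=26), "carol", "approve", "192.0.2.44"))
    return lines


def parse_events(lines):
    """Parse JSON-lines records and sort them by timestamp."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_spam(events, threshold=SPAM_THRESHOLD, window=SPAM_WINDOW):
    """Return one alert per approval that was preceded by at least
    `threshold` non-approved pushes (deny/timeout) inside `window`."""
    pending = defaultdict(deque)   # user -> timestamps of recent non-approved pushes
    alerts = []
    for e in events:
        if e.get("factor") != "push":
            continue
        q = pending[e["user"]]
        # Slide the window: drop pushes older than `window` before this event.
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["result"] == "approve":
            if len(q) >= threshold:
                alerts.append({
                    "user": e["user"],
                    "approved_at": e["ts"].isoformat(),
                    "pushes_before_approve": len(q),
                    "src_ip": e["src_ip"],
                })
            q.clear()   # a successful approval ends the burst
        else:
            q.append(e["ts"])
    return alerts


if __name__ == "__main__":
    for alert in detect_push_spam(parse_events(constructed_sample_logs())):
        print("MFA fatigue suspected:", alert)
```

Only alice trips the rule in the sample: her twelve non-approved pushes all fall inside the minute before the approval, while carol's two denials are too far apart to count as a burst. In a SIEM the same rule would be keyed on the provider's own field names and tuned per tenant; the source IP of the approving request is kept in the alert so an analyst can cross-check it against the other behavioral indicators (unknown ASN, proxy exit node, IP differing from the original login).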
## Mitigation Strategies
- **Number Matching:** Configure MFA (like Microsoft Authenticator) to require the user to type a 2-digit number displayed on the login screen into the app.
- **FIDO2 / Hardware Keys:** Transition to phishing-resistant MFA (WebAuthn/FIDO2) which binds the auth session to the hardware and the specific URL.
- **Conditional Access:** Restrict logins to "Managed" or "Compliant" devices only.
- **MFA Rate Limiting:** Implement backend policies to lock accounts or alert the SOC after a set number of denied push requests.
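Two of the mitigations listed above, number matching and a lockout after repeated denied pushes, can be shown together in a small server-side push-MFA flow. The following is an added example written for this report, not the report's own code nor that of Microsoft Authenticator or any other vendor: the `PushMfaService` class, its method names, the in-memory stores and the lock threshold of five denials are all assumptions. It also goes one step beyond the text by treating a blind "Approve" that arrives without the correct number as a denial, since that is exactly the response a fatigued user would give when the login was not theirs.

```python
"""Server-side push-MFA sketch showing two mitigations from the report:
number matching and a denied-push lockout with a SOC alert.

Added example, not the report's or any vendor's code. Class and method
names, the lock threshold and the in-memory stores are assumptions."""
import secrets
from dataclasses import dataclass, field

DENY_LOCK_THRESHOLD = 5   # assumed value for the report's "set number" of denied pushes


@dataclass
class Challenge:
    user: str
    number: int          # two-digit number shown only on the login screen
    open: bool = True


@dataclass
class PushMfaService:
    deny_lock_threshold: int = DENY_LOCK_THRESHOLD
    challenges: dict = field(default_factory=dict)
    denials: dict = field(default_factory=dict)    # user -> consecutive denials
    locked: set = field(default_factory=set)
    soc_alerts: list = field(default_factory=list)

    def start_challenge(self, user):
        """Called after the password check succeeds. Returns (challenge_id,
        number); the number is rendered on the login page and never included
        in the push, so whoever did not initiate the login cannot know it."""
        if user in self.locked:
            raise PermissionError(f"{user}: account locked pending SOC review")
        cid = secrets.token_hex(8)
        number = secrets.randbelow(90) + 10          # 10..99
        self.challenges[cid] = Challenge(user, number)
        return cid, number

    def respond(self, cid, approved, entered_number=None):
        """Handle the authenticator app's answer. Only an approval carrying
        the matching number succeeds; a denial, or an approval with a wrong
        or missing number, counts toward lockout. Closed challenges are ignored."""
        ch = self.challenges.get(cid)
        if ch is None or not ch.open:
            return False
        ch.open = False                              # single-use challenge
        if approved and entered_number == ch.number:
            self.denials[ch.user] = 0                # burst ended legitimately
            return True
        self.denials[ch.user] = self.denials.get(ch.user, 0) + 1
        if self.denials[ch.user] >= self.deny_lock_threshold:
            self.locked.add(ch.user)
            self.soc_alerts.append(
                f"{ch.user}: {self.denials[ch.user]} denied or mismatched "
                f"pushes in a row; account locked")
        return False


def simulate_denied_pushes(service, user, attempts):
    """Issue up to `attempts` challenges for a login the user did not start.
    The user alternates between tapping Deny and tapping Approve without the
    number (entered as 0, never valid). Returns how many challenges could be
    issued before the lockout engaged."""
    issued = 0
    for i in range(attempts):
        try:
            cid, _number = service.start_challenge(user)
        except PermissionError:
            break
        issued += 1
        if i % 2 == 0:
            service.respond(cid, approved=False)
        else:
            service.respond(cid, approved=True, entered_number=0)
    return issued


def legitimate_approval(service, user):
    """The user who actually initiated the login reads the number off the
    login page and enters it in the app."""
    cid, number = service.start_challenge(user)
    return service.respond(cid, approved=True, entered_number=number)


def demo():
    svc = PushMfaService()
    issued = simulate_denied_pushes(svc, "alice", 8)
    return {"alice_pushes_issued": issued,
            "alice_locked": "alice" in svc.locked,
            "alerts": len(svc.soc_alerts),
            "bob_ok": legitimate_approval(svc, "bob")}


if __name__ == "__main__":
    print(demo())
```

With the assumed threshold of five, only five challenges can be issued for alice before her account is locked and a SOC alert is raised, whatever mix of denials and number-less approvals she gives; bob, who initiated his own login and can read the number from his screen, still signs in normally. The number is deliberately generated server-side and shown only on the page that requested the login, which is what breaks the "just tap Approve" outcome the fatigue technique relies on.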
## Related Tools/Techniques
- **Evilginx2/3:** An AiTM framework used to proxy login credentials and session cookies.
- **Modlishka:** A powerful reverse proxy for phishing.
- **Mamba MFA:** A specialized toolkit for bypassing modern authentication.
- **SIM Swapping:** An alternative method to intercept SMS-based factors.