There is no silver bullet to cybersecurity, and as important as Multi-Factor Authentication (MFA) is, there are still ways around it. One particular attack vector on email has been noticeably increasing this summer: MFA Fatigue Attacks.
We have seen and heard of increased attempts to get access to accounts that leverage push-based notifications to verify a user’s identity. Luckily, there are some ways to stop this that we’ll dig into today.
First, just to be clear: YES, you do still need to have MFA in place despite its risks!
Layers of security (Defense-in Depth) are a critical part of a good cybersecurity approach. In fact, because there is no single solution, no silver bullet, that’s why these layers are so important to have. While cybersecurity can often come at a cost of inconvenience, it’s a necessary step to take to make it really inconvenient for would-be attackers.
How does MFA Fatigue work?
Not all MFA is equal. Some methods may have you look up a code in an app on your device, while others may text or email you a link or code. (Texts and emails can be intercepted, so we recommend using an app whenever possible.)
Another method that is commonly used by Microsoft is through a push notification (this is going away soon, see more here: Microsoft Changes MFA Practices: Our Thoughts).
In this form of MFA, a link is sent to a user to have them verify they are them. It may come as an email, or it may be a pop-up you receive within the application you’re trying to access through another device. It’s very convenient when you are already using a service on another device and are already logged in – but as we said above: Convenience and Cybersecurity are on opposites sides of the same spectrum, and you often cannot gain convenience without giving up security.
When an attacker has your credentials and tries to login, unsuspecting users may wonder:
- Why is this system asking me to log in again?
- Is it just now picking up on my other activity?
- Why isn’t this program recognizing me?
That may evolve as the bad actor continues to try to authenticate. Those little pop ups, texts, or emails may become annoying and disruptive. Maybe it’s happening in the middle of the night on your phone and you just want to get back to sleep and blindly hit “Accept” like it’s your snooze button.
Or, some people just get worn out and give in – hence MFA Fatigue.
Read more here: MITRE|ATT&CK – Multi-Factor Authentication Request Generation
What happens when they get in?
Here’s the concerning part of this. When we think of a cyber-attack, we imagine ransomware or worse. But someone that is unauthorized that has access to see or copy information, even if it happened accidentally, is still a breach.
For your email system, we often don’t know if they were able to download everything, read through emails, or more. Only an investigator can prove what happened (and it’s very hard to prove what DIDN’T happen).
Most often, we see that a rule is created to forward mail to the attacker. They may even use your email to launch other attacks. Sometimes they may sit and wait for something juicy to come in, like an email about a financial transaction, that they can intercept.
Either way, this is a breach of a critical business tool and there are laws in all 50 states that require it to be properly researched, documented, and reported.
What should you do to prevent and recover from this attack?
To prevent this from being as likely:
- Educate users on how these attacks happen and what to watch for by ensuring they have regular security awareness training that is both thorough and up to date.
- Use MFA on everything – and look for more effective forms of MFA, like number matching in an app.
- Set rules in your email system to not allow messages to be forwarded outside of your own domain for non-admins.
- Many attacks come from phishing emails, so use Email Security Tools like GreatHorn to be able to mitigate this risk, or at minimum, identify who interacted with malicious/suspicious links.
- Continue to practice good password usage, even when MFA is in place:
- Create longer passwords
- Create random generated passwords
- Don’t re-use or share passwords across more than one system
- Update passwords, especially if you see MFA Fatigue attacks coming in
- Try to use a password manager when you can
- Get reports of what passwords you use today that are known to be compromised
If you think you have been victim of an attack like this, there are a few things you should do immediately:
- Reset passwords
- Check for rules and disable any that were not set up by the user
- Check into sent items (sometimes the attacker may hide things in other folders, so dig around)
- Call your insurance provider if you have cyber liability
- Reach out to vendors like Rhodian Group, where our Cybersecurity division has experienced analysts that can help investigate what happened and document it appropriately
Above all else, make sure you have an experienced and trusted partner to help you.
Rhodian is here to help!
Submit the contact form at the bottom of the page to get in touch with our team. We will help you uncover risks you may not be aware of, and share tips and recommendations on how to be more resilient in the face of attacks and more prepared to overcome them.
Disclaimer: The appearance of external hyperlinks in our blogs does not constitute endorsement by Rhodian Group of the linked websites, or the information, products, or services contained therein. Where not stated otherwise, Rhodian Group does not own or maintain any of the external websites that are linked in our blogs.
Please let us know if you believe any existing hyperlinks are inappropriate.