
Multi-factor authentication (MFA) is a foundational security control, but attackers are increasingly bypassing it using MFA Push Spray (also called MFA fatigue attacks). This technique floods users with authentication prompts until they accidentally approve one, granting attackers access. For CISOs, the rise of Phishing-as-a-Service (PhaaS) tools like MFASweep makes this a critical threat to address.
How MFA Push Spray Attacks Work
Attackers begin by stealing credentials through phishing, breaches, or password spraying. Once they have valid credentials, they trigger a barrage of MFA push notifications (e.g., via Microsoft Authenticator or Duo). The goal is to overwhelm the victim, who may approve a request out of frustration or confusion. Research shows attackers often time these prompts during peak hours (8–9 AM) to blend in with legitimate activity.
Key Attack Vectors and Tools
Automated tools like MFASweep streamline MFA push attacks by testing MFA policies for weaknesses. Attackers may also impersonate IT support, pressuring users to approve requests. Unlike brute-force attacks, MFA Push Spray exploits human behavior rather than technical flaws.
Mitigation Strategies for Security Teams
To defend against MFA fatigue, organizations should:
- Enforce MFA prompt limits (e.g., block requests after 3 denials).
- Adopt FIDO2 keys or smart cards to eliminate push-based vulnerabilities.
- Train users to recognize and report suspicious MFA prompts.
- Monitor logs for anomalies like rapid geographic login shifts.
Relevance to Red and Blue Teams
Red Teams can simulate MFA Push Spray to test organizational resilience. Blue Teams should deploy conditional access policies (e.g., require MFA only for unfamiliar locations). SOC analysts must watch for patterns—such as repeated MFA failures followed by a sudden success—that indicate a breach.
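The two SOC patterns named above (a run of denials followed by a sudden approval, and approvals from different locations close together), as an added example that is not part of the original article: the event layout, the 3-denial threshold and the window sizes are constructed assumptions, not any identity provider's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (timestamp, user, result, location);
# the field layout is an assumption, not any particular IdP's export format.
SAMPLE_LOG = [
    ("2024-03-04T08:02:10", "alice", "denied", "Berlin"),
    ("2024-03-04T08:02:41", "alice", "denied", "Berlin"),
    ("2024-03-04T08:03:05", "alice", "denied", "Berlin"),
    ("2024-03-04T08:03:40", "alice", "approved", "Berlin"),
    ("2024-03-04T08:05:00", "bob", "denied", "London"),
    ("2024-03-04T09:30:00", "bob", "approved", "London"),
    ("2024-03-04T08:10:00", "carol", "approved", "Paris"),
    ("2024-03-04T08:25:00", "carol", "approved", "Sydney"),
]

DENIAL_THRESHOLD = 3                 # the article's "block after 3 denials" limit
DENIAL_WINDOW = timedelta(minutes=10)
GEO_WINDOW = timedelta(hours=1)      # approvals from two places this close are suspect

def parse(log):
    """Parse ISO timestamps and order events chronologically."""
    return sorted((datetime.fromisoformat(ts), u, r, loc) for ts, u, r, loc in log)

def detect_mfa_anomalies(log, threshold=DENIAL_THRESHOLD,
                         denial_window=DENIAL_WINDOW, geo_window=GEO_WINDOW):
    """Return (alert_type, user, timestamp) tuples. prompt_limit: a user hit
    `threshold` denials inside denial_window (where enforcement should block);
    fatigue_approval: an approval landed while that denial streak was still live;
    geo_shift: consecutive approvals from different locations inside geo_window."""
    alerts = []
    denials = defaultdict(list)   # user -> timestamps of recent denials
    last_approval = {}            # user -> (timestamp, location)
    for ts, user, result, loc in parse(log):
        # Slide the window: forget denials older than denial_window.
        denials[user] = [t for t in denials[user] if ts - t <= denial_window]
        if result == "denied":
            denials[user].append(ts)
            if len(denials[user]) == threshold:
                alerts.append(("prompt_limit", user, ts))
        elif result == "approved":
            if len(denials[user]) >= threshold:
                alerts.append(("fatigue_approval", user, ts))
                denials[user].clear()
            prev = last_approval.get(user)
            if prev and prev[1] != loc and ts - prev[0] <= geo_window:
                alerts.append(("geo_shift", user, ts))
            last_approval[user] = (ts, loc)
    return alerts
```

Running `detect_mfa_anomalies(SAMPLE_LOG)` flags alice's third denial, her approval 35 seconds later, and carol's second approval from a different city; bob's single denial followed by a success 85 minutes later produces nothing, because his denial has aged out of the window.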
Conclusion
While MFA remains essential, MFA Push Spray underscores its weaknesses when attackers target human psychology. Combining technical controls (e.g., FIDO2) with user awareness is key. As PhaaS platforms proliferate, expect these attacks to grow in sophistication.