
MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications | The Daily Swig

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta content="IE=edge" http-equiv="X-UA-Compatible"> <meta content="width=device-width, initial-scale=1" name="viewport"> <title>MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications | The Daily Swig</title> <meta content="Social engineering technique confuses victims to gain entry to their accounts" name="description"> <!-- Twitter data --> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:site" content="@DailySwig"> <meta name="twitter:title" content="MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications"> <meta name="twitter:description" content="Social engineering technique confuses victims to gain entry to their accounts"> <meta name="twitter:creator" content="@JesscaHaworth"> <meta name="twitter:image" content="https://portswigger.net/cms/images/52/49/5466-twittercard-220216-authenticator-body-text.jpg"> <!-- Open Graph data --> <meta property="og:title" content="MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications" /> <meta property="og:description" content="Social engineering technique confuses victims to gain entry to their accounts"> <meta property="og:type" content="article" /> <meta property="og:url" content="https://portswigger.net/daily-swig/mfa-fatigue-attacks-users-tricked-into-allowing-device-access-due-to-overload-of-push-notifications" /> <meta property="og:image" content="https://portswigger.net/cms/images/52/49/5466-twittercard-220216-authenticator-body-text.jpg" /> <meta property="og:site_name" content="The Daily Swig | Cybersecurity news and views" /> <meta property="article:published_time" content="2022-02-16T15:40:00" /> <link href="https://portswigger.net/daily-swig/mfa-fatigue-attacks-users-tricked-into-allowing-device-access-due-to-overload-of-push-notifications" rel="canonical"/> <link 
features</a> </div> <div> <div class="container-cards-lists-white"> <a href="https://portswigger.net/daily-swig/a-rough-guide-to-launching-a-career-in-cybersecurity"> <p><strong>Infosec beginner?</strong></p> <p>A rough guide to launching a career in cybersecurity</p> <img src="/daily-swig-mega-nav/images/deepdives.png" alt="cyber-career"> </a> </div> </div> </div> </div> </div> <div class="mega-nav-content mega-nav-content-5"> <div class="section-white-medium-no-padding"> <div class="container-columns-66-percent-right"> <div> <div class="container-small"> <a href="https://portswigger.net/daily-swig/industry-news" class="no-border">Industry news</a> <a href="https://portswigger.net/daily-swig/enterprise" class="no-border">Enterprise security news</a> <a href="https://portswigger.net/daily-swig/hacking-tools" class="no-border">Web hacking tools</a> <a href="https://portswigger.net/daily-swig/events" class="no-border">Events</a> </div> <a href="https://portswigger.net/daily-swig/industry-news" class="chevron-after">View all infosec industry news</a> </div> <div> <div class="container-cards-lists-white"> <a href="https://portswigger.net/daily-swig/cybersecurity-conferences-a-rundown-of-online-in-person-and-hybrid-events"> <p><strong>Cybersecurity conferences</strong></p> <p>A schedule of events in 2022 and beyond</p> <img src="/daily-swig-mega-nav/images/more-topics.jpg" alt="More topics"> </a> </div> </div> </div> </div> </div> </div> </div> </div> <input id="MediaId" name="MediaId" type="hidden" value="01B5D47E1FAE610F870AACD74DADDEAA" /> <section class="maincontainer dailyswig"> <div class="container is-flex margin-bottom-m"> <div class="maincol"> <div class="post-card"> <h1>MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications</h1> <div class="post-additionalinfo"> <a href="/daily-swig/by/jessica-haworth-elsayed"> Jessica Haworth-Elsayed</a> 16 February 2022 at 15:40 UTC <br> Updated: 18 February 2022 at 14:24 UTC 
class="share-linkedin "> <span class="share-icon icon-ps-linkedin"></span> <span class="share-text">LinkedIn</span> </span> </a> <a href="mailto:?subject=MFA+fatigue+attacks%3a+Users+tricked+into+allowing+device+access+due+to+overload+of+push+notifications+%7c+The+Daily+Swig&body=MFA+fatigue+attacks%3a+Users+tricked+into+allowing+device+access+due+to+overload+of+push+notifications+%7c+The+Daily+Swig%0A%0ASocial+engineering+technique+confuses+victims+to+gain+entry+to+their+accounts%0A%0Ahttps://portswigger.net/daily-swig/mfa-fatigue-attacks-users-tricked-into-allowing-device-access-due-to-overload-of-push-notifications"> <span class="share-email "> <span class="share-icon icon-ps-email"></span> <span class="share-text">Email</span> </span> </a> </div> <div class="post-content"> <!-- Article Start --> <p class="standfirst">Social engineering technique wears victims down until they approve an attacker’s login to their accounts</p><p><img src="/cms/images/52/49/5466-article-220216-authenticator-body-text.jpg" alt="Malicious hackers are targeting Office 365 users with a spate of MFA fatigue attacks" title="Image: BigTunaOnline / Shutterstock"><br></p><p>Malicious hackers are targeting Office 365 users with a spate of ‘MFA fatigue attacks’, bombarding victims with 2FA push notifications to trick them into approving the attacker’s own login attempts.</p><p>This is according to researchers from GoSecure, who have warned of an increase in attacks that exploit human behavior, rather than any technical flaw in MFA, to gain access to accounts.</p><p>Multi-factor <a href="https://portswigger.net/daily-swig/authentication" target="_blank">authentication</a> (MFA) fatigue is the name given to a technique in which adversaries flood a user’s authentication app with push notifications in the hope that the user will eventually approve one, completing the attacker’s login to the account or device.</p><br><p class="text-center"><a href="https://portswigger.net/daily-swig/hacking-techniques" target="_blank" class="bold">Read more of the latest news 
about hacking techniques</a></p><br><p>In <a href="https://www.gosecure.net/blog/2022/02/14/current-mfa-fatigue-attack-campaign-targeting-microsoft-office-365-users/" target="_blank">a blog post published earlier this week</a>, GoSecure described the attack as “simple”, given that “it only requires the attacker to manually, or even automatically, send repeated push notifications while trying to log into the victim’s account”.</p><p>It does, however, require the attacker to already hold the victim’s primary credentials (username and password), which “could be obtained via brute forcing, <a href="https://portswigger.net/daily-swig/password" target="_blank">password</a> reuse, or spraying”. A burst of unsolicited push prompts is therefore also a sign that the password itself has been compromised and should be reset, whether or not the user approved any of them.</p><p>“Once the attacker obtains valid credentials, they will perform the push notification spamming repeatedly until the user approves the login attempt and lets the attacker gain access to the account.</p><p>“This usually happens because the user is distracted or overwhelmed by the notifications and, in some cases, it can be misinterpreted as a bug or confused with other legitimate authentication requests.”</p><h3>‘Make it disappear’</h3><p>GoSecure noted that the attack is particularly effective – not because of the technology involved, but because it targets the human factor via <a href="https://portswigger.net/daily-swig/social-engineering" target="_blank">social engineering</a>.</p><p>“Many MFA users are not familiar with this type of attack and would not understand they are approving a fraudulent notification,” the researchers wrote.</p><p>“Others just want to make it disappear and are simply not aware of what they are doing since they approve similar notifications all the time. 
They can’t see through the ‘notification overload’ to spot the threat.”</p><br><p class="text-center"><span class="bold">DON’T MISS</span> <a href="https://portswigger.net/daily-swig/dependency-confusion-tops-the-portswigger-annual-web-hacking-list-for-2021" target="_blank">Dependency confusion tops the PortSwigger annual web hacking list for 2021</a></p><br><p>The technique has been seen in the wild for several years, including during a 2021 campaign in which Russian operatives targeted Office 365 users with repeated push notifications.</p><p>Research from Mandiant detailed how threat actors were observed executing multiple authentication attempts in short succession against accounts secured with MFA.</p><p>“In these cases, the threat actor had a valid username and password combination,” <a href="https://www.mandiant.com/resources/russian-targeting-gov-business" target="_blank">a blog post reads</a>.</p><p>“Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor.</p><p>“The threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”</p><h3>MFA PoC</h3><p>GoSecure has published a proof of concept that demonstrates how the attack works in real time:</p><br><p class="youtube-wrapper"><iframe src="https://www.youtube.com/embed/81zbtlOMTzU?origin=https://portswigger.net&amp;rel=0" title="GoSecure proof-of-concept video of an MFA fatigue attack"></iframe></p><br><p>The researchers also detailed how an <a href="https://portswigger.net/daily-swig/microsoft" target="_blank">Office 365</a> tenant can detect a burst of push notification attempts against an account, and advised on how to mitigate attacks of this nature.</p><p>For example, an administrator could tighten the MFA service’s default limits so that only a set maximum number of push notification attempts is permitted within a given time frame, throttling the attacker’s ability to spam the user.</p><p>They could also help prevent 
inadvertent approvals by enabling the phone sign-in verification method, which relies on number matching.</p><p>GoSecure explains: “In this scenario, a unique two-digit number is generated and must be confirmed on both sides.</p><p>“This is very hard for an attacker to compromise since the attacker is shown a number that must be guessed in the phone (which the attacker doesn’t have access to).”</p><p>In other words, the user must enter on their phone a number that is displayed only on the login screen – which, in this attack, is in front of the attacker rather than the victim – so blindly tapping ‘Approve’ on an unexpected prompt no longer completes the attacker’s session.</p><p>Finally, a “radical move, but a quick solution” could be to disable push notification approvals entirely – moving users to a second factor they must actively enter, such as a one-time code, rather than removing MFA altogether.</p><p>GoSecure warned: “As app-based authentication mechanisms are being adopted increasingly as a safer way to authenticate a user (versus SMS or phone call) it is expected that this tendency will grow in the future, even be encouraged by Microsoft itself.”</p><p><br></p><p><span class="bold">YOU MAY LIKE</span> <a href="https://portswigger.net/daily-swig/google-project-zero-hails-dramatic-acceleration-in-security-bug-remediation" target="_blank">Google Project Zero hails dramatic acceleration in security bug remediation</a></p> <!-- Article End --> </div> <div class="post-labels"> <a href="/daily-swig/2fa"> <span>2FA</span></a> <a href="/daily-swig/research"> <span>Research</span></a> <a href="/daily-swig/social-engineering"> <span>Social Engineering</span></a> <a href="/daily-swig/authentication"> <span>Authentication</span></a> <a href="/daily-swig/email-security"> <span>Email Security</span></a> <a href="/daily-swig/hacking-techniques"> <span>Hacking Techniques</span></a> <a href="/daily-swig/microsoft"> <span>Microsoft</span></a> <a href="/daily-swig/cyber-attacks"> <span>Cyber-attacks</span></a> <a href="/daily-swig/vulnerabilities"> <span>Vulnerabilities</span></a> <a href="/daily-swig/mobile"> <span>Mobile</span></a> <a href="/daily-swig/russia"> <span>Russia</span></a> <a href="/daily-swig/europe"> <span>Europe</span></a> <a href="/daily-swig/asia"> <span>Asia</span></a> <a href="/daily-swig/hacking-news"> <span>Hacking News</span></a> <a href="/daily-swig/privacy"> 
<a href="/legal">Legal</a> <a href="/privacy">Privacy Notice</a> </div> <div> <p>Insights</p> <a href="/web-security">Web Security Academy</a> <a href="/blog">Blog</a> <a href="/research">Research</a> </div> <div> <a href="/"><img src="/content/images/logos/portswigger-logo.svg" alt="PortSwigger Logo" class="footer-logo"></a> <a class="button-outline-blue-small camelcase" href="https://twitter.com/Burp_Suite" rel="noreferrer"><span class="icon-twitter"></span> Follow us</a> <p class="grey">&copy; 2024 PortSwigger Ltd.</p> </div> </div> </footer> <a href="#top" class="back-to-top"><svg xmlns="http://www.w3.org/2000/svg" width="26" height="26" viewBox="0 0 26 26"><polygon points="4.07 14.7 5.03 15.78 12.48 9.13 19.94 15.78 20.9 14.7 12.48 7.2 4.07 14.7" fill="#f63" /><path d="M13,0A13,13,0,1,0,26,13,13,13,0,0,0,13,0Zm0,24.56A11.56,11.56,0,1,1,24.56,13,11.58,11.58,0,0,1,13,24.56Z" fill="#f63" /></svg></a> </body> </html>
