MFA Fatigue

MFA Fatigue, The Latest Hacker Tactic: Cybersecurity Best Practices

October is Cybersecurity Awareness Month and one of the best practices to protect yourself is multi-factor authentication (MFA). But hackers are turning to MFA fatigue attacks to get around MFA.

The way it works is simple. Hackers use various methods – including phishing attacks, malware, leaked credentials from data breaches, or purchasing them on dark web marketplaces – to obtain corporate credentials. That’s not difficult for them.

To counter this, organizations have increasingly adopted MFA to prevent users from logging into a network without first entering an additional form of verification. This additional information can be a one-time passcode, a prompt asking you to verify the login attempt, or the use of hardware security keys. Problem solved, right?


Not so fast. Threat actors use several methods to bypass MFA, most revolve around stealing cookies through malware or man-in-the-middle phishing attack frameworks.

Now, a social engineering technique called ‘MFA Fatigue’, aka ‘MFA push spam’, is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks. An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account’s owner’s mobile device.

The goal is to push out repeated MFA notifications until the targets get so overwhelmed that they accidentally click on the ‘Approve’ button or simply accept the MFA request to stop the deluge of notifications they were receiving on their phone.

MFA Fatigue has been used by the Lapsus$ and Yanluowang threat actors and has been successful in recent breaches, including Cisco and Uber just in the past few weeks.


This article from Bleeping Computer has more on the topic, including best practices for combating MFA Fatigue attacks, such as Microsoft’s MFA number matching and limiting the number of MFA authentication requests per user (then locking the account of the user or raising alerts to the domain admin).

This is why I said on Friday that there is no “Staples-easy button” to full cybersecurity protection – even MFA can be – and has been – bypassed. Don’t get “fatigued”! 😉

So, what do you think? Have you heard of MFA Fatigue attacks? You have now! Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Leave a Reply