Earlier this week, Microsoft announced the general availability of several new security features for Azure AD tenants, including “number matching,” a feature to protect against an increasingly popular attack known as MFA push notification spam.
Also known as MFA fatigue or MFA prompt-bombing, this MFA bypass technique has been a little-known secret of infosec red teams for years, but it has also become extremely popular with several threat actors over the past 12 months.
The technique is typically used when a threat actor has managed to obtain a victim’s valid user credentials. If the account is protected by a multi-factor authentication (MFA) solution, the attacker uses the credentials and then intentionally triggers a smartphone push notification on the account owner’s phone to grant them access to the account.
The idea behind an MFA fatigue attack is to trigger repeated push notifications in the hopes that the account owner gets tired of the “spam” and approves the attacker’s access to the account, or they accidentally click “yes/approve” and allow the attacker access.
Cyber-espionage groups like APT29 were among the first major threat actors seen using this technique, which has also since been adopted by the APT (advanced persistent teen) group Lapsus$ in their recent intrusions at Cisco, Microsoft, Okta, Nvidia, and Uber.
The new “number matching” feature works to protect accounts by showing a number inside the push notification message received by account owners. Even if the user clicks “yes/approve” by accident, the attacker won’t be able to log in without entering this number as well, which most attackers would not be able to do.
Microsoft announced this feature earlier this year—after Lapsus$ compromised its network—but a similar number matching feature has also been available in other secure authentication providers like Cisco Duo, Okta, and others.
However, it must be mentioned that this technique is not foolproof, and attackers who contact employees posing as IT staff have been known to extract these numbers from employees in some attacks. But if you’re forcing employees into MFA that rely on push notifications, it’s better to have numbers matching enabled than not. Either way, if FIDO-based MFA is an option, better use that, as that form of cryptographic device-based authentication is not vulnerable to MFA fatigue attacks.
Alex Lim
Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
