Earlier this week, Microsoft announced the general availability of several new security features for Azure AD tenants, including “number matching,” a feature to protect against an increasingly popular attack known as MFA push notification spam.
Also known as MFA fatigue or MFA prompt-bombing, this MFA bypass technique has been a little-known secret of infosec red teams for years, but it has also become extremely popular with several threat actors over the past 12 months.
The technique is typically used when a threat actor has managed to obtain a victim’s valid user credentials. If the account is protected by a multi-factor authentication (MFA) solution, the attacker uses the credentials and then intentionally triggers a smartphone push notification on the account owner’s phone to grant them access to the account.
The idea behind an MFA fatigue attack is to trigger repeated push notifications in the hopes that the account owner gets tired of the “spam” and approves the attacker’s access to the account, or they accidentally click “yes/approve” and allow the attacker access.
Cyber-espionage groups like APT29 were among the first major threat actors seen using this technique, which has also since been adopted by the APT (advanced persistent teen) group Lapsus$ in their recent intrusions at Cisco, Microsoft, Okta, Nvidia, and Uber.
Lapsus$ did not invent 'MFA prompt bombing' please stop crediting them with them as creating it.
This attack vector has been a thing used in real world attacks 2 years before lapsus was a thing
— Greg Linares (@Laughing_Mantis) March 25, 2022
The new “number matching” feature works to protect accounts by showing a number inside the push notification message received by account owners. Even if the user clicks “yes/approve” by accident, the attacker won’t be able to log in without entering this number as well, which most attackers would not be able to do.
Microsoft announced this feature earlier this year—after Lapsus$ compromised its network—but a similar number matching feature has also been available in other secure authentication providers like Cisco Duo, Okta, and others.
However, it must be mentioned that this technique is not foolproof, and attackers who contact employees posing as IT staff have been known to extract these numbers from employees in some attacks. But if you’re forcing employees into MFA that rely on push notifications, it’s better to have numbers matching enabled than not. Either way, if FIDO-based MFA is an option, better use that, as that form of cryptographic device-based authentication is not vulnerable to MFA fatigue attacks.