Multi-factor or two-factor authentication is the security gateway that protects our Office 365 accounts. With MFA, your organization gets stronger security because users have to present more than a username and password to prove who they are.

So MFA adds an extra layer of security to Office 365 and should keep attackers out, right? But what if I told you that two-factor authentication can also be bypassed? Doesn't that seem fishy? Can hackers beat strong two-factor authentication?

Yes. A serious attack has emerged that bypasses MFA and compromises the security posture of the Office 365 environment. MFA spamming is an intrusion technique that relies on human factors rather than on a flaw in the technology itself. It has started to undermine two-step verification, and it has shown that not all MFA methods are equally secure: a push notification the user only has to tap Approve on is the weak link.

Fatigue means exhaustion from something. MFA fatigue is the technique of constantly spamming a user with push notifications for MFA verification in the hope that they will eventually accept one, assuming it comes from a legitimate source. The moment the user taps Approve, the attacker gains access to the victim's Office 365 account or the organization's systems.

Curious about how these attacks are carried out? Let's take a closer look at how MFA prompt bombing works.

MFA bombing attacks are technically simple. The attacker floods the user with MFA push notifications and, eventually overwhelmed by the volume, the user accepts one. It is far easier to trick humans than machines, so these attacks rely entirely on human factors and human error.

Initially, the hacker obtains the user's password through password spraying, phishing or brute-force attacks. Having a valid password, however, is not enough on its own, because MFA still stands in the way.

With the credentials in hand, the attacker starts signing in to the account again and again. Every sign-in attempt makes Office 365 send a fresh push notification to the user's authenticator app.

The user will usually deny the request, since they did not initiate it.

But the hacker keeps retrying, so Office 365 keeps prompting the user for approval, over and over, until the victim confirms one of the requests.

Eventually, the victim accepts the MFA request, either by mistake after so many prompts in a row, or simply to make the continuous notifications stop.

That's it! The attacker now has access to the victim's Office 365 account.
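The pattern described above leaves a clear trace in sign-in logs: a burst of push prompts for one account that the user denies or lets expire, followed by a single approval. As an added example (not part of the original post, and not Microsoft's code), here is a small Python detector for that pattern. The events are constructed sample data, and the field names (`user`, `time`, `outcome`) are assumptions; a real deployment would map the fields of your identity provider's sign-in log onto them.

```python
"""Sliding-window detector for MFA push bombing in sign-in events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real Office 365 log lines. The field names
# (user, time, outcome) are assumptions; map your own sign-in log onto them.
SAMPLE_EVENTS = [
    # alice: one prompt, approved. Normal login, no alert.
    {"user": "alice@example.com", "time": "2024-03-01T08:00:00", "outcome": "approved"},
    # bob: six prompts in four minutes that he denies or ignores, then one he
    # approves to make the notifications stop. This is the bombing pattern.
    {"user": "bob@example.com", "time": "2024-03-01T02:00:05", "outcome": "denied"},
    {"user": "bob@example.com", "time": "2024-03-01T02:00:40", "outcome": "timeout"},
    {"user": "bob@example.com", "time": "2024-03-01T02:01:10", "outcome": "denied"},
    {"user": "bob@example.com", "time": "2024-03-01T02:01:55", "outcome": "denied"},
    {"user": "bob@example.com", "time": "2024-03-01T02:02:30", "outcome": "timeout"},
    {"user": "bob@example.com", "time": "2024-03-01T02:03:12", "outcome": "denied"},
    {"user": "bob@example.com", "time": "2024-03-01T02:04:00", "outcome": "approved"},
    # carol: two denials hours apart. Below threshold, no alert.
    {"user": "carol@example.com", "time": "2024-03-01T09:00:00", "outcome": "denied"},
    {"user": "carol@example.com", "time": "2024-03-01T17:30:00", "outcome": "denied"},
]

# Prompt outcomes that mean "the user did not approve this push".
FAILED_OUTCOMES = {"denied", "timeout"}


def detect_mfa_bombing(events, window_minutes=10, threshold=5):
    """Return one alert per user who received at least `threshold` failed push
    prompts within `window_minutes`. An approval within one window after the
    burst marks the alert critical: that is the case where the victim gave in
    and the attacker is now signed in."""
    window = timedelta(minutes=window_minutes)

    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["outcome"]))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        failures = [t for t, outcome in evs if outcome in FAILED_OUTCOMES]
        for i, burst_start in enumerate(failures):
            # Extend the burst to every failure within `window` of its start.
            j = i
            while j + 1 < len(failures) and failures[j + 1] - burst_start <= window:
                j += 1
            if j - i + 1 < threshold:
                continue
            burst_end = failures[j]
            approval = next(
                (t for t, outcome in evs
                 if outcome == "approved" and burst_start <= t <= burst_end + window),
                None,
            )
            alerts.append({
                "user": user,
                "burst_start": burst_start.isoformat(),
                "burst_end": burst_end.isoformat(),
                "failed_prompts": j - i + 1,
                "approved_after_burst": approval is not None,
                "severity": "critical" if approval is not None else "high",
            })
            break  # one alert per user per run is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_bombing(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are deliberately parameters: a flaky mobile app can produce a couple of expired prompts on its own, so tune them against your own baseline before paging anyone. The alert that matters most is the critical one, a burst followed by an approval, because at that point the account should be treated as compromised: revoke sessions, reset the password and review what the session did.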