MFA Prompt Bombing and How to Stay Protected

Posted April 12, 2022

We’ve written previously on one-time password intercept bots and the threat they pose to multi-factor authentication (MFA) implementations utilizing one-time passwords (OTP) sent through SMS. Now there is a new threat to some less secure MFA implementations known as prompt bombing. This technique was used in the recent Microsoft and Okta breaches. In their forensic report on the breaches, Mandiant explains the MFA prompt bombing process used.

Mandiant has also observed the threat actor executing multiple authentication attempts in short succession against accounts secured with multi-factor authentication (MFA). In these cases, the threat actor had a valid username and password combination. Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor. The threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.

MFA prompt bombing essentially is an attempt to trick a user into completing an MFA security request on their devices. Methods utilized in the attacks include.

Sending a series of MFA requests and hoping the target finally accepts one to make the noise stop.
Sending one or two prompts per day. This method often attracts less attention, but “there is still a good chance the target will accept the MFA request.”
Calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process.

The MFA prompt bombing attack vector takes advantage of a design or configuration flaw in some MFA implementations. These implementations utilize a combination of device id and/or biometrics as an authentication factor which is good. The problem is that these factors are being completed on a different device than the device attempting the login. Think of logging in on your laptop but completing a Google Authenticator MFA request on your phone. If your MFA is configured to allow a separate device to authenticate, your risk-based authentication policy should require that both devices be in the same location. This would virtually eliminate the attack vector. Another solution is to require biometric data to be confirmed from the same device that is attempting the login — think of using the fingerprint reader on your laptop instead of your phone in the example above.

Many attacks today are leveraging relatively new techniques such prompt bombing or other forms of social engineering. These attacks take advantage of our flaws as humans and can be avoided through awareness and education campaigns with your employees. Share this information with your team so that when they receive strange authentication requests, they know what is happening and are aware of how to respond. The cyber threats we face today are real and determined but sometimes raising awareness of the latest techniques can give us all the advantage we need.

Even though some MFA solutions aren’t perfect, any MFA implementation is still significantly more secure than password authentication alone. Password-only authentications have their own significant flaws and those unavoidable flaws have begun a needed shift towards passwordless authentication. MFA remains a top implementation on our 2022 cybersecurity checklist and a top Cybersecurity and Infrastructure Security Agency (CISA) defense against ransomware.

Kevin Willette

Kevin Willette is Partner / CEO of Verus Corp. His focus is ensuring complete customer satisfaction and providing as much or as little support as is needed for the individual client. Kevin knows that plenty of places do IT services, but what sets Verus Corp apart is the local feeling and the commitment to doing things right the first time. He has always wanted to be a business owner because it affords him the opportunity to offer a service that was better than anything clients had seen before. His true goal is to help customers make their businesses better by removing potential IT barriers. Kevin served as chair for Habitat for Humanity during his time at Minnesota State University, Mankato. He has also served on the WatchGuard Advisory Council since 2016. Kevin’s work with Verus Corp has helped them achieve awards as the WatchGuard Partner of the Year and Cisco Select Partner. Kevin graduated from Minnesota State in 2000 with a major in Business Marketing and minors in Business Administration and Music.