Would your Global Administrator account security up to our standard?
Protecting credentials is an important step in any cyber security plan. One of the first things we always do when taking on a cyber security client, before we even embark on the fact finding and documentation, is make sure everyone is using MFA for their Microsoft 365 accounts and that their Global Administrator account security is up to our strict standard. The next thing we do is make sure that the passwords are not set to expire after so many days – as it has been shown that users will use as simple a password as possible or write it down in plain sight if they have to change passwords too often. (Al-Slais and El-Medany. 2022)
Now this fatigue habit of users is being exploited by threat actors to defeat MFA.
MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches (bleepingcomputer.com)
‘MFA Fatigue’ or ‘MFA push spam’ is a social engineering technique where sending spurious MFA requests, generated by the threat actors attempting to login with stolen credentials – continuously night and day. Having inflicted this on the user, the threat actor then contacts the victim, by email or text, pretending to be IT Support who can fix the problem, all they need them to do is approve the MFA request.
Maybe they will, maybe they won’t, maybe they will hit approve by accident. If they do not approve it then, there is no reason the threat actor cannot continue with this annoyance, trying to wear down the user’s security stance. Whatever happens this is a far simpler way of defeating MFA than stealing cookies or creating a man-in-the-middle attack.
Your takeaway from this?
Have you trained your people about this type of annoyance attack? If not feel free to send this blog post around to them, with your instructions on what they should do if this type of attack is aimed at them.
Online cyber security training for your team
We have an online cyber security training site – CyberAwake – where people can work their way through a series of videos and online tests to improve their cyber security awareness. We are always updating the content as the threat landscape changes and in November, because of the rise of attacks to defeat MFA, we are releasing a new module looking at ways threat actors try to defeat MFA, which we will make available to all current subscribers.
Clive Catton MSc (Cyber Security) – by-line and other articles
Further Reading
Cyber Security Experts | Awareness | Consultancy | Investigations (cyberawake.co.uk)
References
Al-Slais, Y., & El-Medany, W. M. (2022). User-centric adaptive password policies to combat password fatigue. Int. Arab J. Inf. Technol., 19(1), 55-62.