Microsoft enforces number matching to fight MFA fatigue attacks

BleepingComputer reports* that Microsoft has started enforcing number matching in Microsoft Authenticator push notifications to fend off multi-factor authentication (MFA) fatigue attacks.

In such attacks (also known as push bombing or MFA push spam), cybercriminals flood the targets with mobile push notifications asking them to approve attempts to log into their corporate accounts using stolen credentials.

In many cases, the targets will give in to the repeated malicious MFA push requests, either by mistake or to stop the seemingly endless stream of alerts, allowing the attackers to log into their accounts.

This type of social engineering attack has already proven very successful for the Lapsus$ and Yanluowang threat actors, who used it to breach high-profile organizations, including Microsoft, Cisco, and Uber.

“Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023,” Microsoft says.

“Relevant services will begin deploying these changes after May 8, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don’t.”

This is a vital step in overcoming the flaws associated with weak and reused passwords. Number matching is a quick and easy validation step that adds much-needed security: it stops the process of bombarding users with approval prompts, where the threat actor is a wolf in sheep's clothing. Asking the user to choose the correct number is a small extra level of participation that remains simple to perform, but it is another win for security professionals, who are constantly overwhelmed by clever attackers looking to manipulate their victims.

Making this the default authentication method within the app means users are protected without having to think or act, increasing their protection. For additional layers of protection against MFA fatigue attacks, cautious users can also limit MFA requests, so that excessive prompts lock the account or alert admins, which is useful for those who constantly sign into sensitive areas.
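As an added illustration of the two defences described above, and not Microsoft's or the Authenticator app's own code, the model below pairs number-matching push approval with a limiter that locks the account and alerts admins once too many pushes arrive in a short window. The window length, push threshold and number range are assumed values chosen for the example.

```python
import secrets
import time
from collections import defaultdict, deque

# Illustrative model of number-matching push MFA with a push-bombing limiter.
# Added example; not Microsoft's implementation. Thresholds are assumed values.
PUSH_WINDOW_SECONDS = 300   # look-back window for counting push requests
PUSH_LIMIT = 5              # pushes allowed per window before the account locks
NUMBER_RANGE = 100          # challenge number 0..99, shown on the sign-in page


class PushMfaService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pushes = defaultdict(deque)  # user -> timestamps of recent pushes
        self.pending = {}                 # challenge_id -> (user, expected number)
        self.locked = set()
        self.admin_alerts = []

    def request_push(self, user):
        """Called after a correct password. Returns (challenge_id, number) to
        display on the sign-in screen, or None when the account has been locked
        because of a push-bombing pattern."""
        now = self.clock()
        recent = self.pushes[user]
        while recent and now - recent[0] > PUSH_WINDOW_SECONDS:
            recent.popleft()              # drop pushes outside the window
        recent.append(now)
        if user in self.locked or len(recent) > PUSH_LIMIT:
            # Too many prompts: lock the account and alert admins instead of
            # sending yet another push the victim might approve by mistake.
            self.locked.add(user)
            self.admin_alerts.append(
                f"{user}: {len(recent)} MFA pushes within "
                f"{PUSH_WINDOW_SECONDS}s, account locked")
            return None
        number = secrets.randbelow(NUMBER_RANGE)
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = (user, number)
        return challenge_id, number

    def approve(self, challenge_id, entered_number):
        """The app asks the user for the number shown on the sign-in screen.
        A blind 'approve' tap cannot succeed: only the displayed number does,
        the challenge is single-use, and a locked account is never approved."""
        entry = self.pending.pop(challenge_id, None)
        if entry is None:
            return False
        user, expected = entry
        return user not in self.locked and entered_number == expected
```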

*ESET does not bear any responsibility for the accuracy of this information.

