Information Security
Recognizing and Responding to MFA Fatigue Attacks
Last modified 8/21/2022
Multi-factor authentication (MFA) is the most effective way to protect accounts from compromise. However, cyber criminals have found that if they already hold working credentials, they can abuse MFA by pressuring users into approving their fraudulent access.
Read below on how to detect this type of attack and what you can do to protect your account and data.
Recognizing Multi-Factor Authentication (MFA) Fatigue Attacks
Signs of MFA Fatigue Attacks
The following are the primary warning signs that you may be a target of MFA fatigue attacks:
- You repeatedly receive MFA phone calls asking you to approve a sign-in when you are not signing in.
- You repeatedly receive MFA authenticator push notifications asking you to approve a sign-in when you are not signing in.
- You repeatedly receive MFA approval requests, by any method, during the late evening or very early morning (e.g. 11pm to 4am).
Note: This type of attack is often referred to as "MFA bombing" or "MFA spam abuse" as well.
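The warning signs above translate directly into a detection rule an identity or SOC team can run over sign-in logs: a burst of MFA prompts for one account inside a short window, especially during the 11pm to 4am window, with a denial-then-approval pattern. The following is an added example, not part of the original page; the event records, field names and thresholds are constructed for illustration and assume a simple (timestamp, user, outcome) log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data): timestamp, user, MFA outcome.
SAMPLE_EVENTS = [
    ("2022-08-20 23:41:02", "alice", "mfa_push_denied"),
    ("2022-08-20 23:41:40", "alice", "mfa_push_denied"),
    ("2022-08-20 23:42:15", "alice", "mfa_push_timeout"),
    ("2022-08-20 23:43:01", "alice", "mfa_push_denied"),
    ("2022-08-20 23:44:30", "alice", "mfa_push_approved"),  # user gave in
    ("2022-08-21 09:15:00", "bob", "mfa_push_approved"),
    ("2022-08-21 13:02:11", "bob", "mfa_push_denied"),
]

# Outcomes that mean a prompt was actually pushed to the user's device.
PROMPT_OUTCOMES = {"mfa_push_denied", "mfa_push_timeout", "mfa_push_approved"}


def is_off_hours(ts, start_hour=23, end_hour=4):
    """True for timestamps from 23:00 up to (not including) 04:00."""
    return ts.hour >= start_hour or ts.hour < end_hour


def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per user who received `threshold` or more MFA prompts
    within `window`. Each alert notes whether the burst began in off-hours
    and whether an approval occurred during the burst (likely a worn-down user)."""
    by_user = defaultdict(list)
    for ts, user, outcome in events:
        if outcome in PROMPT_OUTCOMES:
            by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), outcome))
    alerts = []
    for user, prompts in by_user.items():
        prompts.sort()
        for i, (start, _) in enumerate(prompts):
            # All prompts from this one forward that fall inside the window.
            burst = [p for p in prompts[i:] if p[0] - start <= window]
            if len(burst) >= threshold:
                alerts.append({
                    "user": user,
                    "prompts": len(burst),
                    "off_hours": is_off_hours(start),
                    "approved_during_burst": any(o == "mfa_push_approved" for _, o in burst),
                })
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An alert with `approved_during_burst` set is the case the page describes: after repeated denials the user approved, so the account should be treated as potentially compromised and its password reset, not just the prompt denied.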
Responding to MFA Fatigue Attacks
If you believe that you are a target of MFA fatigue, you should take immediate action.
Report the Fraudulent Sign In Attempts
Whether you are receiving unexpected MFA phone calls or push notifications, you can deny and report the fraudulent attempts. Doing this blocks the attacker from gaining access to your account and directly notifies the Information Security Office.
Change your Password
These attacks can only occur when the attacker has a working username and password, so change your password right away. They may have obtained it through a successful phishing attack or a data breach of another service where you used the same password.
Check your Sign In History
You can review recent activity on your account by visiting https://mysignins.microsoft.com/. There you will see a list of sign-ins, when they occurred, the location they originated from, and whether they were successful. If you see several from a location that you are not near or have never been to, you may be a target of this attack.