Information Security

Recognizing and Responding to MFA Fatigue Attacks

Last modified 8/21/2022

Multi-factor authentication (MFA) is the most effective way to protect accounts from compromise. However, cybercriminals have found that once they hold working credentials, they can abuse MFA prompts to get users to approve their fraudulent access.

Read on to learn how to recognize this type of attack and what you can do to protect your account and data.

Recognizing Multi-Factor Authentication (MFA) Fatigue Attacks

Signs of MFA Fatigue Attacks

The following are the primary warning signs that you may be a target of MFA fatigue attacks:

  • You repeatedly receive MFA phone calls asking you to approve a sign-in when you are not signing in.
  • You repeatedly receive MFA authenticator push notifications asking you to approve a sign-in when you are not signing in.
  • You repeatedly receive MFA approval requests, by any method, during the late evening or very early morning (e.g. 11pm - 4am).

Note: This type of attack is often referred to as "MFA bombing" or "MFA spam abuse" as well.

Responding to MFA Fatigue Attacks

If you believe that you are a target of MFA fatigue, you should take immediate action.

Report the Fraudulent Sign In Attempts

Whether the unexpected prompts arrive as MFA phone calls or as push notifications, you can deny and report the fraudulent attempts. Doing so blocks the attacker from gaining access to your account and directly notifies the Information Security Office.

Change your Password

These attacks can only occur when the attacker has a working username and password, so changing your password takes away what the attacker is using. They may have obtained it through a successful phishing attack or through a data breach of another service where you used the same password.

Check your Sign In History

You can review recent activity on your account by visiting https://mysignins.microsoft.com/. There you will see a listing of sign-ins, when they occurred, the location they originated from, and whether they were successful. If you see several from a location that you are not near or have never been to, you may be targeted by this attack.
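The warning signs listed above (repeated prompts you did not start, prompts in the 11pm - 4am window) and the sign-in history review described in this section can be checked mechanically over a sign-in history export. The script below is an added example, not code from the original page or from the Information Security Office. It runs offline over a constructed list of sign-in events with an invented field layout (time, user, location, success); real sign-in history exports use different field names and would need a small loader. For each user it reports bursts of MFA prompts within ten minutes, prompts during off hours, and prompt locations that never appeared in that user's earlier successful sign-ins.

```python
"""Flag MFA-fatigue warning signs over sign-in events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real data. Local time, ISO 8601. The field
# layout is an assumption for this example; real exports differ.
SAMPLE_EVENTS = [
    # ordinary daytime sign-ins from each user's usual location (the baseline)
    {"time": "2022-08-20T09:02:00", "user": "alice", "location": "Springfield, US", "success": True},
    {"time": "2022-08-20T10:00:00", "user": "bob", "location": "Springfield, US", "success": True},
    # overnight burst of prompts alice did not start, from an unfamiliar location
    {"time": "2022-08-21T01:14:00", "user": "alice", "location": "Unknown City, XX", "success": False},
    {"time": "2022-08-21T01:15:00", "user": "alice", "location": "Unknown City, XX", "success": False},
    {"time": "2022-08-21T01:16:30", "user": "alice", "location": "Unknown City, XX", "success": False},
    {"time": "2022-08-21T01:18:00", "user": "alice", "location": "Unknown City, XX", "success": False},
    # bob's normal day: one sign-in and one isolated mistyped-password prompt
    {"time": "2022-08-21T10:00:00", "user": "bob", "location": "Springfield, US", "success": True},
    {"time": "2022-08-21T14:30:00", "user": "bob", "location": "Springfield, US", "success": False},
]

OFF_HOURS_START = 23  # 11pm, per the page's example window
OFF_HOURS_END = 4     # 4am


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def is_off_hours(when):
    """True when a prompt arrived between 11pm and 4am."""
    return when.hour >= OFF_HOURS_START or when.hour < OFF_HOURS_END


def baseline_locations(events, before):
    """Locations each user signed in from successfully before `before`."""
    known = defaultdict(set)
    for e in events:
        if e["success"] and parse_time(e["time"]) < before:
            known[e["user"]].add(e["location"])
    return known


def prompt_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Largest run of prompts per user within `window`, for users at or over `threshold`.

    Every sign-in attempt counts as a prompt, approved or not, because the warning
    sign is the volume of prompts the user did not initiate.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(parse_time(e["time"]))
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


def assess(events, baseline_cutoff):
    """Per-user summary of the three warning signs for events at or after the cutoff."""
    known = baseline_locations(events, baseline_cutoff)
    bursts = prompt_bursts(events)
    report = {}
    for e in events:
        when = parse_time(e["time"])
        if when < baseline_cutoff:
            continue
        r = report.setdefault(e["user"], {"burst": bursts.get(e["user"], 0),
                                          "off_hours": 0, "unfamiliar": set()})
        if is_off_hours(when):
            r["off_hours"] += 1
        if e["location"] not in known.get(e["user"], set()):
            r["unfamiliar"].add(e["location"])
    return report


def likely_mfa_fatigue(summary):
    """A burst of prompts combined with off-hours timing or an unfamiliar location."""
    return summary["burst"] >= 3 and (summary["off_hours"] > 0 or bool(summary["unfamiliar"]))


if __name__ == "__main__":
    for user, summary in assess(SAMPLE_EVENTS, parse_time("2022-08-21T00:00:00")).items():
        verdict = "deny, report, change password" if likely_mfa_fatigue(summary) else "no action"
        print(user, summary, "->", verdict)
```

The burst threshold and the ten-minute window are starting points rather than fixed rules; a user who mistypes a password once, like bob above, should not be flagged, while a run of prompts the user never started, overnight and from a location absent from their history, matches all three signs and maps directly onto the response steps above.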