November 8, 2022

Microsoft Enabling New Security Enhancement to Combat MFA Fatigue Attacks

Microsoft is taking steps to combat a rise in Multifactor Authentication (MFA) Fatigue attacks that have been plaguing Authenticator app users. These attacks are used to overwhelm users into approving unexpected and unauthorized requests for access into critical systems. Microsoft’s latest security feature aims to add an extra layer of security to prevent potential breaches. 

Key Takeaways: 

  • Cybercriminals send Authenticator users repeated, bogus requests for access in what have been called Multifactor Authentication (MFA) Fatigue attacks 
  • Microsoft is combating the rise in MFA Fatigue attacks by introducing an enhanced security feature called number matching 
  • This feature will be fully implemented for all users by February 28, 2023, but it’s recommended that your organization enable it sooner 

Protecting your company’s data against ransomware attacks is difficult enough, but now there’s a new way cybercriminals are taking advantage of security weak points. MFA Fatigue attacks occur when a threat actor runs a script that repeatedly attempts to log into an account with stolen credentials, causing a seemingly endless stream of push notifications to be sent to the account owner’s mobile device. These repeated notifications can lead either to an accidental approval of the bogus request or to the user approving it simply to end the stream of notifications.  
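The stream of push prompts described above is also what a defender can look for in sign-in telemetry. The following is an added example, not code from the original post or from Microsoft: it flags users who receive a burst of denied or unanswered MFA prompts in a short window, and notes when an approval follows that burst. The event line format and the sample data are constructed for this example and are not a real Authenticator or Entra log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-notification events for this example; the line format
# (timestamp, user, outcome) is invented here, not a real Authenticator/Entra log schema.
SAMPLE_EVENTS = """\
2022-11-08T09:00:01Z alice@example.com timeout
2022-11-08T09:00:40Z alice@example.com denied
2022-11-08T09:01:20Z alice@example.com timeout
2022-11-08T09:02:05Z alice@example.com denied
2022-11-08T09:02:50Z alice@example.com timeout
2022-11-08T09:03:30Z alice@example.com timeout
2022-11-08T09:04:10Z alice@example.com approved
2022-11-08T09:15:00Z bob@example.com denied
2022-11-08T08:00:00Z carol@example.com timeout
2022-11-08T10:00:00Z carol@example.com timeout
2022-11-08T12:00:00Z carol@example.com timeout
"""

def parse_events(text):
    """Parse 'timestamp user outcome' lines into (datetime, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return events

def detect_push_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Per user, count unapproved prompts (denied/timeout) in a sliding window. Returns
    {user: (peak_unapproved_in_window, approved_right_after_burst)} when the peak reaches threshold."""
    by_user = defaultdict(list)
    for ts, user, outcome in sorted(events):
        by_user[user].append((ts, outcome))
    alerts = {}
    for user, prompts in by_user.items():
        recent, peak, approved_after = [], 0, False
        for ts, outcome in prompts:
            # Drop unapproved prompts that fell out of the window before this event.
            recent = [t for t in recent if ts - t <= window]
            if outcome == "approved":
                approved_after |= len(recent) >= threshold
                continue
            recent.append(ts)
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[user] = (peak, approved_after)
    return alerts
```

An approval that immediately follows a burst (alice in the sample) is the case to triage first; spaced-out timeouts like carol's never fill the window and stay quiet.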

Crafty Cybercriminals Target MFA Users with Increasing Sophistication  

In some cases, criminals will attempt to contact the target by impersonating IT support either through email, over the phone, or through messaging platforms to convince the user to accept the prompt. Once approved, cybercriminals can give themselves access to other areas and potentially lock users out of critical areas.  

Cisco recently underwent a security breach after a hacker gained access to their VPN via this attack method. According to an analysis of the attack, even after being removed from the system, the hacker continued to attempt to regain access in the following weeks.  

New Number Matching System to Prevent MFA Fatigue Attacks 

As these attacks have increased in number, Microsoft Security has implemented number matching as a method to verify the true account owner. Number matching will be automatically enabled for all users by February 28, 2023. Once the number matching feature is enabled, it can’t be disabled or turned off.  

To increase security and reduce accidental approvals, your authentication process will now require employees to enter a two-digit number displayed on the sign-in screen into the Authenticator app on their phone when approving an MFA request. 

Why This Matters Now 

While number matching will be made a permanent feature in February 2023, it’s recommended that businesses implement the enhancement sooner rather than later. Preventing MFA Fatigue attacks is of course a priority, but so is acclimating your employees to the new system. Implementing the feature as soon as possible will also allow you ample time to address or fix any issues that arise with this security update. 

Anders Technology advisors are taking immediate steps to mitigate the risk for our clients. To learn more about this update and the impact it may have on your business, contact an Anders advisor below.  
