We think of multi-factor authentication (MFA) as a bulletproof solution to ward off unauthorized access, but a recent rise in what’s known as MFA fatigue attacks has demonstrated how savvy hackers are turning the tables. In recent years, hacking groups such as Lapsus$ have found success using multi-factor authentication as a gateway to infiltration, successfully carrying out social engineering attacks against Microsoft, Cisco and Uber.

In this article, we’ll explore how MFA fatigue attacks work and how businesses can combat such attacks through increased monitoring, cybersecurity awareness and managed security.


What is an MFA fatigue attack?

As businesses continue to adopt digital transformation strategies to combat increasingly sophisticated cyber threats, the exclusive reliance on standard usernames and passwords has waned – and rightfully so. Login practices of 15, 10 or even five years ago no longer suffice when it comes to accessing corporate devices, applications, online accounts or Virtual Private Networks. It’s only a matter of time before someone cracks your passwords using trial-and-error methods or brute force attacks. Hackers can also phish employees for access to credentials, purchase them on underground criminal forums or the dark web, or search public code repositories for leaked credentials.

Multi-factor authentication (MFA) adds a necessary defensive layer, especially when a user’s credentials get stolen, requiring users to enter two or more pieces of information to verify identity and enable access. Typical authentication factors include push notifications for approval, one-time passcodes, biometrics, or verification by GPS or network location. This extra layer of security makes it challenging for hackers to gain access to your data – but not impossible.

Enter MFA fatigue attacks. As more companies have adopted multi-factor authentication protocols, hackers have had to evolve their techniques and look for innovative ways to infiltrate networks. Through “push bombing, push harassment or push spamming,” MFA fatigue attacks attempt to do just that. Fatigue attacks occur when an attacker somehow gets hold of a legitimate user’s login credentials and coerces them to approve an authentication prompt by flooding their device with a deluge of MFA push notifications until they slip up or become “fatigued.” Some users might absent-mindedly approve the prompt, dismissing consecutive push notifications as a system malfunction.

In the aforementioned cases with Lapsus$, a member of the ransomware group stole an employee’s username and password and persuaded them to accept an MFA prompt. The attacker spammed the employee’s device with repeated MFA push notifications coupled with a series of sophisticated phishing attacks impersonating trusted IT support groups – all to convince the user to hit “approve.” After acquiring initial entry, the threat actor was free to conduct malicious activities within the user’s corporate network and manipulate forensic data in the process.

The success rate of this form of cyberattack is increasing. That’s why knowing what to expect and how to arm your organization with the proper tools to combat MFA fatigue attacks is critical.


Educate Your Employees Through Security Awareness Training 

While MFA remains a robust (and absolutely necessary) means of insulating the integrity of your assets against threats, it is not an à la carte solution – nothing is. Threat actors will continue to evolve in their practices and discover new ways to hunt and exploit system vulnerabilities and steal valuable information to use to their advantage.

Educating and training employees remains the best preventive tactic, especially in the case of social engineering schemes like MFA fatigue attacks. All the technical layers of protection you’ve enabled will fail if not fortified by the users who protect your front line. Be sure to keep your information security training current with the latest threat actors so employees know what to keep a lookout for. For training to stick, keep it engaging, break it into digestible, bite-sized chunks when applicable and be persistent. Ask your cybersecurity provider about weaving simulated phishing and/or fatigue attacks into your training program to give users real-time learning opportunities and further reinforce their importance.


Leverage Real-Time Monitoring and Threat Intelligence to Curb Risk 

Prevention by raising awareness is only half the battle. Identity systems must also help in recognizing and resolving attacks underway. That’s where security information and event management (SIEM) and Security Operations Center (SOC) services come in.

SIEM technology uses threat detection software and machine learning to monitor your networks for potential threats, while a SOC acts as your central command post – logging events, responding to alerts and streamlining the incident response and recovery process. When suspicious activity, such as an employee repeatedly denying MFA push requests, is detected in the environment, the SIEM will alert SOC analysts to investigate and respond before it’s too late.
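
To make that kind of alert concrete, here is a sketch of a sliding-window rule a SIEM could apply to MFA push events. It is an added example, not code from this article's authors or from any vendor; the event format, result labels, window and threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)                # assumed look-back window
THRESHOLD = 5                                 # assumed unapproved pushes that trigger an alert
UNAPPROVED = {"push_denied", "push_timeout"}  # assumed result labels

def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """events: iterable of (iso_timestamp, user, result). Returns {user: alert}."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes still in window
    alerts = {}
    for ts_raw, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:       # expire pushes older than the window
            q.popleft()
        if result in UNAPPROVED:
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    user, {"severity": "medium", "burst_start": q[0].isoformat()})
                alert["pushes_in_window"] = len(q)
        elif result == "push_approved":
            # An approval straight after a burst is the outcome a fatigue attack
            # is aiming for, so escalate instead of treating it as a normal login.
            if len(q) >= threshold:
                alerts[user]["severity"] = "high"
                alerts[user]["approved_at"] = ts.isoformat()
            q.clear()
    return alerts

def _sample(user, start, gap_s, results):
    """Build constructed events for one user, gap_s seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * gap_s)).isoformat(), user, r)
            for i, r in enumerate(results)]

# Constructed sample events (not real logs).
SAMPLE_EVENTS = (
    _sample("alice", "2024-01-01T02:00:00", 40,
            ["push_denied"] * 4 + ["push_timeout"] * 2 + ["push_approved"])
    + _sample("bob", "2024-01-01T09:00:00", 30, ["push_denied", "push_approved"])
    + _sample("carol", "2024-01-01T03:00:00", 90, ["push_denied"] * 5)
    + _sample("dave", "2024-01-01T08:00:00", 1800, ["push_denied"] * 5)
)

if __name__ == "__main__":
    for user, alert in detect_push_fatigue(SAMPLE_EVENTS).items():
        print(user, alert)
```

In this sample, the burst that ends in an approval is rated high because the account should be treated as potentially compromised, while a single mistyped login or denials spread over hours produce no alert.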


Rely on the Expertise of a Managed Service Provider 

Many small to medium businesses (SMBs) do not have the time, resources or commitment to ensure their employees remain security-conscious and apprised of emerging threats and vulnerabilities like MFA fatigue attacks. Instead of trying to battle these threats on your own, while balancing education and training demands, consider bringing in the help of outsourced cybersecurity professionals.

A trusted managed service provider (MSP) like The TNS Group, an Omega Systems company, offers long-term, cost-efficient security solutions to not only help you combat these growing threats but also adhere to changing compliance requirements (SEC, PCI DSS, HIPAA, FDIC, etc.) and meet growing expectations for investor due diligence and cyber liability insurance.

TNS' customizable security awareness program equips your users with the intelligence needed to act as physical barriers against attacks. We provide hyper-realistic phishing simulations and automated routine reminders, best practices and security tips to keep cyber hygiene high year-round.

Plus, our in-house SOC delivers 24×7 monitoring, detection, investigation and incident response to thwart attacks before they lead to disastrous (and costly) repercussions. Trained and certified in forensic analysis, our intuitive security specialists act rapidly to intercept and respond to suspicious behavior (such as consecutive login failures or excessive MFA pushes) to keep potential security threats at bay.



Multi-factor authentication remains one of the most necessary and cost-effective security methods to prevent unauthorized access to your company’s sensitive data. But regardless of whether you’re a local nonprofit, a regional bank or a global manufacturing firm, your business must evolve its security knowledge and prevention methods to account for new threats such as MFA fatigue attacks.

With a continuous awareness program and a vigilant team of experts keeping an eye on your environment, you can stay on top of the evolving threat landscape, respond to any potentially harmful threats and recover from cyberattacks without the added burden of hiring, training and retaining your own security staff. Contact The TNS Group today to learn more.


EDITOR’S NOTE: This article was originally posted by Omega Systems. The TNS Group joined the Omega Systems family in December 2022.
