MFA FATIGUE ATTACKS
Your organization probably uses multi-factor authentication (MFA) to keep cybercriminals from accessing its data. MFA has proven to be an effective way to stop attackers who have somehow gained login credentials, but as with any good thing, criminals have found a way around it and can still access your account.
This attack method is known as an MFA fatigue attack, push-bombing, or MFA spamming. Attackers exploit the normal MFA process to overwhelm a user into granting them access.
MFA usually works by sending a code or prompt, by text message or through an app, that lets you finish logging in to your account. Hackers who have previously stolen credentials through a phishing attack or data breach will repeatedly attempt to log in until the legitimate user is overwhelmed and approves an MFA request.
Though you may initially question an unexpected MFA code, after being bombarded with requests it can be easy to mistakenly click “APPROVE” just to get the requests to stop. Knowledge of this type of attack is the best defense. If you ever receive unexpected MFA code requests, ignore them and change the account password as soon as possible.
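For the security team, the pattern described above (a run of unanswered or refused prompts, sometimes ending in an approval) can be detected in MFA logs. The following is an added example, not part of the original article; the event fields, the 10-minute window and the threshold of 3 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format): ISO time, user, prompt result.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "approved"),  # ordinary single login
    ("2024-05-01T22:10:00", "bob", "denied"),
    ("2024-05-01T22:10:40", "bob", "timeout"),
    ("2024-05-01T22:11:15", "bob", "denied"),
    ("2024-05-01T22:12:05", "bob", "timeout"),
    ("2024-05-01T22:12:50", "bob", "approved"),    # approval after a burst
    ("2024-05-01T23:00:00", "carol", "denied"),
    ("2024-05-01T23:00:30", "carol", "denied"),
    ("2024-05-01T23:01:00", "carol", "timeout"),
    ("2024-05-01T23:01:30", "carol", "denied"),    # burst, user keeps refusing
]

def detect_push_bombing(events, window=timedelta(minutes=10), threshold=3):
    """Flag users with >= threshold unapproved prompts inside the window.

    "high":   an approval followed the burst (possible fatigue approval).
    "medium": the burst is being refused (the password is likely stolen).
    Window and threshold are assumed values; tune them to your environment.
    """
    recent = defaultdict(deque)  # user -> times of recent unapproved prompts
    alerts = {}                  # user -> most severe alert seen so far
    for ts, user, result in sorted(events):
        t = datetime.fromisoformat(ts)
        q = recent[user]
        while q and t - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if result == "approved":
            if len(q) >= threshold:
                alerts[user] = {"user": user, "severity": "high", "prompts": len(q), "time": ts}
            q.clear()                    # an approval ends the current run
            continue
        q.append(t)
        if len(q) >= threshold and alerts.get(user, {}).get("severity") != "high":
            alerts[user] = {"user": user, "severity": "medium", "prompts": len(q), "time": ts}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

A "high" alert is the case to treat as a possible account takeover: revoke the session and reset the password, which matches the advice above to change the password after unexpected requests.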