Recently, attackers have been gaining access to organizations that use “push-based” multifactor authentication (MFA) through an old-fashioned idea: persistence. Push-based MFA is a method of authentication where the provider sends the user a notification on their device and the user acknowledges it to access the service. For example, Apple uses this method to grant access to iCloud accounts.
After compromising a user’s account credentials, attackers apply persistence by repeatedly trying to log in to the account. Each time the attacker tries to log in, the user receives an MFA login approval request. If the user approves the MFA request, the attacker is granted access. This type of attack is called an MFA fatigue attack or a prompt bombing attack.
If your organization uses push-based MFA, ensure your users are trained to recognize these attacks, know to resist approving the request, and know how to report suspected attacks like this within your organization. If updating your MFA technology is feasible, your organization should move to more secure versions of MFA, such as number matching, to minimize the risk of a user blindly approving MFA requests.
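On the monitoring side, the repeated approval requests described above leave a recognizable pattern in authentication logs. The following is an added example, not part of the original article: it flags users who receive a burst of push requests in a short window and marks the case where an approval follows the burst. The event layout, result values, threshold and window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs: (timestamp, user, push result).
# The field layout and result values are assumptions for this example.
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "alice", "approved"),   # ordinary single login
    ("2024-01-01T02:10:00", "bob", "denied"),
    ("2024-01-01T02:10:40", "bob", "denied"),
    ("2024-01-01T02:11:30", "bob", "timeout"),
    ("2024-01-01T02:12:10", "bob", "denied"),
    ("2024-01-01T02:13:00", "bob", "denied"),
    ("2024-01-01T02:13:45", "bob", "approved"),     # approval after a burst
    ("2024-01-01T03:00:00", "dave", "denied"),
    ("2024-01-01T03:01:00", "dave", "denied"),
    ("2024-01-01T03:02:00", "dave", "denied"),
    ("2024-01-01T03:03:00", "dave", "denied"),
    ("2024-01-01T03:04:00", "dave", "denied"),
]

def detect_push_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who receive at least `threshold` pushes within `window`.

    `approved_after_burst` is set when an approval arrives while the window
    already holds threshold - 1 or more unapproved prompts, i.e. the user may
    have given in and the session should be treated as suspect.
    """
    recent = defaultdict(deque)   # user -> sliding window of (time, result)
    alerts = {}
    for ts, user, result in sorted(events):   # ISO timestamps sort in time order
        now = datetime.fromisoformat(ts)
        q = recent[user]
        q.append((now, result))
        while now - q[0][0] > window:          # drop prompts older than window
            q.popleft()
        if len(q) < threshold:
            continue
        alert = alerts.setdefault(user, {"user": user, "first_prompt": q[0][0],
                                         "max_prompts": 0,
                                         "approved_after_burst": False})
        alert["max_prompts"] = max(alert["max_prompts"], len(q))
        unapproved = sum(1 for _, r in q if r != "approved")
        if result == "approved" and unapproved >= threshold - 1:
            alert["approved_after_burst"] = True
    return list(alerts.values())

if __name__ == "__main__":
    for a in detect_push_bursts(SAMPLE_EVENTS):
        print(a)
```

An alert with `approved_after_burst` set is the higher-priority case, since it suggests the user approved a request after a run of unapproved ones.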