
Multi-factor authentication (MFA) was seen as closing a critical gap in identity security: even if an attacker has the account password, they cannot log in without the second factor. The logic is sound, but attackers realized they did not need to steal the second factor at all. They only needed to get the user to approve it.
If employees authenticate with push-based MFA, this attack is a real threat to today's organizations. Tools like Specops Secure Access are built to close that gap, but before turning to fixes it is worth understanding how the technique works.
How MFA prompt bombs work
This attack requires three elements to work:
- Valid account credentials (usually a password obtained from a compromised-credential dump sold or leaked on the dark web)
- A login portal protected by push-based MFA (a VPN, Microsoft 365, Okta or Duo, for example)
- A user whose phone receives a push prompt each time the attacker attempts to log in
The attacker repeatedly triggers prompts, hoping to trick or exhaust the target into approving one. In some cases the prompts are paired with cold calls from someone impersonating the IT department. The danger is that the method only needs to work once.
If a prompt is approved, the attacker is logged in as that user. Security tooling usually raises no alert, because the completed login looks entirely legitimate: correct password, approved second factor.
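Because the final approval looks like a normal sign-in, the signal to hunt for is the run of denied or unanswered prompts that precedes it. The following is an added example, not code from the original article or from Specops: a small detector run over constructed sign-in records (one line per push prompt, with made-up users, source IPs and outcomes) that flags any user who accumulates a burst of non-approved prompts inside a short window, and flags again if an approval arrives while that burst is still inside the window. The window and threshold values are assumptions to tune against your own logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real logs). One line per MFA push
# sent to the user's phone: timestamp, user, source IP, outcome. The outcomes
# mirror what an IdP's MFA event log records: denied, timeout (no response),
# approved. Alice is being prompt-bombed and finally taps Approve at 02:19.
SAMPLE_LOG = """\
2022-08-01T02:14:05Z alice 203.0.113.7 timeout
2022-08-01T02:14:40Z alice 203.0.113.7 denied
2022-08-01T02:15:12Z alice 203.0.113.7 timeout
2022-08-01T02:15:50Z alice 203.0.113.7 timeout
2022-08-01T02:16:33Z alice 203.0.113.7 denied
2022-08-01T02:19:02Z alice 203.0.113.7 approved
2022-08-01T09:00:10Z bob 198.51.100.4 approved
2022-08-01T09:30:00Z carol 198.51.100.9 denied
2022-08-01T09:31:00Z carol 198.51.100.9 approved
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window per user
THRESHOLD = 3                    # assumed: non-approved prompts in WINDOW that count as a burst


def parse(line):
    """Split one constructed record into (datetime, user, ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def detect_prompt_bombing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, ip, prompt_count, kind).

    kind == "burst": the user has >= threshold denied/timed-out prompts inside
    window (raised once per burst).
    kind == "burst_then_approve": an approval arrived while such a burst was
    still inside window, i.e. the attacker most likely got in.
    """
    recent = defaultdict(deque)   # user -> timestamps of denied/timeout prompts
    burst_open = set()            # users whose current burst has been alerted on
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, ip, result = parse(line)
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts that fell out of the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in burst_open:
                burst_open.add(user)
                alerts.append((user, ip, len(q), "burst"))
        elif result == "approved":
            if len(q) >= threshold:
                alerts.append((user, ip, len(q), "burst_then_approve"))
            q.clear()                 # a successful login ends the sequence either way
            burst_open.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOG):
        print(alert)
```

In a real deployment the records would come from the identity provider's sign-in or MFA event log, and the burst_then_approve case deserves the highest priority: it is exactly the legitimate-looking login the text describes, so the session should be revoked and the user contacted out of band. Carol's single denial followed by an approval stays below the threshold, which is the everyday case of someone fumbling a prompt on their own login.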
The 2022 Cisco breach
The 2022 Cisco breach is a key example of how effective this technique is, even against a mature security program. Attackers associated with the Yanluowang ransomware group compromised a Cisco employee's personal Google account; because the employee's browser was synchronizing saved credentials, that gave them the employee's Cisco VPN password.
From there, the attackers pushed MFA prompts to the employee's phone. When that did not work at first, they added a series of phone calls posing as trusted support organizations, speaking in various accents, and eventually convinced the employee to accept a push notification.
Once it was approved, the attackers had VPN access as the employee. They then enrolled their own device in MFA for persistence and escalated to administrative privileges to reach Citrix servers and domain controllers, exfiltrating approximately 2.8 GB of data before being evicted. That prompt bombing worked against a company like Cisco, whose security posture is far from weak, shows how dangerous and effective this attack has become.
Why push MFA doesn't eliminate risk
The problem with push-based MFA is that users are asked only to approve or deny a login, and are rarely given anything to base that decision on: no clear information about where the request came from, which device made it, or whether the login attempt was their own. A single prompt may be manageable. When prompts start arriving repeatedly, it is easy to assume something is misfiring rather than recognize an attack.
Add a well-timed phone call from someone claiming to be IT support and the situation becomes even harder to assess. At that point the user is not acting carelessly; they are responding to a scenario designed to look routine and legitimate, built on credentials the attacker already holds.
3 ways organizations can prevent prompt bombing
1. Use fatigue- and phishing-resistant MFA factors
Push notifications are among the weakest common forms of MFA. FIDO2 security keys such as YubiKeys are phishing-resistant: the credential is bound to the site's origin, so there is nothing for the user to approve on an attacker's behalf. Other hardware tokens and number matching in authenticator apps are not phishing-resistant in that strict sense, but they do defeat blind prompt bombing, because the user has to enter a code that only the party at the login screen can see rather than simply tap Approve.
Specops Secure Access supports over 15 identity providers and offers these fatigue-resistant options for Windows logon, RDP, and VPN connections, so organizations can eliminate push-only MFA at high-risk access points.
2. Block leaked passwords at the source
Prompt bombing is only possible if the attacker already has a valid password. Continuously scanning Active Directory (AD) against a live database of compromised passwords, and forcing a reset whenever a match is found, removes that fuel. The default AD password policy does not detect reused, incremental (Summer2022! becoming Summer2023!), or breached passwords. If you are unsure where you stand, Specops Password Auditor provides a free, read-only scan of your AD that flags weaknesses such as compromised passwords and inactive administrator accounts.
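The default AD policy checks length and complexity, which is why a password like Summer2023! passes when Summer2022! has already leaked. As an added example (not Specops code, and not a description of how their product is implemented), the checker below does what the paragraph describes: it hashes the candidate the way breached-password feeds such as Have I Been Pwned distribute hashes (uppercase SHA-1) and compares it against a breached set, and it also reduces each password to a root (the base word without trailing digits and symbols) so that incremental variants of a breached or previously used password are rejected too. The compromised-password list is a constructed stand-in for a live feed.

```python
import hashlib
import re

# Constructed stand-in for a compromised-password feed. Real feeds are
# distributed as SHA-1 hashes rather than plaintext, so that is what we store.
COMPROMISED_PLAINTEXT = ["Summer2022!", "Password1", "Welcome123", "Cisco2022"]


def sha1_upper(password):
    """Uppercase hex SHA-1, the format used by breached-password hash sets."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


COMPROMISED_HASHES = {sha1_upper(p) for p in COMPROMISED_PLAINTEXT}

# The "incremental" family: a base word, optional trailing digits, optional
# trailing symbols. Summer2022! -> root "summer", Welcome123 -> root "welcome".
_INCREMENT = re.compile(r"^(.*?)(\d+)?([^\w]*)$")


def root_of(password):
    """Lower-cased base word with any trailing digits/symbols stripped."""
    return _INCREMENT.match(password).group(1).lower()


# Roots are derived once from the feed so variants can be matched by root.
# (Real feeds only carry hashes; roots would come from your own history and
# known-bad base-word lists. Using the plaintext here is a demo simplification.)
COMPROMISED_ROOTS = {root_of(p) for p in COMPROMISED_PLAINTEXT if root_of(p)}


def check_password(candidate, previous_passwords=()):
    """Return the reasons a candidate password should be rejected (empty == ok).

    Checks, in order: exact breach match, incremental variant of a breached
    password, exact reuse of a previous password, incremental variant of one.
    """
    reasons = []
    if sha1_upper(candidate) in COMPROMISED_HASHES:
        reasons.append("breached")
    root = root_of(candidate)
    if root and root in COMPROMISED_ROOTS:
        reasons.append("incremental variant of a breached password")
    for old in previous_passwords:
        if candidate == old:
            reasons.append("reused")
        elif root and root == root_of(old):
            reasons.append("incremental variant of a previous password")
    return reasons


if __name__ == "__main__":
    for pw, history in [("Summer2023!", []), ("Winter2023!", ["Winter2022!"]),
                        ("correct horse battery staple", [])]:
        print(pw, "->", check_password(pw, history) or "accepted")
```

Against a live feed you would query the hash rather than keep a local set (the k-anonymity range API lets you send only the first five hex characters), and the previous-password history would be the user's stored hashes with the same root normalization applied at change time.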
3. Add risk signals to logins
Conditional Access policies that weigh geography, device state, and login time can block the attempt, or require a stronger factor, before any prompt reaches the user's phone. That reduces reliance on the user's judgement alone, adds real-time context, and stops suspicious logins before they become compromised accounts.
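One way to express those risk checks as code, added here as an illustration rather than any vendor's policy engine: the function below evaluates a sign-in attempt before a push is sent. It blocks attempts from outside an allowed country set and attempts that imply impossible travel from the user's last successful sign-in, requires a phishing-resistant step-up when the device is non-compliant or the hour is unusual, and only then allows a push prompt. The country list, hours and speed threshold are assumed values; the coordinates and timestamps (epoch seconds) would come from the identity provider's sign-in event.

```python
from math import asin, cos, radians, sin, sqrt

# Assumed policy values; tune per organization.
TRUSTED_COUNTRIES = {"SE", "US"}
PUSH_HOURS = range(6, 22)      # local hours in which a push prompt is acceptable at all
MAX_SPEED_KMH = 900.0          # implied travel speed above this => impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def decide(attempt, last_signin):
    """Decide what to do with a sign-in attempt BEFORE any push is sent.

    attempt: dict with country, lat, lon, ts (epoch seconds), local_hour,
             device_compliant
    last_signin: dict with lat, lon, ts from the user's most recent successful
             sign-in, or None if there is no history
    Returns "block", "step_up" (require a phishing-resistant factor) or "push".
    """
    if attempt["country"] not in TRUSTED_COUNTRIES:
        return "block"
    if last_signin is not None:
        km = haversine_km(last_signin["lat"], last_signin["lon"],
                          attempt["lat"], attempt["lon"])
        # Clamp elapsed time to one minute so a near-simultaneous sign-in from
        # a distant location is treated as impossible rather than dividing by zero.
        hours = max((attempt["ts"] - last_signin["ts"]) / 3600.0, 1.0 / 60)
        if km / hours > MAX_SPEED_KMH:
            return "block"
    if not attempt["device_compliant"] or attempt["local_hour"] not in PUSH_HOURS:
        return "step_up"
    return "push"


if __name__ == "__main__":
    # Constructed scenario: last good sign-in from Stockholm, then an attempt
    # from New York one hour later with the same credentials.
    t0 = 1659340800
    last = dict(lat=59.33, lon=18.07, ts=t0)
    attempt = dict(country="US", lat=40.71, lon=-74.01, ts=t0 + 3600,
                   local_hour=4, device_compliant=True)
    print(decide(attempt, last))   # impossible travel => block, no prompt sent
```

The ordering matters: anything that is a hard block is decided before the device and time checks, and the step-up path should lead to a factor that cannot be approved by mistake (a FIDO2 key or number matching), not to another push. A user who is legitimately travelling will hit the step-up or block path too, which is why the block outcome belongs in the sign-in log alongside the prompt data.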
MFA still matters
MFA prompt bombing is not a reason to move away from MFA, but it does show where some factors fall short. If approval requests can be triggered repeatedly and arrive without meaningful context, the control is weaker than intended.
If push is still your default second factor, that decision is worth revisiting. Number matching or phishing-resistant methods strengthen the factor itself, and scanning for compromised passwords limits the attacker's chance of ever holding the first one. If you want to evolve your identity security with more robust MFA, talk to Specops.
