MFA Prompt Bombing: How Attackers Bypass Multi-Factor Authentication and What You Can Do About It
Multi-factor authentication (MFA) is increasingly under attack. While MFA aims to protect accounts by requiring a second factor, attackers are now exploiting push-based MFA through 'prompt bombing,' overwhelming users with repeated login requests until they approve one. This article examines the mechanics of this attack, its real-world impact, and practical steps organizations can take to defend against it.

Multi-factor authentication (MFA) was designed to enhance security by requiring a second factor, even if account credentials were compromised. However, attackers are now circumventing this protection by manipulating users into approving malicious login requests through a technique known as MFA prompt bombing.
Organizations using push-based MFA are particularly vulnerable. Tools like **Specops Secure Access** are designed to mitigate this threat. Let's examine how this technique works.
## How MFA Prompt Bombing Works
This attack relies on three key elements:
* Valid account credentials, often obtained from breached password databases.
* A login portal utilizing push-based MFA, such as a VPN, **Microsoft 365**, **Okta**, or **Duo**.
* A target who receives alerts for each login attempt.
Attackers flood the target with MFA prompts, hoping they will eventually approve one either by mistake or out of frustration. This tactic is often combined with vishing (voice phishing) calls, where attackers impersonate IT support to socially engineer the target into approving the request. The danger lies in the fact that the attacker only needs to succeed once.
Once a prompt is approved, the attacker gains access as the legitimate user. Because the login appears legitimate, security systems are unlikely to raise an alert.
## The **Cisco** Breach
The **Cisco** breach in 2022 demonstrates the effectiveness of this technique. An attacker, linked to the **Yanluowang** ransomware group, compromised a **Cisco** employee's personal **Google** account, gaining access to browser-stored credentials, including their **Cisco** VPN password.
The attacker then initiated MFA prompts to the employee's phone. Initially unsuccessful, they resorted to vishing calls, impersonating trusted support personnel with various accents, ultimately persuading the employee to approve a push notification.
This granted the attacker VPN access as the employee. They then enrolled their own devices for MFA persistence, escalated privileges, accessed **Citrix** servers and domain controllers, and exfiltrated approximately 2.8GB of data before being detected. The success of prompt bombing against **Cisco**, a company with a robust security posture, underscores its potential danger.
## Why Push MFA Doesn't Eliminate Risk
Push-based MFA presents a challenge because users have little information when approving or denying a login. They are not shown where the request came from, which device is being used, or whether they initiated the attempt themselves. A single unexpected prompt is manageable, but repeated prompts lead users to assume a system malfunction rather than recognize an attack in progress.
Coupled with a well-timed phone call from a fake IT support representative, the situation becomes even more complex. The user, believing they are responding to a legitimate request, inadvertently grants access to an attacker who already possesses their credentials.
## 3 Ways to Prevent Prompt Bombing
### 1. Use Fatigue and Phishing-Resistant MFA Factors
Push notifications are the weakest form of MFA. Phishing-resistant factors, such as FIDO2 security keys (**YubiKey**), hardware tokens, or number-matching codes from authenticator apps, are more difficult to exploit.
**Specops Secure Access** supports over 15 identity providers and offers fatigue-resistant options for Windows logon, RDP, and VPN connections, enabling organizations to replace push-only MFA for high-risk access points.

### 2. Block Compromised Passwords at the Source
Prompt bombing relies on attackers possessing valid passwords. Continuously scanning **Active Directory (AD)** against a live database of breached passwords and forcing resets when matches are found eliminates the foundation for the attack. Default AD password policies are insufficient for detecting reused, incremental, or breached passwords. **Specops Password Auditor** provides a free, read-only scan of your AD, identifying vulnerabilities like compromised passwords or inactive admin accounts.

### 3. Add Risk Signals to the Login
Conditional access policies, considering factors like geography, device posture, and login times, can block or require additional authentication before a prompt is sent to the user. This reduces reliance on user behavior and introduces real-time context to prevent suspicious logins from resulting in account compromise.
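As an added example (not code from the article or from Specops), the following Python sketch applies the two defensive ideas above: a gate evaluated before any push is sent, which throttles pushes per user and refuses a bare approve/deny prompt when a risk signal such as a new device or unusual geography is present, and a detector that flags the burst-then-approval pattern described under "How MFA Prompt Bombing Works" in a constructed push log. The window size, threshold and log format are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Assumed policy values (not from the article): 10-minute window, at most 3 pushes in it.
WINDOW = timedelta(minutes=10)
MAX_PUSHES = 3

class PushGate:
    """Evaluated before a push is sent, so a flood never reaches the user's phone."""
    def __init__(self):
        self.recent = defaultdict(deque)  # user -> timestamps of pushes sent in the window
    def should_send(self, user, now, new_device=False, unusual_geo=False):
        q = self.recent[user]
        while q and now - q[0] > WINDOW:  # forget pushes that fell out of the window
            q.popleft()
        if len(q) >= MAX_PUSHES:
            return False, "throttled: too many pushes in window"
        if new_device or unusual_geo:  # risk signal: offer no bare approve/deny push at all
            return False, "step-up: require number matching or a FIDO2 key"
        q.append(now)
        return True, "push sent"

def gate_demo():
    """Replays a constructed flood: five pushes for one user, one minute apart."""
    gate, t0 = PushGate(), datetime(2024, 1, 1, 2, 0, 0)
    return [gate.should_send("carol", t0 + timedelta(minutes=i))[0] for i in range(5)]

# Constructed sample push log (hypothetical format): "<ISO timestamp> <user> <result>".
SAMPLE_LOG = """\
2024-01-01T02:00:00 alice timeout
2024-01-01T02:00:40 alice denied
2024-01-01T02:01:20 alice timeout
2024-01-01T02:02:00 alice approved
2024-01-01T09:15:00 bob approved
"""

def detect_bombing(log_text):
    """Flag users whose approval follows >= MAX_PUSHES denied/unanswered pushes in WINDOW."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, result = line.split()
        by_user[user].append((datetime.fromisoformat(ts), result))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (ts, result) in enumerate(events):
            if result != "approved":
                continue
            prior = [e for e in events[:i] if ts - e[0] <= WINDOW and e[1] in ("denied", "timeout")]
            if len(prior) >= MAX_PUSHES:
                flagged[user] = f"{len(prior)} denied/unanswered pushes, then approval at {ts.isoformat()}"
    return flagged
```

In the constructed log, alice's approval after three denied or timed-out pushes within the window is flagged, while bob's single approval is not; the gate stops the fourth and fifth push of carol's flood before they are sent.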
## MFA Still Matters
MFA prompt bombing doesn't invalidate MFA but highlights the limitations of certain factors. When approval requests can be triggered repeatedly without context, the control becomes vulnerable to manipulation.
If push notifications are your default second factor, reconsider this decision. Number matching or phishing-resistant methods enhance MFA, while scanning for compromised passwords reduces the risk of attackers gaining initial access. Explore more robust MFA solutions to strengthen your identity security.