New Threat Report Shows Attackers Increasingly Exploiting MFA Fatigue

By Ben Brigida, Director, Security Operations, Expel

If you want to know what’s happening in the cybersecurity world, it helps to have up-to-date information. That means staying on top of annual reports discussing the broader trends in security, but it also means diving into more timely reporting. Expel’s new Quarterly Threat Report provides the opportunity to do just that, examining incidents identified by the Expel security operations center (SOC) during the third quarter (Q3) of 2022. Those incidents span a broad range of industries and an even broader range of individual businesses, and they include alerts, email submissions, and other threat hunting leads.

The report helps to highlight some of the emerging—and continuing—trends from across the cybersecurity landscape, including the ongoing rise in identity-based incidents and attackers’ increasing focus on finding new ways to defeat multi-factor authentication (MFA). The full report is available here, but below is a selection of highlights that lay bare some of the most pressing threats companies faced in the third quarter of this year.

Attackers Are Exploiting Users’ MFA Fatigue

To be clear, MFA is important—roughly half of the business application compromise (BAC) incidents included in the report were stopped by MFA or conditional access policies, making its value clear. Unfortunately, that means the other half slipped through the cracks.  While MFA is an essential tool in organizations’ security strategies, it isn’t enough on its own. Attackers are continuing to identify ways to exploit some of its weaknesses. Chief among them is the fact that, eventually, many users get tired of pulling out their phones and engaging with MFA notifications—which leads to poor judgment. The research shows that in over 80% of successful compromises, MFA and conditional access policies were properly installed and configured—the attacker was simply able to trick the legitimate user into satisfying the MFA request.

Attackers have found considerable success overwhelming their targets with repeated MFA requests. The data shows that a significant percentage of users eventually accept the request—even if just to make the notifications stop. Many rationalize that it’s probably a member of the IT team making an update or change, and don’t think twice about it. But the unfortunate truth is that attackers are simply annoying users into causing a potentially serious breach. It’s a cunning tactic—one that preys on human nature.

Stopping this requires MFA users to adapt alongside the bad actors. How? Organizations can disable push notifications in favor of a Fast Identity Online (FIDO) compliant solution, which helps alleviate the risk of an overwhelmed employee simply granting access without thinking. Other options include number matching, which requires the user to enter numbers from the identity platform into the MFA app to approve the authentication request. While less seamless, this option requires active engagement from the user, greatly reducing the risk.

Identity Attacks Are Not Slowing Down

It’s become almost a mantra in the cybersecurity industry, but—as has been the case for some time—identity-based attacks continue to rise. In Q3, they accounted for 59% of all incidents detected by the Expel SOC, up from 56% in Q2—already a concerningly high number. Business email compromise (BEC) and BAC attacks were among the most common tactics, and accounted for 55% of all incidents identified, underscoring the fact that attackers continue to find success with social engineering tactics.

There is hope on the BEC front, though. All of the BEC attacks our SOC detected targeted Microsoft 365, and many experts believe that Microsoft’s decision to disable Basic Authentication by default in Q4 may help address the problem. Attackers have become extremely adept at exploiting the weaknesses inherent to Basic Auth, and Microsoft’s decision will likely force them to shift to new techniques. It may not be a long-term solution, anything that impedes attackers is a step in the right direction.

Attackers Put a New Spin on Old Tactics

There are a few additional findings worth noting—particularly in areas where attackers are evolving their tactics. Ransomware continues to be a significant problem, but attackers are increasingly turning to zipped JavaScript or ISO files, abandoning the use of visual basic for application (VBA) macros and Excel 4.0 macros, which were previously the most popular ways to gain entry to Windows-based environments. In fact, zipped JavaScript files accounted for 46% of all pre-ransomware incidents, underscoring the need to keep a watchful eye out for suspicious files. (By the way, this shift is likely thanks to Microsoft’s decision to block macros by default in Microsoft 365 applications.)

Attackers have also refined their social engineering tactics, and themes having to do with “invoices,” “order confirmations,” “payment,” and “requests” are now among the most commonly used in email subject lines in phishing attempts. The most common, though? Blank subject lines. These terms create a sense of urgency or fear in recipients, clouding their judgment and making them more likely to make a mistake. Where email attacks are concerned, attackers are also increasingly using IPs geolocated within the U.S. when targeting U.S.-based organizations. This helps them bypass conditional access mitigation efforts and is something security teams should keep an eye on moving forward. Simply blocking or adding additional scrutiny to overseas IPs is no longer enough.

Recognize Attackers’ Shifting Strategies

These Quarterly Threat Report findings highlight the ways attackers are  shifting their tactics in response to new security measures. As more organizations implement MFA, they are finding methods to circumvent it. As users grow more aware of social engineering tactics, they are finding new ways to disrupt their thinking. Until organizations demonstrate the ability to consistently stop identity-based attacks, they aren’t going anywhere. The battle between security teams and attackers is a constant cat-and-mouse game, with each adapting to the other’s tactics as they evolve. There is no silver bullet that will solve every security challenge—but understanding these threats is the first step toward stopping them.

About the Author

Ben Brigida is the Director of SOC Operations at Expel. In this role, he’s responsible for making sure Expel maintains the quality of delivery customers have come to expect. Ben has been with Expel since the company’s inception in 2016. Prior to Expel, Ben worked in the security operations center (SOC) at FireEye.

Ben can be reached online via LinkedIn and at our company website https://expel.com/