A social engineering technique called ‘MFA Fatigue’, aka ‘MFA push spam’ or ‘MFA Exhaustion’, is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Risk
- Last Updated: 2022-09-27
- Author: Michael Haag, Splunk
- ID: 7c6e508d-4b4d-42c8-82de-5ff4ea3b0cb3
An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account owner’s mobile device. The goal is to keep this up, day and night, to break down the target’s cybersecurity posture and inflict a sense of “fatigue” regarding these MFA prompts.
| Name | Technique | Type |
|---|---|---|
| Okta Account Locked Out | Brute Force | Anomaly |
| Okta MFA Exhaustion Hunt | Brute Force | Hunting |
| Okta Risk Threshold Exceeded | Valid Accounts, Brute Force | Correlation |
| Okta Two or More Rejected Okta Pushes | Brute Force | TTP |
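
The push-spam pattern described above can be found with a per-user sliding window over Okta System Log events. The sketch below is an added example, not one of the Splunk searches listed in the table: the three event types are assumed to be the relevant ones, and the 10-minute window, the thresholds and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Okta System Log event types for Okta Verify push (assumed to be the relevant set).
PUSH_SENT = "system.push.send_factor_verify_push"
PUSH_DENIED = "user.mfa.okta_verify.deny_push"
MFA_OK = "user.authentication.auth_via_mfa"

# Constructed sample events (not real logs): (published, actor.alternateId, eventType)
SAMPLE_EVENTS = [
    ("2022-09-27T02:00:05Z", "alice@example.com", PUSH_SENT),
    ("2022-09-27T02:00:20Z", "alice@example.com", PUSH_DENIED),
    ("2022-09-27T02:01:10Z", "alice@example.com", PUSH_SENT),
    ("2022-09-27T02:01:25Z", "alice@example.com", PUSH_DENIED),
    ("2022-09-27T02:03:15Z", "alice@example.com", PUSH_SENT),
    ("2022-09-27T02:03:30Z", "alice@example.com", PUSH_DENIED),
    ("2022-09-27T02:04:40Z", "alice@example.com", PUSH_SENT),
    ("2022-09-27T02:05:50Z", "alice@example.com", PUSH_SENT),
    ("2022-09-27T02:06:02Z", "alice@example.com", MFA_OK),
    ("2022-09-27T10:00:00Z", "carol@example.com", PUSH_SENT),
    ("2022-09-27T10:00:10Z", "carol@example.com", PUSH_DENIED),
    ("2022-09-27T11:30:00Z", "carol@example.com", PUSH_SENT),
    ("2022-09-27T11:30:09Z", "carol@example.com", MFA_OK),
]

def find_push_fatigue(events, window=timedelta(minutes=10), min_pushes=5, min_denies=2):
    """Per user, flag a sliding window with many pushes or repeated denials."""
    recent = defaultdict(deque)  # user -> (timestamp, eventType) still inside the window
    findings = {}
    for published, user, etype in sorted(events):
        ts = datetime.strptime(published, "%Y-%m-%dT%H:%M:%SZ")
        q = recent[user]
        while q and ts - q[0][0] > window:
            q.popleft()  # drop events that have aged out of the window
        if etype in (PUSH_SENT, PUSH_DENIED):
            q.append((ts, etype))
        elif etype != MFA_OK:
            continue
        pushes = sum(t == PUSH_SENT for _, t in q)
        denies = sum(t == PUSH_DENIED for _, t in q)
        if pushes < min_pushes and denies < min_denies:
            continue
        f = findings.setdefault(user, {"pushes": 0, "denies": 0, "approved_after_burst": False})
        f["pushes"], f["denies"] = max(f["pushes"], pushes), max(f["denies"], denies)
        f["approved_after_burst"] |= etype == MFA_OK  # approval during a burst: triage first
    return findings

if __name__ == "__main__":
    print(find_push_fatigue(SAMPLE_EVENTS))
```

A finding with `approved_after_burst` set means an MFA success arrived while the burst was still inside the window, which is the case where the user may have given in to the prompts.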
Version: 1