Description

A social engineering technique called ‘MFA Fatigue’, also known as ‘MFA push spam’ or ‘MFA Exhaustion’, is growing more popular with threat actors because it requires no malware or phishing infrastructure and has proven successful in real attacks.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication, Risk
  • Last Updated: 2022-09-27
  • Author: Michael Haag, Splunk
  • ID: 7c6e508d-4b4d-42c8-82de-5ff4ea3b0cb3

Narrative

An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account owner’s mobile device. The goal is to keep this up, day and night, to wear down the target’s cybersecurity posture and inflict a sense of “fatigue” regarding these MFA prompts, until the target eventually approves one.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Okta Account Locked Out | Brute Force | Anomaly |
| Okta MFA Exhaustion Hunt | Brute Force | Hunting |
| Okta Mismatch Between Source and Response for Verify Push Request | Multi-Factor Authentication Request Generation | TTP |
| Okta Risk Threshold Exceeded | Valid Accounts, Brute Force | Correlation |
| Okta Two or More Rejected Okta Pushes | Brute Force | TTP |
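The “Two or More Rejected Okta Pushes” idea from the table above, as an added Python example that is not Splunk’s own SPL detection: it counts rejected MFA pushes per user inside a sliding time window over constructed Okta-style System Log events. The eventType and field names are assumptions modelled on the Okta System Log layout, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Field names (published, eventType, actor.alternateId, outcome.result) follow the
# Okta System Log layout; the exact eventType a tenant emits for a rejected push is
# an assumption here, so treat it as a placeholder when adapting to real data.
REJECT_EVENT = "user.authentication.auth_via_mfa"


def _ev(ts, etype, user, result):
    return {"published": ts, "eventType": etype, "actor.alternateId": user, "outcome.result": result}


# Constructed sample events (not real logs):
#  - alice rejects three pushes within five minutes, then one more an hour later
#  - bob rejects a single push (a plausible accidental tap)
#  - dave rejects two pushes twenty minutes apart (outside a ten-minute window)
SAMPLE_EVENTS = [
    _ev("2022-09-27T02:00:05Z", "system.push.send_verify_push", "alice@example.com", "SUCCESS"),
    _ev("2022-09-27T02:00:40Z", REJECT_EVENT, "alice@example.com", "FAILURE"),
    _ev("2022-09-27T02:02:10Z", REJECT_EVENT, "alice@example.com", "FAILURE"),
    _ev("2022-09-27T02:04:55Z", REJECT_EVENT, "alice@example.com", "FAILURE"),
    _ev("2022-09-27T03:30:00Z", REJECT_EVENT, "alice@example.com", "FAILURE"),
    _ev("2022-09-27T02:05:00Z", REJECT_EVENT, "bob@example.com", "FAILURE"),
    _ev("2022-09-27T02:10:00Z", REJECT_EVENT, "dave@example.com", "FAILURE"),
    _ev("2022-09-27T02:30:00Z", REJECT_EVENT, "dave@example.com", "FAILURE"),
    _ev("2022-09-27T02:31:00Z", "system.push.send_verify_push", "carol@example.com", "SUCCESS"),
]


def rejected_push_bursts(events, threshold=2, window_minutes=10):
    """Return {user: max rejected pushes seen inside any window_minutes span}
    for users whose maximum reaches threshold; everyone else is omitted."""
    window = timedelta(minutes=window_minutes)
    rejections = defaultdict(list)
    for e in events:
        if e["eventType"] == REJECT_EVENT and e["outcome.result"] == "FAILURE":
            rejections[e["actor.alternateId"]].append(
                datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for user, times in rejections.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    print(rejected_push_bursts(SAMPLE_EVENTS))  # {'alice@example.com': 3}
```

Widening the window to thirty minutes also surfaces dave, which is the tuning knob a SOC would adjust against its own false-positive rate.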
