T1621 Multi-Factor Authentication Request Generation Mappings

Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.

Adversaries in possession of credentials to Valid Accounts may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.

In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.” (Citation: Russian 2FA Push Annoyance - Cimpanu) (Citation: MFA Fatigue Attacks - PortSwigger) (Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)
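As an added example (not part of the ATT&CK entry or these mappings), the following Python flags users who receive a burst of MFA push requests within a short window and marks bursts that end in an approval after repeated rejections. The event tuple layout, outcome values, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, outcome).
# The layout and outcome values are assumptions, not any vendor's log schema.
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:05", "alice", "denied"),
    ("2024-05-01T02:00:40", "alice", "timeout"),
    ("2024-05-01T02:01:10", "alice", "denied"),
    ("2024-05-01T02:02:00", "alice", "timeout"),
    ("2024-05-01T02:03:15", "alice", "denied"),
    ("2024-05-01T02:04:02", "alice", "approved"),  # approval after 5 rejections
    ("2024-05-01T08:30:00", "bob", "approved"),    # ordinary sign-ins
    ("2024-05-01T13:15:00", "bob", "approved"),
    ("2024-05-01T09:00:00", "carol", "denied"),    # burst, never approved
    ("2024-05-01T09:02:00", "carol", "denied"),
    ("2024-05-01T09:04:00", "carol", "denied"),
    ("2024-05-01T09:06:00", "carol", "denied"),
    ("2024-05-01T09:08:00", "carol", "denied"),
]

def detect_push_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return one finding per user whose push count reaches `threshold`
    inside a sliding `window`; note whether an approval closed the burst."""
    recent = defaultdict(deque)  # user -> (timestamp, outcome) inside window
    findings = {}
    for ts_str, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        q.append((ts, outcome))
        while ts - q[0][0] > window:  # drop pushes older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        f = findings.setdefault(
            user, {"user": user, "max_pushes": 0, "approved_after_burst": False})
        f["max_pushes"] = max(f["max_pushes"], len(q))
        rejected = sum(1 for _, o in q if o != "approved")
        # An approval preceded by many denied or timed-out pushes is the
        # highest-priority case: the user may have given in to the prompts.
        if outcome == "approved" and rejected >= threshold - 1:
            f["approved_after_burst"] = True
    return list(findings.values())

if __name__ == "__main__":
    for finding in detect_push_bursts(SAMPLE_EVENTS):
        print(finding)
```

A finding with `approved_after_burst` set is the one to triage first, since it pairs the burst with a granted session.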


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1621 | Multi-Factor Authentication Request Generation |
| AC-6 | Least Privilege | Protects | T1621 | Multi-Factor Authentication Request Generation |
| CM-5 | Access Restriction for Change | Protects | T1621 | Multi-Factor Authentication Request Generation |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1621 | Multi-Factor Authentication Request Generation |
| IA-3 | Device Identification and Authentication | Protects | T1621 | Multi-Factor Authentication Request Generation |
| IA-5 | Authenticator Management | Protects | T1621 | Multi-Factor Authentication Request Generation |