
MFA Fatigue Attack Simulation

Push Spam • Social Engineering • Akira Ransomware

Tags: Blue Team • MFA Security • Akira Ransomware • Interactive

Akira Ransomware: MFA Fatigue Attacks (2025)

Throughout 2025, the Akira ransomware group weaponized MFA push-spam to bypass multi-factor authentication protections.

  • Attack Method: Bombard users with 50-100 MFA push notifications until they approve
  • Success Rate: 15-20% of users eventually approve after 30+ prompts
  • Impact: Government agencies in Canada compromised via third-party MFA exploitation
  • Result: Once approved, attackers gain full access to corporate networks and deploy ransomware

What is MFA Fatigue?

MFA Fatigue (also called "Push Bombing" or "MFA Spam") exploits human weakness, not the technology. Attackers who already hold valid credentials (from phishing, password reuse, or breaches) repeatedly trigger MFA push notifications until the annoyed user approves one.

Attack Scenario:

  1. Attacker obtains credentials: via phishing, credential stuffing, or a data breach
  2. Login attempts trigger MFA pushes: the user's phone receives 50-100 push notifications in 10 minutes
  3. User gets exhausted/confused: "Maybe I accidentally triggered this?" or "Make it stop!"
  4. User approves to stop the spam: the attacker gains access to the corporate network

Why MFA Fatigue Works (Human Psychology)

Cognitive Overload

50+ notifications overwhelm decision-making. Users stop thinking critically and just want to "make it stop."

Self-Doubt

"Did I accidentally trigger this by trying to log in? Maybe I should approve to fix my mistake."

Interruption Fatigue

Notifications during work, meetings, or sleep disrupt productivity. Users approve just to continue their day.

Authority Confusion

Some attackers call the user pretending to be IT support: "We need you to approve these MFA prompts for a security update."

Detection & Prevention

1. Rate Limiting & Throttling

Limit MFA push attempts per user per time period.

Rule: Max 3 MFA pushes per 5 minutes
Action: Lock account for 15 min after 3 denials
Alert: Notify security team + user via email
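The throttle described by the rule above, written out as an added example (not code from the original page or from any identity provider): a per-user sliding window that allows at most 3 pushes per 5 minutes, locks the account for 15 minutes on the third denial, and records an alert for the security team and the user. The `request_push` and `record_denial` hooks are assumed integration points, and the push-per-second attacker in `simulate_spam` is a constructed scenario.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Thresholds taken from the rule above
MAX_PUSHES_PER_WINDOW = 3          # max 3 MFA pushes per 5 minutes
WINDOW = timedelta(minutes=5)
DENIALS_TO_LOCK = 3                # lock after 3 denials
LOCK_DURATION = timedelta(minutes=15)

# Constructed start time for the simulated scenario below
SIM_START = datetime(2025, 3, 4, 9, 0, tzinfo=timezone.utc)


def seconds_after_start(n):
    """Timestamp n seconds after the constructed scenario start."""
    return SIM_START + timedelta(seconds=n)


class PushThrottle:
    """Per-user MFA push throttle. Assumed integration point (hypothetical hooks,
    not a real IdP API): the identity provider calls request_push() before
    delivering a push and record_denial() when the user taps Deny."""

    def __init__(self):
        self.sent = {}          # user -> deque of delivery timestamps
        self.denied = {}        # user -> deque of denial timestamps
        self.locked_until = {}  # user -> datetime at which the lock expires
        self.alerts = []        # (user, timestamp, message) for the SOC and the user

    @staticmethod
    def _trim(dq, now):
        # Drop timestamps that fell out of the sliding 5-minute window
        while dq and now - dq[0] > WINDOW:
            dq.popleft()

    def request_push(self, user, now):
        """Return True if a push may be delivered now, False if throttled or locked."""
        if self.locked_until.get(user, now) > now:
            return False
        dq = self.sent.setdefault(user, deque())
        self._trim(dq, now)
        if len(dq) >= MAX_PUSHES_PER_WINDOW:
            return False
        dq.append(now)
        return True

    def record_denial(self, user, now):
        """Count a denial; on the third one in the window, lock and alert."""
        dq = self.denied.setdefault(user, deque())
        self._trim(dq, now)
        dq.append(now)
        if len(dq) < DENIALS_TO_LOCK:
            return False
        self.locked_until[user] = now + LOCK_DURATION
        self.alerts.append((user, now, "locked 15 min after 3 denials; notify security team and user"))
        dq.clear()
        return True


def simulate_spam(throttle, user, attempts):
    """Constructed scenario: one push request per second, and the user denies
    every push that actually reaches the phone. Returns delivery counts."""
    counts = {"delivered": 0, "blocked": 0}
    for i in range(attempts):
        now = seconds_after_start(i)
        if throttle.request_push(user, now):
            counts["delivered"] += 1
            throttle.record_denial(user, now)
        else:
            counts["blocked"] += 1
    return counts


if __name__ == "__main__":
    t = PushThrottle()
    print(simulate_spam(t, "alice", attempts=20))            # {'delivered': 3, 'blocked': 17}
    print(t.alerts)
    print(t.request_push("alice", seconds_after_start(600)))  # False: still locked
    print(t.request_push("alice", seconds_after_start(903)))  # True: lock expired
```

Only three pushes ever reach the phone, so the "50-100 notifications" pressure described above never builds up, and the lock plus alert turns the attacker's persistence into a detection signal instead of a nuisance for the user.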

2. Number Matching (Best Defense)

Instead of "Approve/Deny", show a number on the login screen that the user must type into their phone.

❌ Old MFA:

"Approve this login?" [Yes] [No]

✓ Number Match:

"Enter the number: 73" [___]

User must see the login screen to get the number → can't approve blindly
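The server side of number matching, as an added example that is not the page's or any vendor's code: each login attempt gets its own unguessable id and a fresh two-digit number, the phone app can only answer with a number (there is no bare Approve), and a challenge is consumed by its first answer so a wrong guess cannot be retried and a correct answer cannot be replayed. The 60-second challenge lifetime, the `start_login`/`answer_from_phone` method names and the injectable clock are assumptions for illustration.

```python
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 60   # assumed: an unanswered challenge dies after a minute


class NumberMatchMFA:
    """Server side of number matching (hypothetical API, not a specific product).
    Flow: after the password check, start_login() returns the number shown on
    the login screen; the phone must send that number back through
    answer_from_phone(). Nothing the phone can do approves the login blindly."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be exercised deterministically
        self.pending = {}       # login_id -> (user, number, expires_at)

    def start_login(self, user):
        login_id = secrets.token_urlsafe(16)    # unguessable per-attempt id
        number = secrets.randbelow(90) + 10     # two digits, like the "73" above
        self.pending[login_id] = (user, number, self.clock() + CHALLENGE_TTL_SECONDS)
        return login_id, number

    def answer_from_phone(self, login_id, typed):
        """Approve only if the typed number matches this attempt and it is still
        fresh. The challenge is removed on any answer, right or wrong."""
        entry = self.pending.pop(login_id, None)
        if entry is None:
            return False                        # unknown, already answered, or replayed
        _user, number, expires_at = entry
        if self.clock() > expires_at:
            return False                        # stale challenge
        try:
            typed_num = int(typed)
        except (TypeError, ValueError):
            return False
        return hmac.compare_digest(f"{number:02d}", f"{typed_num:02d}")

    def pending_for(self, user):
        """How many unanswered challenges a user currently has (spam indicator)."""
        return sum(1 for u, _, _ in self.pending.values() if u == user)


if __name__ == "__main__":
    mfa = NumberMatchMFA()
    # Legitimate login: the user reads the number off their own screen
    login_id, number = mfa.start_login("alice")
    print(mfa.answer_from_phone(login_id, number))       # True
    print(mfa.answer_from_phone(login_id, number))       # False: consumed
    # Push spam: 50 attempts whose numbers only appear on the attacker's screen
    spam = [mfa.start_login("alice") for _ in range(50)]
    print(mfa.pending_for("alice"))                      # 50
    print(mfa.answer_from_phone(spam[0][0], "00"))       # False: user cannot know the number
```

The constant-time comparison and single-use challenge are the same hygiene you would apply to any OTP; the point specific to push bombing is that an exhausted user tapping through prompts cannot produce a valid answer without the attacker's screen in front of them, while `pending_for` gives the SIEM a count to alert on.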

3. Context-Aware MFA

Show the user details about the login attempt (location, device, time).

MFA notification should show:
  • Location: "Moscow, Russia" (user is in New York → suspicious)
  • Device: "Windows PC" (user uses Mac → suspicious)
  • Time: "3:00 AM local time" (user doesn't work nights → suspicious)

4. Behavioral Analytics

Use ML to detect anomalous patterns.

Pattern: 50 MFA pushes in 10 minutes → auto-block
Pattern: User never logs in at 3 AM → flag as suspicious
Pattern: Login from new country → require additional verification

User Awareness Training

What Users Should Do:

  • Never approve unexpected MFA prompts
  • Check location/device info before approving
  • Report suspicious MFA spam to security team immediately
  • Change password if MFA spam occurs (credentials may be compromised)

What Users Should NOT Do:

  • Don't approve to "make it stop"
  • Don't assume it's a mistake and approve
  • Don't ignore repeated prompts - report them!
  • Don't trust callers claiming to be IT asking you to approve

SIEM Correlation Rules

Rule 1: MFA Push Spam Detection

IF user.mfa_pushes_sent > 10 within 5_minutes
AND user.mfa_approvals = 0
THEN alert("MFA Fatigue Attack Detected")
AND lock_account(user, duration="15min")
AND notify(security_team, user)

Rule 2: Suspicious Approval After Spam

IF user.mfa_pushes_denied > 5
AND user.mfa_approved = 1 within 30_seconds
THEN alert("Potential MFA Fatigue Success")
AND force_password_reset(user)
AND kill_all_sessions(user)

Rule 3: Anomalous Login Patterns

IF login.country NOT IN user.typical_countries
AND login.time NOT IN user.typical_hours
AND mfa_pushes > 3
THEN require_additional_verification()
AND alert(security_analyst)
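The three correlation rules above run over sample events, as an added example that is not code from the original page: a sliding 5-minute window per user, with the rule thresholds and response actions taken from the rules as written. The log line format (`<ISO-8601 UTC> <user> <event> <country>`), the `TYPICAL` baseline that stands in for a UEBA profile, and the event stream produced by `build_sample_log` are all constructed for this example.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Windows and thresholds taken from the three rules above
WINDOW = timedelta(minutes=5)           # Rule 1 counting window
SUCCESS_WINDOW = timedelta(seconds=30)  # Rule 2: approval shortly after the denials
RESPONSE = {                            # response actions named in the rules
    "MFA Fatigue Attack Detected": ["lock_account 15min", "notify security_team", "notify user"],
    "Potential MFA Fatigue Success": ["force_password_reset", "kill_all_sessions"],
    "Anomalous Login Pattern": ["require_additional_verification", "alert security_analyst"],
}

# Assumed per-user baseline (a real deployment would pull this from its UEBA profile)
TYPICAL = {
    "alice": {"countries": {"US"}, "hours": set(range(8, 19))},   # UTC working hours
    "bob":   {"countries": {"US"}, "hours": set(range(8, 19))},
}


def build_sample_log():
    """Constructed, not captured: twelve push/deny pairs against alice from an
    atypical country at 02:58 UTC, ten seconds apart, then an approval ten
    seconds after the last denial; bob is an ordinary daytime login."""
    t0 = datetime(2025, 3, 4, 2, 58, tzinfo=timezone.utc)

    def fmt(t):
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    for i in range(12):
        lines.append(f"{fmt(t0 + timedelta(seconds=10 * i))} alice push_sent RU")
        lines.append(f"{fmt(t0 + timedelta(seconds=10 * i + 5))} alice push_denied RU")
    lines.append(f"{fmt(t0 + timedelta(seconds=125))} alice push_approved RU")
    lines.append("2025-03-04T09:00:00Z bob push_sent US")
    lines.append("2025-03-04T09:00:03Z bob push_approved US")
    return lines


def parse(line):
    """Assumed log format: '<ISO-8601 UTC> <user> <event> <country>'."""
    ts, user, event, country = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, event, country


def correlate(lines):
    """Evaluate the rules after every event; one alert per user per rule."""
    history = {}    # user -> deque of (ts, event, country) inside WINDOW
    fired = set()
    alerts = []

    def raise_alert(user, rule, ts):
        if (user, rule) not in fired:
            fired.add((user, rule))
            alerts.append({"user": user, "rule": rule, "at": ts, "actions": RESPONSE[rule]})

    for line in lines:
        ts, user, event, country = parse(line)
        h = history.setdefault(user, deque())
        h.append((ts, event, country))
        while ts - h[0][0] > WINDOW:            # slide the window forward
            h.popleft()
        sent = sum(1 for _, e, _ in h if e == "push_sent")
        approved = sum(1 for _, e, _ in h if e == "push_approved")
        denials = [t for t, e, _ in h if e == "push_denied"]

        # Rule 1: more than 10 pushes in the window and none approved
        if sent > 10 and approved == 0:
            raise_alert(user, "MFA Fatigue Attack Detected", ts)
        # Rule 2: an approval within 30 s of the last of more than 5 denials
        if event == "push_approved" and len(denials) > 5 and ts - denials[-1] <= SUCCESS_WINDOW:
            raise_alert(user, "Potential MFA Fatigue Success", ts)
        # Rule 3: unusual country and hour, with more than 3 pushes
        profile = TYPICAL.get(user, {"countries": set(), "hours": set()})
        if country not in profile["countries"] and ts.hour not in profile["hours"] and sent > 3:
            raise_alert(user, "Anomalous Login Pattern", ts)
    return alerts


if __name__ == "__main__":
    for alert in correlate(build_sample_log()):
        print(alert["at"].isoformat(), alert["user"], alert["rule"], alert["actions"])
```

Running it shows the order a SOC would actually see: Rule 3 fires first (fourth push from an unusual country at an unusual hour), Rule 1 at the eleventh push, and Rule 2 only at the moment the worn-down user approves, which is where the password reset and session kill matter. Because the rules are evaluated on every event rather than in a batch, the lock from Rule 1 can land before the approval that Rule 2 would otherwise have to clean up after.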
Interactive Simulation (1. Setup → 2. Attacking → 3. Defending)

🔴 Attack Configuration: one push every second

🔵 Defense Configuration:
  • SIEM Detection: alert on 10+ pushes
  • Number Matching: require number entry
  • Rate Limiting: lock after 3 attempts
Copyright © 2025 JMFG. All rights reserved.