How to avoid multi-factor authentication prompt bombing cyber attacks

Imagine you’re driving to work and you get a notification on your phone saying that someone is trying to log into one of your Square or PayPal accounts.

If your attention is elsewhere, there’s a high chance you might click “Yes” or “Approve” under the impression that one of your colleagues is trying to log in.

But what if the login notification isn’t coming from a coworker, but from a hacker trying to find a backdoor into your business?

This is an example of multi-factor authentication prompt bombing – a new type of attack that uses multi-factor authentication to break through your business’s security.

A young woman sitting on a stool looking at her smart phone

What is multi-factor authentication?

If you’ve ever looked into cybersecurity for your business, you’re probably already aware of multi-factor authentication (otherwise known as MFA).

If not, it’s a simple safety measure you can use on your account logins to add an extra layer of protection against hackers and cyber criminals.

It typically works by sending a one-time code to your phone or chosen MFA app when you try to log into an account, which is then used alongside your password to log in.

MFA is capable of preventing 99.9 per cent of account compromise attacks according to Microsoft – the problem is that cyber criminals have found ways to use MFA in a new type of cyber attack called MFA prompt bombing.

MFA prompt bombing attacks use deception and trickery to fool users into accepting an MFA request, which hackers can then use to illegitimately log into your workplace accounts, such as Google, Microsoft Teams or other apps.

The new MFA prompt bombing attack is highly dangerous for business owners, as it targets you and your workers in ways that you’d least expect.

How does MFA prompt bombing work?

MFA prompt bombing is a cyber attack that leverages multi-factor authentication, such as SMS, email and MFA apps, to trick you into giving a hacker access to your account.

To perform the attack, a hacker will repeatedly send MFA requests to your device with the hope of eventually tricking you into approving one.

The reason that MFA prompt bombing is so strong is most users think the MFA request is legitimate, and approve it without a second thought.

For example, you might get a notification on your phone saying that someone is trying to log in to your Google account.
Google will ask you “Yes” or “No” to the sign-in request, so if a hacker is trying to break into your account, you have the chance to stop them in their tracks by clicking “No”.

However, as most business owners know, it can be difficult to give your full attention to every alert that pops up on your phone.

If you’re in the middle of some important accounting work, or are simply getting the kids ready for school, there’s a chance you’ll just press “Yes” under the impression that the login request is coming from a colleague.

The problem is that after you approve just one fake MFA request, the hacker is already in the account and able to, at a minimum, access your sensitive business data.

In the worst-case scenario, they can use the account to unleash further damage, such as a business email compromise attack.

Prompt bombing attacks can happen at any time of the day, and work best when they catch you off guard.

Hackers will often send more than just one MFA request – in fact, they’ll send dozens upon dozens with the hope you eventually click just one.

As such, they can come through at the most inopportune of times – whether you’re rushing to the office or have just sat down in an important meeting. They can even come through while you’re sleeping, piling up and hoping to catch you off guard before the day has even started.

Thankfully, there are a number of requirements the hacker needs before they can try to prompt bomb your accounts.

Firstly, the hacker needs to have already taken your username and password from a separate incident, such as phishing or keylogging.

Furthermore, this particular method of attack is reliant on one-time MFA links or “prompts” that approve a login request upon being tapped. Its success depends on the victim eventually clicking a link either by accident or out of sheer confusion and frustration.

Unfortunately, if the user clicks the MFA link just once during a prompt bombing attack, the cyber criminals’ login attempts are authenticated and they can then gain full access to the compromised account.

How common is MFA prompt bombing?

MFA prompt bombing is more common than you might think and has been used for some of the most well-known data breaches over the last year. The major software company, SolarWinds, suffered an attack on its 18,000 customers at the hands of a Russian espionage group using MFA prompt bombing.

And in March 2022, Microsoft had a massive source-code leak from hackers using the same technique. While prompt bombing may seem like a simple technique, it’s highly effective even against some of the most advanced tech companies of today.

The group behind this particular hack, Lapsus$, has been quoted as saying, 'No limit is placed on the amount of calls that can be made. Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.'

Small business owners may find themselves at increased risk of prompt bombing, as employees often have less knowledge of cyber safety.

How can you prevent MFA prompt bombing?

  • Never click Accept: The first step to avoiding MFA prompt bombing is to never click 'Accept' or 'Approve login'. Unless you know that a colleague tried to log in, it’s best to ignore or close the MFA request to prevent a potential attack.
  • Change your password: If you are getting unapproved MFA notifications on your phone, it probably means that your password(s) have been stolen. Change your password for any affected accounts, and on any platforms that use the same stolen password. If the issue continues after this, it might mean the attacker has found a way to repeatedly steal your login information. In that case, seek professional advice from an IT expert to determine how your login details may have been compromised.
  • Check if your platform supports Geographical Login Restrictions: Depending on the app you are using, you may be able to stop login attempts unless they come from an approved location, such as your office or the homes of your colleagues. This means that if a hacker attempts to log in from an offshore or unapproved network, they will automatically be denied access regardless of the password or MFA details they try to use. Geographical Login Restrictions are particularly helpful when used alongside a VPN, which is an essential tool in today’s age of remote working.
  • Change MFA method: If you are using prompt-based MFA such as in the picture above, consider changing to code-based MFA instead. This way, even if a hacker attempts to MFA prompt bomb you, they will not be able to log in without you sending them an MFA code directly. This is far less likely to happen, and as such, one-time codes are often much safer than link-based or prompt-based or MFA requests.

In conclusion, MFA prompt bombing is an alarmingly popular attack method that all business owners should be aware of. Discuss this attack type with your colleagues, and take the above tips into consideration every time you receive an MFA request.