Multifactor authentication (MFA) has emerged as a barrier against unauthorized access, but it’s not a silver bullet. Attackers are constantly using their creativity to try to bypass MFA. The Cisco Talos team detailed several current bypass methods to help organizations recognize these attempts.

The latest Cisco Talos report showed nearly half of all security incidents the team responded to in the first quarter of 2024 involved MFA. In 25% of these engagements, users fell victim to fraudulent MFA push notifications. Another 21% were compromised due to improper MFA implementation.

Analyzing push spray attacks

Cisco Talos noted that the most common MFA bypass attempt is the push spray (or “MFA fatigue”) attack: attackers who have already acquired a user’s password repeatedly trigger push notifications to the target, hoping the user will eventually accept one.

Data from Cisco Duo’s AI and Security Research team, drawn from 15,000 cataloged push-based attacks between June 2023 and May 2024, showed that most of these attacks aren’t successful: the pushes are ignored by the user or reported as fraudulent.

However, users accepted 5% of the push attacks, and it didn’t take many attempts to persuade these victims. Most of them received between one and five push requests before conceding, though a small subset was “bombarded” with 20-50 attempts.

The analysis also sheds light on attack timing. Most fraudulent push attempts occurred between 10:00 and 16:00 UTC, a window that begins a few hours before the U.S. East Coast workday and overlaps most of it.

“This indicates that attackers are sending push notifications as people are logging on in the morning, or during actual work hours – presumably hoping that the notifications are in the context of their usual working day, and therefore less likely to be flagged,” the team wrote in a blog post.
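The following Python is an added example, not Cisco Talos or Cisco Duo code, showing how the signals described above can be pulled out of push logs: a burst of unanswered pushes, a user approving a push only after ignoring several in the same window, and the harder case of a single push accepted on the first try from a source IP the account has never approved from before (the report says many victims conceded after just one to five pushes, so a volume rule alone is not enough). The record layout, reason strings and sample log lines are constructed and only loosely imitate an MFA authentication log.

```python
"""Push-fatigue detector over constructed MFA push-log records.

Added example, not Cisco Talos or Cisco Duo code. The records loosely imitate the
shape of an MFA authentication log (user, timestamp, factor, result, reason,
source IP); the field names, reason strings and sample data are all constructed.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # pushes this close together are treated as one campaign
BURST_THRESHOLD = 3              # unanswered/denied pushes in WINDOW before alerting on volume

Alert = namedtuple("Alert", "user when severity detail")


def _ts(hhmm):
    """Constructed timestamps, all on 2024-06-12 UTC."""
    h, m = hhmm.split(":")
    return datetime(2024, 6, 12, int(h), int(m), tzinfo=timezone.utc)


SAMPLE_LOG = [  # constructed
    # alice: normal morning login, then a midday burst from a new IP that she finally approves
    {"user": "alice", "ts": _ts("08:02"), "factor": "duo_push", "result": "success", "reason": "user_approved",     "ip": "203.0.113.10"},
    {"user": "alice", "ts": _ts("12:01"), "factor": "duo_push", "result": "denied",  "reason": "no_response",       "ip": "198.51.100.7"},
    {"user": "alice", "ts": _ts("12:02"), "factor": "duo_push", "result": "denied",  "reason": "no_response",       "ip": "198.51.100.7"},
    {"user": "alice", "ts": _ts("12:03"), "factor": "duo_push", "result": "denied",  "reason": "no_response",       "ip": "198.51.100.7"},
    {"user": "alice", "ts": _ts("12:04"), "factor": "duo_push", "result": "success", "reason": "user_approved",     "ip": "198.51.100.7"},
    # bob: a single push from an IP never seen on his approvals, accepted on the first try
    {"user": "bob",   "ts": _ts("07:55"), "factor": "duo_push", "result": "success", "reason": "user_approved",     "ip": "203.0.113.22"},
    {"user": "bob",   "ts": _ts("13:30"), "factor": "duo_push", "result": "success", "reason": "user_approved",     "ip": "198.51.100.7"},
    # carol: one unanswered push, then she reports the next one
    {"user": "carol", "ts": _ts("11:10"), "factor": "duo_push", "result": "denied",  "reason": "no_response",       "ip": "198.51.100.7"},
    {"user": "carol", "ts": _ts("11:11"), "factor": "duo_push", "result": "fraud",   "reason": "user_marked_fraud", "ip": "198.51.100.7"},
    # dave: a passcode login; not a push, so the detector ignores it
    {"user": "dave",  "ts": _ts("12:05"), "factor": "passcode", "result": "success", "reason": "valid_passcode",    "ip": "203.0.113.40"},
]


def detect_push_fatigue(records, window=WINDOW, burst=BURST_THRESHOLD):
    """Return one Alert per suspicious push event, scanning each user's pushes in time order."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["factor"] == "duo_push":
            by_user[r["user"]].append(r)

    alerts = []
    for user, pushes in by_user.items():
        approved_ips = set()  # IPs behind this user's earlier approvals, learned as we go
        for i, cur in enumerate(pushes):
            recent = [p for p in pushes[:i] if cur["ts"] - p["ts"] <= window]
            rejected_before = [p for p in recent if p["result"] != "success"]

            if cur["reason"] == "user_marked_fraud":
                alerts.append(Alert(user, cur["ts"], "high", "user reported the push as fraudulent"))
            elif cur["result"] == "success":
                if rejected_before:
                    # The pattern the report describes: ignore a few, then give in
                    alerts.append(Alert(user, cur["ts"], "critical",
                                        f"approved after {len(rejected_before)} unanswered/denied pushes within {window}"))
                elif approved_ips and cur["ip"] not in approved_ips:
                    # One push, accepted immediately, from somewhere new: the volume rule alone misses this
                    alerts.append(Alert(user, cur["ts"], "medium",
                                        f"first-try approval from {cur['ip']}, never seen on earlier approvals"))
                approved_ips.add(cur["ip"])
            elif len(rejected_before) + 1 == burst:
                # Fire once, the moment the burst threshold is crossed
                alerts.append(Alert(user, cur["ts"], "high",
                                    f"{burst} unanswered/denied pushes within {window}"))
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(f"{a.when:%H:%M} {a.severity:8} {a.user:6} {a.detail}")
```

On the constructed sample this yields four alerts: alice trips the burst rule at the third unanswered push and the critical rule when she approves the fourth, bob trips only the new-IP rule, and carol’s fraud report is surfaced so the source IP can be blocked for everyone else. The new-IP rule is the noisiest of the three (travel, VPN changes) and is deliberately rated medium; in practice it would be keyed on ASN or a device fingerprint rather than a raw address.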

Cisco Talos reveals diverse MFA bypass methods

Beyond push-based attacks, attackers “have got a bit creative” in bypassing MFA. The Cisco Talos Incident Response team listed several methods beyond the traditional push-spray attack, including the following:

  1. Stealing authentication tokens from employees and then replaying the session tokens to gain lateral access within networks.
  2. Social engineering IT departments into enrolling a new MFA-enabled device, which is actually the attacker’s device.
  3. Compromising contractors and changing their registered phone numbers so the MFA prompts arrive on the attackers’ own devices.
  4. Compromising a single endpoint, logging into the MFA software as an admin, and deactivating MFA.
  5. Getting a compromised employee to click “allow” on an MFA push sent by the attackers, which is also one type of insider attack.
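Methods 1 through 4 above each leave a footprint in logs that exist independently of the MFA prompt itself: an admin-activity record of an enrollment change, an admin action that weakens or disables MFA, and a session token that turns up from more than one source. The Python below is an added example, not Cisco Talos or Cisco Duo code, that correlates those footprints. Event shapes, action names and sample events are constructed stand-ins for whatever an identity provider’s admin log, authentication log and web-app access log actually emit.

```python
"""Correlating MFA-adjacent red flags over constructed log events.

Added example for the bypass methods listed above; it is not Cisco Talos or Duo
code. Event shapes, action names and sample data are constructed stand-ins for
whatever an IdP/MFA admin log, authentication log and web-app access log emit.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta, timezone

LOOKAHEAD = timedelta(hours=24)   # how long after an enrollment change we watch the account's logins

# Admin actions that change *who* can satisfy MFA for an account (methods 2 and 3)
ENROLLMENT_CHANGES = {"phone_number_changed", "device_added"}
# Admin actions that switch MFA off or around it (method 4); always worth an alert
MFA_WEAKENING = {"mfa_policy_disabled", "bypass_code_created", "user_set_to_bypass"}

Alert = namedtuple("Alert", "severity kind user detail")


def _ts(day, hhmm):
    """Constructed UTC timestamps in June 2024."""
    h, m = hhmm.split(":")
    return datetime(2024, 6, day, int(h), int(m), tzinfo=timezone.utc)


ADMIN_EVENTS = [  # constructed admin-activity log
    {"ts": _ts(12, "09:00"), "actor": "helpdesk1", "action": "device_added",         "target": "erin"},
    {"ts": _ts(12, "14:05"), "actor": "helpdesk1", "action": "phone_number_changed", "target": "contractor_jdoe"},
    {"ts": _ts(12, "16:40"), "actor": "it_admin2", "action": "mfa_policy_disabled",  "target": "policy:global"},
]
AUTH_EVENTS = [  # constructed successful MFA logins
    {"ts": _ts(11, "08:30"), "user": "contractor_jdoe", "device_id": "ph-111", "ip": "203.0.113.50"},
    {"ts": _ts(12, "14:20"), "user": "contractor_jdoe", "device_id": "ph-999", "ip": "198.51.100.7"},
    {"ts": _ts(11, "09:10"), "user": "erin",            "device_id": "lt-222", "ip": "203.0.113.60"},
    {"ts": _ts(12, "09:30"), "user": "erin",            "device_id": "lt-222", "ip": "203.0.113.60"},
]
SESSION_EVENTS = [  # constructed post-MFA web requests carrying a session cookie
    {"ts": _ts(12, "10:00"), "user": "frank", "session_id": "s-abc", "ip": "203.0.113.70"},
    {"ts": _ts(12, "10:05"), "user": "frank", "session_id": "s-abc", "ip": "203.0.113.70"},
    {"ts": _ts(12, "10:09"), "user": "frank", "session_id": "s-abc", "ip": "198.51.100.7"},
    {"ts": _ts(12, "11:00"), "user": "erin",  "session_id": "s-def", "ip": "203.0.113.60"},
]


def enrollment_then_new_device(admin_events, auth_events, lookahead=LOOKAHEAD):
    """Methods 2/3: an enrollment change followed, within the lookahead, by a login from
    a device *and* an IP the account has never used before."""
    alerts = []
    auths = sorted(auth_events, key=lambda e: e["ts"])
    for ev in admin_events:
        if ev["action"] not in ENROLLMENT_CHANGES:
            continue
        user = ev["target"]
        prior = [a for a in auths if a["user"] == user and a["ts"] < ev["ts"]]
        known_ips = {a["ip"] for a in prior}
        known_devs = {a["device_id"] for a in prior}
        for a in auths:
            if a["user"] != user or not ev["ts"] <= a["ts"] <= ev["ts"] + lookahead:
                continue
            if a["ip"] not in known_ips and a["device_id"] not in known_devs:
                alerts.append(Alert("high", ev["action"], user,
                                    f"{ev['actor']} changed enrollment at {ev['ts']:%H:%M}; login from new device "
                                    f"{a['device_id']} / new IP {a['ip']} at {a['ts']:%H:%M}"))
                break  # one alert per enrollment change is enough
    return alerts


def mfa_weakening(admin_events):
    """Method 4: any action that disables or bypasses MFA is alerted on as-is, no correlation needed."""
    return [Alert("high", ev["action"], ev["target"], f"performed by {ev['actor']} at {ev['ts']:%Y-%m-%d %H:%M}")
            for ev in admin_events if ev["action"] in MFA_WEAKENING]


def session_replay(session_events):
    """Method 1: the same session token presented from more than one source IP."""
    ips = defaultdict(set)
    user_of = {}
    for e in session_events:
        ips[e["session_id"]].add(e["ip"])
        user_of[e["session_id"]] = e["user"]
    return [Alert("high", "session_token_reuse", user_of[sid], f"{sid} seen from {sorted(seen)}")
            for sid, seen in ips.items() if len(seen) > 1]


def all_red_flags(admin_events=ADMIN_EVENTS, auth_events=AUTH_EVENTS, session_events=SESSION_EVENTS):
    return (enrollment_then_new_device(admin_events, auth_events)
            + mfa_weakening(admin_events) + session_replay(session_events))


if __name__ == "__main__":
    for a in all_red_flags():
        print(a.severity, a.kind, a.user, "-", a.detail)
```

On the constructed data, erin’s routine device add is not flagged because her next login still comes from a known laptop and IP, while the contractor’s phone-number change followed by a login from an unknown device and address is. A legitimate user who enrolls a new phone and then logs in from it will also trigger the enrollment rule; that is intended, since the help-desk ticket or the user can confirm it quickly, whereas the attacker cannot. The session-replay rule is the one most exposed to false positives from mobile carriers and split-tunnel VPNs, so in production it is normally keyed on ASN or geography plus a client fingerprint rather than a bare IP change.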
These methods “don’t solely rely on MFA weaknesses – social engineering, moving laterally across the network, and creating admin access involve several steps where red flags can be spotted or ultimately prevented,” the team wrote.

“Therefore, taking a holistic view of how an attacker might use MFA or social engineer their access to it is important,” they added.