This content is viewable by Everyone

Feb 2023: MFA (DUO) Fatigue Attacks Target High-Profile Orgs - Do not approve authentication requests for logins you did not initiate!

Threat Alert: What to Watch For

  • Numerous high-profile organizations including UCSF have recently fallen victim to what are known as “multi-factor authentication (MFA) fatigue attacks” or “MFA prompt bombing.”
  • In these attacks, a threat actor uses a set of compromised credentials to repeatedly attempt to log into an account that is protected via a certain type of MFA technology.
  • Each login attempt generates a multi-factor approval request that is delivered to the account owner (often via a mobile phone). The account owner must then either approve or deny the request.
  • The attackers hope that the recipient will tire of (or become “fatigued” by) the repeated requests and eventually approve the login, giving the attacker access to the account.
  • In some cases, an attacker might even impersonate IT support staff and contact an account owner directly (by phone, email, or a messaging app) to encourage them to accept a request.
  • Depending on the account they gain access to, the attacker could leverage that initial access to further compromise an individual or an organization.

Key Actions: How to Handle Suspicious Authentication Requests

  • If you receive any authentication request for a login that you did not initiate, do not approve it.  
  • For work-related accounts and systems, report suspicious approval requests to the UCSF Service Desk. Be sure to note if you have received multiple login requests over a short period of time as this is an indication of an MFA fatigue attack.
    • UCSF IT Service Desk
    • Main: 415-514-4100
    • BCH Oakland: 510-428-3885 x4357
    • http://help.ucsf.edu/  
  • Change your account password if you receive an unusual MFA (DUO) request. Most authentication requests occur after login credentials (usually a username and password) are entered. So, if you receive one or more unexpected MFA approval requests for an account, it’s a sign that your login credentials were previously compromised and obtained by an attacker.   
  • If you believe you accidentally approved a suspicious MFA request, alert the Service Desk ASAP.

MFA remains a valuable account protection tool, and we recommend you always opt into MFA on personal accounts when available. Our organization currently uses DUO for internal accounts and systems. If you have a choice on your personal accounts, we suggest using those tools there as well. 

But keep in mind that MFA is not a failsafe. Attackers continue to seek opportunities to bypass and compromise MFA protections. If you’re concerned one of your work accounts has been compromised, please contact us as soon as possible. We’re here to help.