The growing popularity of multi-factor authentication has prompted more threat actors to leverage the social engineering technique dubbed 'MFA Fatigue', which could facilitate successful attacks even without malware or phishing infrastructure, according to BleepingComputer.
Attackers using MFA Fatigue have been running scripts that repeatedly attempt to log in to accounts with stolen credentials, seeking to induce MFA prompt fatigue in their targets. Threat actors send continuous MFA notifications and then impersonate IT support in emails, chats, and calls in an effort to lure targets into accepting the prompt. Such a technique has been successfully leveraged by the Yanluowang and Lapsus$ threat groups in attacks against Uber, Microsoft, and Cisco, BleepingComputer notes.
Employees targeted by such an attack have been urged to reject the MFA request and enlist the assistance of their organizations' IT admins, IT departments, and supervisors. Changing account passwords would also deter future delivery of MFA spam.
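
For IT teams handling such reports, the repeated prompts described above leave a recognisable pattern in authentication logs. The following is an added example, not from BleepingComputer or any vendor: it flags a burst of unapproved push prompts for one user and any approval that ends such a burst. The log format, event names, 10-minute window and threshold of 5 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp user result" format.
SAMPLE_LOG = """
2024-01-15T02:00:05 alice push_denied
2024-01-15T02:00:40 alice push_timeout
2024-01-15T02:01:10 alice push_denied
2024-01-15T02:01:55 alice push_timeout
2024-01-15T02:02:30 alice push_denied
2024-01-15T02:03:15 alice push_timeout
2024-01-15T02:04:00 alice push_approved
2024-01-15T08:00:00 carol push_denied
2024-01-15T09:00:00 carol push_denied
2024-01-15T09:15:00 bob push_timeout
2024-01-15T09:15:30 bob push_approved
2024-01-15T10:00:00 carol push_denied
"""
UNAPPROVED = {"push_denied", "push_timeout"}

def parse(log):
    for line in log.strip().splitlines():
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result

def detect_mfa_fatigue(log, window=timedelta(minutes=10), threshold=5):
    """Flag bursts of unapproved prompts and any approval that ends one."""
    recent = defaultdict(deque)  # user -> times of recent unapproved prompts
    reported = set()             # users whose current burst was already flagged
    alerts = []
    for ts, user, result in sorted(parse(log)):
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts outside the window
            q.popleft()
        if not q:
            reported.discard(user)
        if result in UNAPPROVED:
            q.append(ts)
            if len(q) >= threshold and user not in reported:
                reported.add(user)
                alerts.append((ts, user, "prompt_burst"))
        elif result == "push_approved":
            if len(q) >= threshold:  # approval right after a burst
                alerts.append((ts, user, "approved_after_burst"))
            q.clear()
            reported.discard(user)
    return alerts

if __name__ == "__main__":
    for ts, user, kind in detect_mfa_fatigue(SAMPLE_LOG):
        print(ts.isoformat(), user, kind)
```

An `approved_after_burst` alert is the case that warrants immediate session revocation and a password reset; a single mistapped denial followed by an approval, as with the constructed user bob, produces no alert.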