{"id":5456,"date":"2022-09-22T21:23:45","date_gmt":"2022-09-22T19:23:45","guid":{"rendered":"https:\/\/jeffreyappel.nl\/?p=5456"},"modified":"2023-07-27T23:14:43","modified_gmt":"2023-07-27T21:14:43","slug":"how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection","status":"publish","type":"post","link":"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/","title":{"rendered":"How to mitigate MFA fatigue and learn from the Uber breach for additional protection"},"content":{"rendered":"\n<p>Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. With the rise of more default protection with the use of multi-factor authentication the MFA Fatigue technique is rising. <\/p>\n\n\n\n<p>In the past months, multiple large enterprises are breached &#8211; in all cases the attacks start with social engineering and stolen\/ captured employee login credentials to access VPNs and the internal network. <\/p>\n\n\n\n<p>Note: Blog is written based on Microsoft technology &#8211; no other toolings\/ products are evaluated outside the Microsoft product stack. All is written based on my own opinion. <\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong><strong>Blog information: <br><\/strong><br><\/strong>Blog published: September 22, 2022<br>Blog latest updated: September 22, 2022<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Attack story timeline<\/h2>\n\n\n\n<p>Let&#8217;s simulate the general attack story with Uber as an example. NOTE: Not all details are shared from the Uber breach. Use Twitter for finding some more screenshots\/ detailed information. Uber is only added as an example. Multiple companies are breached recently using the same technique and steps. MFA fatigue received more notice because of breaches against companies like Uber, Cisco, Twitter, and Okta. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 1: Stolen credentials<\/h2>\n\n\n\n<p>It all starts with stolen credentials. It is far from difficult to get stolen credentials, which can be collected using phishing attacks, malware, or collected via data breaches. On dark web marketplaces, credentials can be purchased for various types of companies and large enterprises. With some hours of research it is simple to find the resources on the dark web where passwords can be purchased. And yes &#8211; also for the larger enterprises. <\/p>\n\n\n\n<p>Hopefully, all companies are protected at least with MFA which makes the initial abuse a little harder. Currently reading this blog and no MFA configured &#8211; please enable it asap and don&#8217;t wait before the organization is breached for the first time. Without MFA it is only a matter of time until things go wrong.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 2: MFA bypass\/ Social engineering<\/h2>\n\n\n\n<p>Companies are currently heavily adopting multi-factor authentication to protect users to access threat actors without any additional verification. Multiple methods are available to bypass multi-factor authentication:<\/p>\n\n\n\n<ul>\n<li>Stealing cookies via malware<\/li>\n\n\n\n<li>man-in-the-middle phishing Attacks ( Evilginx2)<\/li>\n<\/ul>\n\n\n\n<p>Social engineering can be used. A technique called &#8216;MFA Fatigue, MFA push spam&#8217; is rising and a new common technique for breaching into corporate networks. For MFA Fatigue no additional infrastructure or malware is required.  More in-depth information later in this blog.<\/p>\n\n\n\n<p><em>Example Uber: <\/em><\/p>\n\n\n\n<p>A good example is the recent Uber breach; where the attacker used stolen\/purchased credentials and spammed the user with many push authentication prompts for one hour. After one hour the attacker contacted the user and claimed to be from Uber IT with the message; if he wants to stop he must accept it. Finally, the employee approves the MFA and the attacker added a new device. <\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/pbs.twimg.com\/media\/FcxPrr3WQAEShcs?format=png&amp;name=medium\" alt=\"Image\"\/><\/figure>\n\n\n\n<p>Image source:<a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1570717994397073410\/photo\/1\"> Kevin Beaumont (Twitter)<\/a><\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>The attacker then repeatedly tried to log in to the contractor\u2019s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.<\/p>\n<cite><a href=\"https:\/\/www.uber.com\/newsroom\/security-update\">Uber Newsroom<\/a><\/cite><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Step 3: Access internal sources\/ Cloud sources<\/h2>\n\n\n\n<p>When there is access with one of the MFA methods &#8211;  there is a phase where the attacker is searching for internal sources which can be used for getting more sources. <\/p>\n\n\n\n<p><strong>For cloud-only environments: <\/strong>(Ideas for getting more access) <\/p>\n\n\n\n<ul>\n<li>Validate of Okta is used<\/li>\n\n\n\n<li>Check for Privileged Identity Toolings<\/li>\n\n\n\n<li>Additional connected applications ( password toolings\/ key-saves) <\/li>\n<\/ul>\n\n\n\n<p><strong>For on-premises environments:<\/strong> (Ideas for getting more access) <\/p>\n\n\n\n<ul>\n<li>Connect with VPN<\/li>\n\n\n\n<li>Sometimes Sharepoint or other intranet software will be used for scanning VPN\/ Remote access manuals<\/li>\n<\/ul>\n\n\n\n<p>When the VPN can be activated with the collected account &#8211; the attacker can discover more and scan the complete intranet. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 4: Discovery of the network<\/h2>\n\n\n\n<p>Step 4 is the initial discovery of the network. When there is access to cloud resources and on-premises intranet resources the discovery can start; searching for scripts\/ passwords and additional credentials which results in access to other toolings. <\/p>\n\n\n\n<p><em>Example Uber<\/em>:<\/p>\n\n\n\n<p>The existing VPN access is used for pivot to the internal network. The internal network is often significantly less audited and evaluated in compared to external infrastructures. In comparison with Azure; there are in the cloud more built-in protection toolings. In all cases don&#8217;t trust the defaults and audit each possible way of access to internal\/ external or cloud environments. <\/p>\n\n\n\n<p>During the discovery, the attacker found an internal network share where scripts with privileged credentials were published. One of the PowerShell scripts contained the username and password for a Privilege Access Management (PAM) tooling (Thycotic) which results in access to other useful resources ( Duo, Onelogin, Slack, EDR portal (SentinelOne), AWS, GSuite, and many more). <\/p>\n\n\n\n<p>Some of the apps can require MFA again &#8211; where the attacker registered a new phone &#8211; so the authentication can be easily approved without the employee. <\/p>\n\n\n\n<p>Security Update for Uber can be found here; <a href=\"https:\/\/www.uber.com\/newsroom\/security-update\">Security update &#8211; Uber.com<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Summarize in MITRE ATT&amp;CK framework<\/h2>\n\n\n\n<p>The Uber breach mapped together with MITRE ATT&amp;CK framework:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Component<\/th><th>Item<\/th><th>MITE ATT&amp;CK<\/th><\/tr><\/thead><tbody><tr><td>Credential Access<\/td><td>2FA\/ MFA spamming<\/td><td>T1621: MFA Authentication Request<\/td><\/tr><tr><td>Initial Access<\/td><td>Used Whatsapp for pushing user to get MFA request approved<\/td><td>T1566.003: Spearphishing via Service<\/td><\/tr><tr><td>Initial Access<\/td><td>VPN access via credentials<\/td><td>T1078: Valid account<\/td><\/tr><tr><td>Recon<\/td><td>Scanning infrastructure<\/td><td>T1135: Scanning Uber Infrastructure<\/td><\/tr><tr><td>Privileged Escalation<\/td><td>Founded cleartext credentials in PowerShell scripts<\/td><td>T1552.001: Credential in Files<\/td><\/tr><tr><td>Privileged Escalation<\/td><td>Access to PAM solution with founded cleartext credentials<\/td><td>T1078.00 Domain Account<\/td><\/tr><tr><td>Data Exfiltration<\/td><td>Access to number of apps\/ infra\/ internal data<\/td><td>T1048: Exfiltration over Alternative Protocol<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Useful source including visual with all MITRE ATT&amp;CK mappings and the order of steps. <a href=\"https:\/\/twitter.com\/MichalKoczwara\/status\/1571432800787759104\/photo\/1\">Twitter<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">What is MFA Fatigue<\/h2>\n\n\n\n<p>MFA Fatigue (<a href=\"https:\/\/attack.mitre.org\/techniques\/T1621\/\">Mitre ATT&amp;CK T1612<\/a>) is not new and used by many hacker groups. Example; Lapsus$ and Cozy Bear. MFA Fatigue is rising and used more often to gain access to corporate credentials and breach networks where MFA fatigue is now part of the mainstream toolbox. <\/p>\n\n\n\n<p>MFA fatigue refers to&nbsp;the overload of prompts the victim would receive via MFA applications.&nbsp;The technique works when the threat actor already has credentials for a targeted account. Phishing, brute forcing, data breach, password spraying, dark web and many more techniques can be used to get the initial credentials. <\/p>\n\n\n\n<p>Once the credentials are available the threat actor starts requesting approval for sign-in for the MFA application. With the goal &#8211; of overloading the amount of MFA prompts and wait before the user approved the request. When the user does not approve the initial MFA notifications &#8211; social engineering can be used to message the user, and ask via e-mail\/ Teams or WhatsApp for approving the MFA request imposed as an IT support employee\/ IT administrator. <\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Protect against stolen credentials<\/h2>\n\n\n\n<p>There are multiple products available for protecting passwords and scanning for stolen compromised passwords. <\/p>\n\n\n\n<p>First some basics;<\/p>\n\n\n\n<ul>\n<li>Don&#8217;t forget to enable a Strong Password Policy across all systems and applications. When attackers cannot guess your strong password, they cannot send you multiple MFA requests.<\/li>\n\n\n\n<li>Disable Legacy Authentication<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Azure AD Password Protection<\/h3>\n\n\n\n<p>Azure AD Password Protection supports different protections. Azure AD Password Protection can be used to prevent users from picking poor\/easily guessable\/compromises passwords.  <\/p>\n\n\n\n<p>Microsoft maintains a global banned password list with stored passwords which are too common. This list is for safety reasons not published, in Azure AD Password Protection it is possible to add custom banned passwords. <\/p>\n\n\n\n<p>For the feature make sure the following licenses are needed:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>User type<\/th><th>Azure AD Password Protection with global banned password list<\/th><th>Azure AD Password Protection with custom banned password list<\/th><\/tr><\/thead><tbody><tr><td>Cloud-only users<\/td><td>Azure AD Free<\/td><td>Azure AD Premium P1 or P2<\/td><\/tr><tr><td>Users synchronized from on-premises AD DS<\/td><td>Azure AD Premium P1 or P2<\/td><td>Azure AD Premium P1 or P2<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Azure AD Password Protection is already enabled for cloud users using the global password list, and it can&#8217;t be disabled. The configuration lockout and custom password list can be configured here: &nbsp;Azure Portal -&gt; Azure AD -&gt; Security -&gt; Authentication methods -&gt; Password protection<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"470\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-75-1024x470.png\" alt=\"\" class=\"wp-image-5461\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-75-1024x470.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-75-300x138.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-75-768x352.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-75-1536x704.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-75-2048x939.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-75-585x268.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>For on-premises accounts, the following instructions can be applied: <a href=\"http:\/\/Enforce on-premises Azure AD Password Protection for Active Directory Domain Services\">Enforce on-premises Azure AD Password Protection for Active Directory Domain Services<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Identity Protection<\/h3>\n\n\n\n<p>Azure AD Identity Protection P2 can be used for detecting leaked credentials via user risk detections. <\/p>\n\n\n\n<p>Microsoft finds leaked credentials in various places, including:<\/p>\n\n\n\n<ul>\n<li>Public paste sites such as pastebin.com and paste.ca where bad actors typically post such material. This location is most bad actors&#8217; first stop on their hunt to find stolen credentials.<\/li>\n\n\n\n<li>Law enforcement agencies.<\/li>\n\n\n\n<li>Other groups at Microsoft doing dark web research<\/li>\n<\/ul>\n\n\n\n<p>User risks are calculated offline by Microsoft&#8217;s internal and external threat intelligence sources. Matches in the leaked credentials services will be checked against the used credential of the user. <\/p>\n\n\n\n<p>Identity protection can be configured here: &nbsp;Azure Portal -&gt; Azure AD Identity Protection -&gt; User Risk policy<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"442\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-76-1024x442.png\" alt=\"\" class=\"wp-image-5462\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-76-1024x442.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-76-300x130.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-76-768x332.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-76-1536x663.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-76-2048x884.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-76-585x253.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Where the User Risk policy is based on leaked credentials\/ Azure AD threat intelligence it is recommended to configure both User Risk and Sign-in Risk. Sign-in Risk is useful for detection attempts where the request isn&#8217;t authorized by the identity owner which can be detected in later stages of the MFA fatigue attack. <\/p>\n\n\n\n<ul>\n<li>Atypical travel<\/li>\n\n\n\n<li>Anomalous Token<\/li>\n\n\n\n<li>Token Issuer Anomaly<\/li>\n\n\n\n<li>Malware linked IP address<\/li>\n\n\n\n<li>Suspicious browser<\/li>\n\n\n\n<li>Unfamiliar sign-in properties<\/li>\n\n\n\n<li>Malicious IP address<\/li>\n\n\n\n<li>Suspicious inbox manipulation rules<\/li>\n\n\n\n<li>Password spray<\/li>\n\n\n\n<li>Impossible travel<\/li>\n\n\n\n<li>New country<\/li>\n\n\n\n<li>Activity from anonymous IP address<\/li>\n\n\n\n<li>Suspicious inbox forwarding<\/li>\n\n\n\n<li>Mass Access to Senstive Files<\/li>\n<\/ul>\n\n\n\n<p>Explanation of risk detections: <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/identity-protection\/concept-identity-protection-risks\">What is risk? | Azure AD Identity Protection<\/a><\/p>\n\n\n\n<p><strong>Configure risk policies\/ automated response<\/strong><\/p>\n\n\n\n<p>Automated remediation actions can be configured using <strong>Azure AD Identity Protections policies<\/strong> or with the use of Conditional Access and the conditions <strong>User risk level<\/strong> and <strong>Sign-in risk level<\/strong>. <\/p>\n\n\n\n<p>Note: Azure AD P2 required<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"505\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-83-1024x505.png\" alt=\"\" class=\"wp-image-5476\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-83-1024x505.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-83-300x148.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-83-768x379.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-83-1536x757.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-83-585x288.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-83.png 1678w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Microsoft&#8217;s recommendation is to set the user risk policy threshold to&nbsp;<strong>High<\/strong>&nbsp;and the sign-in risk policy to&nbsp;<strong>Medium and above<\/strong>. It excludes Low and Medium risk detection from the policy, which may not block an attacker when the risk is detected as low. Selecting low gives more user impact. <\/p>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table><thead><tr><th>Policy<\/th><th>Available remediation controls<\/th><\/tr><\/thead><tbody><tr><td>User risk policy<\/td><td>&#8211; Block access<br>&#8211; Allow access (require password change)<\/td><\/tr><tr><td>Sign-in risk policy<\/td><td>&#8211; Block access<br>&#8211; Allow Access ( require multifactor authentication)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Enable additional MFA controls<\/h2>\n\n\n\n<p>Additional MFA controls can be configured for the Microsoft Authentication method. The additional enhanced settings are the way to mitigate MFA fatigue when using push notifications. <\/p>\n\n\n\n<p>Important to configure the following additional settings:<\/p>\n\n\n\n<ul>\n<li>Require number matching for push notifications<\/li>\n\n\n\n<li>Show application name in push and passwordless notification<\/li>\n\n\n\n<li>Show geographic location in push and passwordless authentication<\/li>\n<\/ul>\n\n\n\n<ol>\n<li>Go to Azure&nbsp;<strong>Active Directory<\/strong>&nbsp;-&gt;&nbsp;<strong>Security<\/strong>&nbsp;-&gt;&nbsp;<strong>Authentication Methods<\/strong><\/li>\n\n\n\n<li>Within the blade&nbsp;<strong>Authentication methods<\/strong>&nbsp;click on&nbsp;<strong>Policies&nbsp;<\/strong>and select&nbsp;<strong>Microsoft Authenticator<\/strong><\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"284\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-74-1024x284.png\" alt=\"\" class=\"wp-image-5460\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-74-1024x284.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-74-300x83.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-74-768x213.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-74-1536x425.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-74-2048x567.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-74-585x162.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Require number matching for push notifications<\/h3>\n\n\n\n<p>Number matching is currently in public preview. Microsoft gives the&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/how-to-mfa-number-match\">following explanations<\/a>&nbsp;and marks the feature as a key&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/how-to-mfa-number-match\">security upgrade<\/a>&nbsp;to traditional second-factor notifications in the Microsoft Authentication app.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p><em>Number matching is a key security upgrade to traditional second-factor notifications in the Microsoft Authenticator app that will be enabled by default for all tenants a few months after general availability (GA). We highly recommend enabling number matching in the near-term for improved sign-in security.<\/em><\/p>\n<cite>Microsoft<\/cite><\/blockquote>\n\n\n\n<p>Number matching gives improvements against MFA fatigue and will increase the security posture of MFA Authentication prompts. When a user responds to an MFA push notification using Microsoft Authentication App, they will be presented with a number. The user needs to type that number into the app to complete the approval. Attackers don\u2019t have access to the device\/app where the code needs to be filled in. For the attacker the code is visible; only the code needs to be added manually in the app itself for completing the MFA request.<\/p>\n\n\n\n<p>To enable number matching in the Azure AD portal, complete the following steps:<\/p>\n\n\n\n<ol>\n<li>Go to Azure&nbsp;<strong>Active Directory<\/strong>&nbsp;-&gt;&nbsp;<strong>Security<\/strong>&nbsp;-&gt;&nbsp;<strong>Authentication Methods<\/strong><\/li>\n\n\n\n<li>Within the blade&nbsp;<strong>Authentication methods<\/strong>&nbsp;click on&nbsp;<strong>Policies&nbsp;<\/strong>and select&nbsp;<strong>Microsoft Authenticator<\/strong><\/li>\n\n\n\n<li>Select <strong>Configure<\/strong><\/li>\n<\/ol>\n\n\n\n<p>Configure the control; <strong>Require number matching for push notifications (preview)<\/strong> and<strong> <\/strong>configure status to <strong>Enabled. <\/strong>Target <strong>All users<\/strong> or specific <strong>AzureAD <\/strong>groups.  <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"429\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-71-1024x429.png\" alt=\"\" class=\"wp-image-5457\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-71-1024x429.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-71-300x126.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-71-768x322.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-71-1536x644.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-71-585x245.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-71.png 2012w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Show application name in push and passwordless notification<\/h3>\n\n\n\n<p>Another improvement for the security posture is the enablement of the application name in notifications. When enabled the MFA prompt shows the end-user which application is performing the MFA request. <em>OfficeHome for office.com<\/em><\/p>\n\n\n\n<p>Configure the control; <strong>Show application name in push and passwordless notifications (Preview)<\/strong> and<strong> <\/strong>configure status to <strong>Enabled. <\/strong>Target <strong>All users<\/strong> or specific <strong>AzureAD <\/strong>groups.  <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"407\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-72-1024x407.png\" alt=\"\" class=\"wp-image-5458\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-72-1024x407.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-72-300x119.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-72-768x305.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-72-1536x611.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-72-2048x814.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-72-585x233.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Show geographic location in push and passwordless notifications<\/h3>\n\n\n\n<p>Show geographic location shows the geo-location ( based on IP) directly during the request. It is not always correct (VPN can be used). <\/p>\n\n\n\n<p>Configure the control; <strong>Show geographic location in push and passwordless notifications (Preview)<\/strong> and<strong> <\/strong>configure status to <strong>Enabled. <\/strong>Target <strong>All users<\/strong> or specific <strong>AzureAD <\/strong>groups.  <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"383\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-73-1024x383.png\" alt=\"\" class=\"wp-image-5459\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-73-1024x383.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-73-300x112.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-73-768x287.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-73-1536x575.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-73-2048x767.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-73-585x219.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Result<\/h3>\n\n\n\n<p><strong>Perform multiple attempts:<\/strong> viewed from the browser-session of the attacker. <\/p>\n\n\n\n<figure class=\"wp-block-video\"><video controls src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/2022-09-22_19-49-24.mp4\"><\/video><\/figure>\n\n\n\n<p><strong>Normal MFA prompt without additional MFA controls:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"571\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-78-1024x571.png\" alt=\"\" class=\"wp-image-5470\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-78-1024x571.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-78-300x167.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-78-768x428.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-78-1536x856.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-78-2048x1141.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-78-585x326.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>MFA prompt included above additional (preview) controls:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"639\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-80-1024x639.png\" alt=\"\" class=\"wp-image-5472\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-80-1024x639.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-80-300x187.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-80-768x479.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-80-1536x958.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-80-2048x1278.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-80-585x365.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">MFA Lockout option &#8211; is it protecting? -&gt; No <\/h3>\n\n\n\n<p>Currently, there are many recommendations online for enabling MFA account lockout for failed MFA attempts in Azure against MFA spamming. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"643\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-77-1024x643.png\" alt=\"\" class=\"wp-image-5466\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-77-1024x643.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-77-300x188.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-77-768x482.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-77-420x265.png 420w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-77-585x367.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-77.png 1187w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The MFA Lockout option is not protecting against MFA fatigue. MFA Account Lockout works only for MFA server, which is currently a legacy product and not supported anymore. More information: <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/authentication\/howto-mfa-mfasettings\">Configure Azure AD Multi-Factor Authentication &#8211; Azure Active Directory &#8211; Microsoft Entra | Microsoft Learn<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Conditional Access \/ Compliant device<\/h3>\n\n\n\n<p>Additional configurations in Conditional Access can definitely help with some more strict Conditional Access configurations. Conditional Access can be useful when restricting only specific locations to sign in or use the compliant device control for allowing only access from compliant devices. <\/p>\n\n\n\n<p>See the AiTM blog for more in-depth Conditional Access protections: <a>Protect against AiTM\/ MFA phishing attacks using Microsoft technology<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">FIDO2 authentication methods<\/h3>\n\n\n\n<p>Consider passwordless methods as an alternative to notification-based MFA. FIDO\/ FIDO2 is configured to resist &#8220;man in the middle attacks&#8221;\/ &#8220;MFA-spamming&#8221;. <\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Hunting in Sentinel\/ Log Analytics<\/h2>\n\n\n\n<p>Currently, there is no built-in alert in AzureAD\/ Defender or Sentinel for detecting MFA prompt attempts. With the usage of audit logs, KQL can be used for hunting for MFA abuse attempts. <\/p>\n\n\n\n<p>SigninLogs contains all needed events. Can be connected using the Azure Active Directory &#8211; Signin logs connector in Sentinel. <\/p>\n\n\n\n<p>Tip: No budget\/ option for Sentinel? Events can be streamed via Azure AD Diagnostic Settings to Log Analytics workspace. On top of the Log Analytics workspace KQL can be used. <\/p>\n\n\n\n<p>Go to <strong>Azure AD<\/strong> -&gt; <strong>Diagnostic Settings<\/strong> and add a new diagnostic setting. Select the logs and destination <strong>Log Analytics workspace<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"588\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-84-1024x588.png\" alt=\"\" class=\"wp-image-5477\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-84-1024x588.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-84-300x172.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-84-768x441.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-84-1536x882.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-84-585x336.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-84.png 1654w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>KQL: MFA status denied by the user<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SigninLogs \n| where ResultType == 500121 \n| where Status has \"MFA Denied; user declined the authentication\" or Status has \"MFA denied; Phone App Reported Fraud\"<\/code><\/pre>\n\n\n\n<p><strong>KQL: MFA status denied (user did not respond)<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SigninLogs \n| where ResultType == 500121 \n| extend AuthResult = tostring(parse_json(AuthenticationDetails)&#91;1].authenticationStepResultDetail)\n| where AuthResult in (\"MFA denied; user declined the authentication\",\"MFA denied; user did not respond to mobile app notification\")<\/code><\/pre>\n\n\n\n<p>Matt Zorich published interesting queries which can be used for detecting MFA spam activity. Make sure to view the <a href=\"https:\/\/github.com\/reprise99\/Sentinel-Queries\">GitHub source<\/a> for all related Sentinel\/ KQL queries. <\/p>\n\n\n\n<p>Below queries are created by <a href=\"https:\/\/mobile.twitter.com\/reprise_99\">Matt Zorich<\/a>; <\/p>\n\n\n\n<p><strong>Summarize all denies or not responding in one-hour timeframe<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"434\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-81-1024x434.png\" alt=\"\" class=\"wp-image-5474\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-81-1024x434.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-81-300x127.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-81-768x326.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-81-1536x652.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-81-2048x869.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-81-585x248.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The below queries summarizes all authentication request by UserPrincipalName and shows the results when more than 3 failures are generated in an hour timeframe. <\/p>\n\n\n\n<p>KQL query:<\/p>\n\n\n\n<p>Source: <a href=\"https:\/\/github.com\/reprise99\/Sentinel-Queries\/blob\/main\/Azure%20Active%20Directory\/Identity-PotentialMFASpam.kql\">Sentinel-Queries\/Identity-PotentialMFASpam.kql at main \u00b7 reprise99\/Sentinel-Queries (github.com)<\/a><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SigninLogs\n| project\n    TimeGenerated,\n    AuthenticationRequirement,\n    AuthenticationDetails,\n    UserPrincipalName,\n    CorrelationId\n| where AuthenticationRequirement == \"multiFactorAuthentication\"\n| extend AuthResult = tostring(parse_json(AuthenticationDetails)&#91;1].authenticationStepResultDetail)\n| where AuthResult in (\"MFA denied; user declined the authentication\",\"MFA denied; user did not respond to mobile app notification\")\n| summarize &#91;'Result Types']=make_list(AuthResult), &#91;'Result Count']=count() by UserPrincipalName, bin(TimeGenerated, 60m)\n\/\/Find hits with greater than 3 failures in an hour\n| where &#91;'Result Count'] &gt; 3<\/code><\/pre>\n\n\n\n<p><strong>Detect when a user denies MFA several times<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"381\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-82-1024x381.png\" alt=\"\" class=\"wp-image-5475\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-82-1024x381.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-82-300x112.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-82-768x286.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-82-1536x572.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-82-2048x763.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-82-585x218.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Useful query when the user denies MFA several times within a single sign-in attempt ( CorrelationId) and then completes the MFA. The below example shows (3 attempts) before the user successfully signed in. <\/p>\n\n\n\n<p>KQL query:<\/p>\n\n\n\n<p>Source: <a href=\"https:\/\/github.com\/reprise99\/Sentinel-Queries\/blob\/main\/Azure%20Active%20Directory\/Identity-PotentialMFASpam.kql\">Sentinel-Queries\/Identity-PotentialMFASpam.kql at main \u00b7 reprise99\/Sentinel-Queries (github.com)<\/a><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>let threshold=2;\nSigninLogs\n| project\n    TimeGenerated,\n    AuthenticationRequirement,\n    AuthenticationDetails,\n    UserPrincipalName,\n    CorrelationId\n\/\/Include only authentications that require MFA\n| where AuthenticationRequirement == \"multiFactorAuthentication\"\n\/\/Extend authentication result description\n| extend AuthResult = tostring(parse_json(AuthenticationDetails)&#91;1].authenticationStepResultDetail)\n\/\/Find results that include both denined and completed MFA\n| where AuthResult in (\"MFA completed in Azure AD\", \"MFA denied; user declined the authentication\",\"MFA denied; user did not respond to mobile app notification\")\n\/\/Create a list of completed and denied MFA challenges per correlation id\n| summarize &#91;'Result Types']=make_list(AuthResult) by CorrelationId, UserPrincipalName\n\/\/Ensure the list includes both completed and denied MFA challenges\n| where &#91;'Result Types'] has (\"MFA completed in Azure AD\") and &#91;'Result Types'] has_any (\"MFA denied; user declined the authentication\", \"MFA denied; user did not respond to mobile app notification\")\n| mv-expand &#91;'Result Types'] to typeof(string)\n\/\/Expand and count all the denied challenges and then return CorrelationId's where the MFA denied count is greater or equal to your threshold\n| where &#91;'Result Types'] has_any (\"MFA denied; user declined the authentication\",\"MFA denied; user did not respond to mobile app notification\")\n| summarize &#91;'Denied MFA Count']=count()by &#91;'Result Types'], CorrelationId, UserPrincipalName\n| where &#91;'Denied MFA Count'] &gt;= threshold<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Cybersecurity Awareness<\/h2>\n\n\n\n<p>Educating users is important and part of preventing these types of MFA spamming in combination with some additional technical controls. Before getting any push notification, always think before clicking. With the use of additional context, users can make a better decision of approval is needed. In combination with number matching it gives some sort of mitigation. All there is no golden protection protecting against all forms of MFA fatigue.. <\/p>\n\n\n\n<p>Users must be trained on using Strong Passwords, Phishing, Social Engineering, Social Media Security, etc. <\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Consider passwordless methods as an alternative to notification-based MFA. FIDO2 is configured to resist &#8220;man in the middle attacks&#8221;. Of course there is no golden protection against all forms of social engineering \/ MFA abuse; important to track additional events such as MFA enrollment\/ Device replacement\/ MFA reset or credential resets. <\/p>\n\n\n\n<p>Hopefully, this blog gives some tips\/ hints which can be used. Of course; this is a small set of available security protections which can be used. <\/p>\n\n\n\n<p>Stay safe; follow me on <a href=\"https:\/\/twitter.com\/JeffreyAppel7\">Twitter<\/a> or<a href=\"https:\/\/www.linkedin.com\/in\/jeffrey-appel-nl\/\"> LinkedIn<\/a> for more quick insights and blogs around Microsoft security. <\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Sources<\/h2>\n\n\n\n<p><strong>Uber related:<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/www.uber.com\/newsroom\/security-update\/\">Security update | Uber.com<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/mobile.twitter.com\/hacker_\/status\/1570582547415068672\">Twitter thread by @hacker_<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/mobile.twitter.com\/BillDemirkapi\/status\/1570602097640607744\">Twitter thread by @BillDemirkapi<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1570717994397073410\">Twitter thread by @GossiTheDog<\/a><\/p>\n\n\n\n<p><strong>Microsoft<\/strong>:<\/p>\n\n\n\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/03\/22\/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction\/\">DEV-0537 criminal actor targeting organizations for data exfiltration and destruction<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/how-to-mfa-number-match\">Use number matching<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/07\/12\/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud\/\">From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. With the rise of more default protection with the use of multi-factor authentication the MFA Fatigue technique is rising. In the past&#8230;<\/p>\n","protected":false},"author":1,"featured_media":5472,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[189],"tags":[252,223],"table_tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to mitigate MFA fatigue and learn from the Uber breach for additional protection<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to mitigate MFA fatigue and learn from the Uber breach for additional protection\" \/>\n<meta property=\"og:description\" content=\"Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. With the rise of more default protection with the use of multi-factor authentication the MFA Fatigue technique is rising. In the past...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/\" \/>\n<meta property=\"og:site_name\" content=\"Jeffrey Appel - Microsoft Security blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-09-22T19:23:45+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-27T21:14:43+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-80.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2241\" \/>\n\t<meta property=\"og:image:height\" content=\"1398\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jeffrey\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jeffrey\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"17 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/\",\"url\":\"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/\",\"name\":\"How to mitigate MFA fatigue and learn from the Uber breach for additional protection\",\"isPartOf\":{\"@id\":\"https:\/\/jeffreyappel.nl\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-80.png\",\"datePublished\":\"2022-09-22T19:23:45+00:00\",\"dateModified\":\"2023-07-27T21:14:43+00:00\",\"author\":{\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42\"},\"breadcrumb\":{\"@id\":\"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/#primaryimage\",\"url\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-80.png\",\"contentUrl\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-80.png\",\"width\":2241,\"height\":1398},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jeffreyappel.nl\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to mitigate MFA fatigue and learn from the Uber breach for additional protection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jeffreyappel.nl\/#website\",\"url\":\"https:\/\/jeffreyappel.nl\/\",\"name\":\"Jeffrey Appel - Microsoft Security blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jeffreyappel.nl\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42\",\"name\":\"Jeffrey\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g\",\"caption\":\"Jeffrey\"},\"url\":\"https:\/\/jeffreyappel.nl\/author\/contact\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to mitigate MFA fatigue and learn from the Uber breach for additional protection","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/","og_locale":"en_US","og_type":"article","og_title":"How to mitigate MFA fatigue and learn from the Uber breach for additional protection","og_description":"Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. With the rise of more default protection with the use of multi-factor authentication the MFA Fatigue technique is rising. In the past...","og_url":"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/","og_site_name":"Jeffrey Appel - Microsoft Security blog","article_published_time":"2022-09-22T19:23:45+00:00","article_modified_time":"2023-07-27T21:14:43+00:00","og_image":[{"width":2241,"height":1398,"url":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-80.png","type":"image\/png"}],"author":"Jeffrey","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jeffrey","Est. reading time":"17 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/","url":"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/","name":"How to mitigate MFA fatigue and learn from the Uber breach for additional protection","isPartOf":{"@id":"https:\/\/jeffreyappel.nl\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/#primaryimage"},"image":{"@id":"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/#primaryimage"},"thumbnailUrl":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-80.png","datePublished":"2022-09-22T19:23:45+00:00","dateModified":"2023-07-27T21:14:43+00:00","author":{"@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42"},"breadcrumb":{"@id":"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/#primaryimage","url":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-80.png","contentUrl":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/09\/image-80.png","width":2241,"height":1398},{"@type":"BreadcrumbList","@id":"https:\/\/jeffreyappel.nl\/how-to-prevent-mfa-fatigue-and-learn-from-the-uber-breach-for-additional-protection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jeffreyappel.nl\/"},{"@type":"ListItem","position":2,"name":"How to mitigate MFA fatigue and learn from the Uber breach for additional protection"}]},{"@type":"WebSite","@id":"https:\/\/jeffreyappel.nl\/#website","url":"https:\/\/jeffreyappel.nl\/","name":"Jeffrey Appel - Microsoft Security blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jeffreyappel.nl\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42","name":"Jeffrey","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g","caption":"Jeffrey"},"url":"https:\/\/jeffreyappel.nl\/author\/contact\/"}]}},"amp_enabled":false,"_links":{"self":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/5456"}],"collection":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/comments?post=5456"}],"version-history":[{"count":17,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/5456\/revisions"}],"predecessor-version":[{"id":7278,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/5456\/revisions\/7278"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/media\/5472"}],"wp:attachment":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/media?parent=5456"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/categories?post=5456"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/tags?post=5456"},{"taxonomy":"table_tags","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/table_tags?post=5456"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}