
Why Your Second Factor Won’t Save You

Multi-factor authentication (MFA) was supposed to fill a critical gap in identity security. It meant that, even if an attacker had the account credentials, they couldn’t get in without the second factor. That logic still holds, but attackers have discovered that they don’t need to steal the second factor: they just need the user to hand it over.

If your employees authenticate with push-based MFA, this attack is a live threat to your organization today. Tools like Specops Secure Access are designed specifically to close that gap, but before getting into the fix, it’s worth understanding how this method works.

How MFA push bombing works

An attack requires three key elements to be effective:

  • Valid account credentials, often found in dumps of cracked passwords on the dark web
  • A portal that uses app-based push MFA (such as a VPN, Microsoft 365, Okta, or Duo)
  • A victim who receives a push prompt every time the attacker attempts to log in

Attackers fire off these prompts repeatedly, hoping to confuse the target or wear them down until they approve the request. Sometimes, attackers pair the push bombardment with a vishing call pretending to be from IT, urging the target to accept the prompt. The catch is that the method only has to work once.

If the prompt is accepted, the attacker is logged in as that user. Security tooling will usually raise no alarm, because the login looks completely legitimate.

Cisco breach

The 2022 Cisco breach is a prime example of how effective this approach is even against a mature security program. An attacker linked to the Yanluowang ransomware group compromised a Cisco employee’s personal Google account, which synced the credentials saved in the browser, including the employee’s Cisco VPN password.

From there, the attacker sent MFA push prompts to the employee’s phone. That didn’t work at first, so they followed up with vishing calls impersonating trusted support organizations, using different names, and eventually convinced the employee to accept the app notification.

Once accepted, the attacker had VPN access as the employee. They then enrolled their own devices for MFA to persist, escalated to administrative privileges, accessed Citrix servers and domain administrator accounts, and exfiltrated approximately 2.8 GB of data, which was later released. The fact that push bombing worked against a company like Cisco, which is far from having a weak security posture, highlights how dangerous and effective the attack is.

Why push-based MFA doesn’t eliminate the risk

The problem with push-based MFA is that users are asked to approve or deny a login with very little to go on. There is no clear indication of where the request originated, what device is being used, or whether the login attempt was initiated by the user at all. A single prompt may be manageable. But when prompts start arriving repeatedly, it’s easier to assume something is glitching than to recognize it as a possible attack.

When that’s paired with a well-timed call from someone pretending to be IT support, the situation becomes even harder to diagnose. At that point, the user is not acting recklessly, but responding to a situation designed to feel familiar and legitimate, built on credentials the attacker already has.

3 ways organizations can stop push bombing

1. Use fatigue-resistant and phishing-resistant MFA

Push notifications are a weak form of MFA in general. Phishing-resistant methods such as FIDO2 security keys, hardware tokens like YubiKey, or number matching in authenticator apps are far harder to exploit.
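To make the difference concrete, here is an added example (not code from the page or from Specops) that models a plain approve/deny push next to a number-matching push. The store, TTL and request ids are assumptions for illustration; the point is that with number matching the approver must supply the value shown on the initiator’s screen, which someone who did not start the login never sees, so a blind tap on a prompt approves nothing.

```python
import hmac
import secrets
import time

# Constructed in-memory store of pending push challenges, keyed by request id.
# In a real identity provider this state lives server-side; it is modelled here only.
PENDING = {}
CHALLENGE_TTL = 60  # assumed lifetime of a pending prompt, in seconds


def start_login(user, now=None):
    """Login-screen side: register a pending challenge and return the request id
    together with the two-digit number that only the *initiator* sees."""
    now = time.time() if now is None else now
    request_id = secrets.token_hex(8)
    number = secrets.randbelow(100)  # 00-99, drawn from a CSPRNG
    PENDING[request_id] = {"user": user, "number": number, "expires": now + CHALLENGE_TTL}
    return request_id, f"{number:02d}"


def approve_plain_push(request_id):
    """Classic approve/deny push: a single tap approves, with no proof that the
    approver is the person who initiated the login."""
    return PENDING.pop(request_id, None) is not None


def approve_with_number(request_id, typed_number, now=None):
    """Number-matching push: the approver must type the number displayed on the
    initiator's screen. Wrong number, expired challenge or unknown id -> denied."""
    now = time.time() if now is None else now
    challenge = PENDING.get(request_id)
    if challenge is None or now > challenge["expires"]:
        PENDING.pop(request_id, None)  # drop stale challenges so they cannot be replayed
        return False
    expected = f"{challenge['number']:02d}"
    ok = hmac.compare_digest(expected, str(typed_number).zfill(2))  # constant-time compare
    if ok:
        del PENDING[request_id]  # single use: a matched challenge cannot be approved twice
    return ok


if __name__ == "__main__":
    rid, shown = start_login("alice")
    print("initiator sees:", shown)
    print("approver types wrong value:", approve_with_number(rid, f"{(int(shown) + 1) % 100:02d}"))
    print("approver types shown value:", approve_with_number(rid, shown))
```

Pair this with a short expiry and a cap on outstanding prompts per user, and an attacker who holds only the password cannot complete the login without talking the user into reading a number the attacker sees but the user never requested.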

Specops Secure Access supports more than 15 identity providers and includes fatigue-resistant options for Windows logon, RDP, and VPN connections, so organizations can stop relying on push-only MFA at high-risk access points.


2. Block compromised passwords at the source

Push bombing is only possible if the attacker already has a valid password. Continuously scanning Active Directory (AD) against a live database of breached passwords, and forcing a reset when a match is found, removes the fuel for the attack. Default AD password policies will not catch passwords that are reused or already compromised. If you don’t know where you stand today, Specops Password Auditor is a free, read-only scanner for your AD that flags weaknesses such as compromised passwords and inactive administrator accounts.
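The following added example (not the page’s or Specops’ code) shows why a complexity rule alone misses compromised passwords, and how a breached-password check can be done without sending the password anywhere: the client hashes locally and queries only a 5-character SHA-1 prefix, then matches the remaining suffix itself (the k-anonymity range scheme used by Pwned Passwords). The breach corpus, its counts and the “default policy” model are constructed stand-ins, not real data.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of a password, the key format used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus: SHA-1 -> number of breach
# appearances. A real deployment queries a live database; this keeps the example offline.
BREACH_CORPUS = {
    sha1_hex("password"): 9_000_000,
    sha1_hex("Summer2023!"): 1_200,
    sha1_hex("letmein"): 300_000,
}


def range_lookup(prefix: str) -> dict:
    """Server side of a k-anonymity range query: for a 5-hex-char prefix, return
    every (suffix, count) in the corpus sharing it. The server never learns which
    suffix (if any) the client actually holds."""
    assert len(prefix) == 5, "range queries take exactly the first 5 hex characters"
    return {h[5:]: count for h, count in BREACH_CORPUS.items() if h.startswith(prefix)}


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup(prefix).get(suffix, 0)


def default_policy_ok(password: str) -> bool:
    """Rough model (an assumption, not AD's exact rules) of a default complexity
    policy: at least 8 characters and 3 of 4 character classes."""
    classes = sum(
        [
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
        ]
    )
    return len(password) >= 8 and classes >= 3


def evaluate(password: str) -> str:
    """Combine both checks: a complexity-compliant but breached password still
    needs a reset, which is the gap a default policy leaves open."""
    if breach_count(password) > 0:
        return "reset_required"
    if not default_policy_ok(password):
        return "rejected_by_policy"
    return "ok"


if __name__ == "__main__":
    for candidate in ["Summer2023!", "password", "correct horse battery staple 9Z!"]:
        print(f"{candidate!r}: policy_ok={default_policy_ok(candidate)} "
              f"breaches={breach_count(candidate)} -> {evaluate(candidate)}")
```

Note the asymmetry the passage describes: “Summer2023!” satisfies the complexity model yet is flagged by the breach check, which is exactly the class of password that fuels push bombing. Directory-side scanners work on the password hashes stored in AD rather than on plaintext, but the prefix-and-suffix matching logic is the same.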


3. Add login risk signals

Conditional access policies that evaluate location, device posture, and login time can block the attempt or step up authentication before a prompt is ever sent to the user’s phone. This reduces reliance on user judgment alone and introduces real-time context that stops suspicious logins before they become a successful account compromise.
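The gate below is an added example (not the page’s or any vendor’s code) of the decision this section describes, and it also covers the repeated-prompt pattern from the attack description earlier: before a push is sent, the sign-in is scored on new location, device compliance, off-hours timing and how many prompts that user has already received in the last ten minutes. Thresholds, the work-hours window and the sample events are constructed assumptions; the velocity rule is what directly neutralises a bombing run, because after a handful of prompts nothing further reaches the phone.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone

PROMPT_WINDOW = 600  # assumed: look back 10 minutes when counting prompts per user
MAX_PROMPTS = 3      # assumed: no more than 3 prompts per user inside that window


@dataclass
class SignIn:
    user: str
    ts: float              # epoch seconds, UTC
    country: str           # geo-IP country of the request
    device_compliant: bool # device posture as reported by the endpoint management tool


class PushGate:
    """Decides allow_push / step_up / block before any MFA prompt is dispatched."""

    def __init__(self, known_countries, work_hours=(7, 20)):
        self.known = known_countries          # user -> set of countries seen before
        self.work_hours = work_hours          # inclusive start hour, exclusive end hour (UTC)
        self.recent = defaultdict(deque)      # user -> timestamps of prompts actually sent

    def decide(self, s: SignIn):
        signals = []
        if s.country not in self.known.get(s.user, set()):
            signals.append("new_location")
        if not s.device_compliant:
            signals.append("noncompliant_device")
        hour = datetime.fromtimestamp(s.ts, tz=timezone.utc).hour
        if not (self.work_hours[0] <= hour < self.work_hours[1]):
            signals.append("off_hours")

        # Prompt velocity: drop prompts older than the window, then count what is left.
        sent = self.recent[s.user]
        while sent and s.ts - sent[0] > PROMPT_WINDOW:
            sent.popleft()
        if len(sent) >= MAX_PROMPTS:
            signals.append("prompt_velocity")

        if "prompt_velocity" in signals or "noncompliant_device" in signals:
            decision = "block"      # nothing is sent to the phone at all
        elif signals:
            decision = "step_up"    # e.g. require FIDO2 or number matching instead of plain push
        else:
            decision = "allow_push"

        if decision != "block":
            sent.append(s.ts)       # every dispatched prompt counts toward the velocity limit
        return decision, signals


def ts(hour, minute):
    """Constructed timestamp on 2024-01-15 UTC for the sample events."""
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc).timestamp()


def run_scenario():
    """Replay a constructed sequence: a prompt burst against alice, a follow-up from an
    unfamiliar country after the window lapses, and an off-hours non-compliant login by bob."""
    gate = PushGate(known_countries={"alice": {"US"}, "bob": {"US"}})
    events = [
        SignIn("alice", ts(9, 0), "US", True),
        SignIn("alice", ts(9, 1), "US", True),
        SignIn("alice", ts(9, 2), "US", True),
        SignIn("alice", ts(9, 3), "US", True),    # 4th prompt in 10 minutes -> blocked
        SignIn("alice", ts(9, 4), "RO", True),    # still inside the window -> blocked
        SignIn("alice", ts(9, 20), "RO", True),   # window lapsed, unfamiliar country -> step_up
        SignIn("bob", ts(2, 30), "US", False),    # off hours + non-compliant device -> blocked
    ]
    return [gate.decide(e) for e in events]


if __name__ == "__main__":
    for decision, signals in run_scenario():
        print(f"{decision:10s} {signals}")
```

In production the "block" outcome should also raise an alert, since a burst of prompts for one account is itself evidence that the password is already in an attacker’s hands and needs to be reset.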

MFA is still important

MFA push bombing isn’t a reason to move away from MFA, but it does highlight where certain methods fall short. If approval requests can be triggered repeatedly without meaningful context, the control becomes easier to manipulate than intended.

If push is still your default second factor, it’s worth revisiting that decision. Number matching and phishing-resistant methods strengthen the MFA step itself, while scanning for compromised passwords reduces the chance of attackers ever holding the first factor. If you’re looking to improve your identity security with strong MFA, talk to Specops.
