
Barnes Projects

MFA Bombing and MFA Fatigue in TLCTC Attack Path Notation

MFA Bombing (also known as MFA Fatigue or MFA Push Spam) is an authentication bypass technique where an attacker, having already obtained valid user credentials, repeatedly triggers Multi-Factor Authentication (MFA) push notifications to the legitimate user's device. By overwhelming the user with continuous authentication requests, the attacker aims to either annoy the user into accidentally accepting a push notification or wear down their security vigilance through alert fatigue. This technique gained prominence in various high-profile breaches, including the 2022 Uber compromise.

Attack Path: #4 -> #1 -> #9 -> #4

1. Initial stage (#4 Identity Theft): the attacker has already obtained the user ID and password.

2. MFA Bombing (#1 Abuse of Functions)

3. MFA Fatigue (#9 Social Engineering)

4. Final stage (#4 Identity Theft again)

This sequence shows how the TLCTC framework makes an attack chain legible. The ability to request MFA challenges repeatedly is not a code flaw (#2/#3) but an abuse of intended functionality (#1); that abuse is then combined with social engineering (#9) to complete the identity theft (#4).
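The #1 and #9 stages leave a recognisable trace in authentication logs: a burst of push challenges for one account, a run of denials, and finally an approval. The following added example (not code from the original page or from the Barnes Projects site) shows a minimal detection over constructed log lines. The log format, the field names `user=`, `event=`, `result=`, and the thresholds are assumptions for illustration; a real deployment would read the identity provider's own MFA event stream and tune the window and thresholds to its baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (hypothetical format, not from any real IdP):
# <ISO timestamp> user=<id> event=push_sent|push_result [result=approved|denied]
SAMPLE_LOG = """\
2024-05-01T09:00:00Z user=bob event=push_sent
2024-05-01T09:00:04Z user=bob event=push_result result=approved
2024-05-01T09:10:00Z user=alice event=push_sent
2024-05-01T09:10:03Z user=alice event=push_result result=denied
2024-05-01T09:10:20Z user=alice event=push_sent
2024-05-01T09:10:25Z user=alice event=push_result result=denied
2024-05-01T09:10:40Z user=alice event=push_sent
2024-05-01T09:10:44Z user=alice event=push_result result=denied
2024-05-01T09:11:00Z user=alice event=push_sent
2024-05-01T09:11:05Z user=alice event=push_result result=denied
2024-05-01T09:11:20Z user=alice event=push_sent
2024-05-01T09:11:40Z user=alice event=push_sent
2024-05-01T09:11:50Z user=alice event=push_result result=approved
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+event=(?P<event>\S+)"
    r"(?:\s+result=(?P<result>\S+))?\s*$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "event": m["event"], "result": m["result"]}


def detect_mfa_bombing(lines, window=timedelta(minutes=10), push_threshold=5, denial_run=3):
    """Return a list of alert tuples (kind, user, timestamp, count).

    'push_spam'        - push_threshold challenges sent to one user within `window`
                         (the #1 Abuse of Functions stage).
    'fatigue_approval' - an approval that follows at least `denial_run` consecutive
                         denials (the #9 -> #4 stage, the user finally giving in).
    """
    pushes = defaultdict(deque)   # user -> timestamps of recent push_sent events
    denials = defaultdict(int)    # user -> length of current run of denials
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, ts = rec["user"], rec["ts"]
        if rec["event"] == "push_sent":
            q = pushes[user]
            q.append(ts)
            # Slide the window: drop pushes older than `window` relative to this one.
            while q and ts - q[0] > window:
                q.popleft()
            # Alert exactly once when the count crosses the threshold.
            if len(q) == push_threshold:
                alerts.append(("push_spam", user, ts, len(q)))
        elif rec["event"] == "push_result":
            if rec["result"] == "denied":
                denials[user] += 1
            elif rec["result"] == "approved":
                if denials[user] >= denial_run:
                    alerts.append(("fatigue_approval", user, ts, denials[user]))
                denials[user] = 0


    return alerts


if __name__ == "__main__":
    for kind, user, ts, count in detect_mfa_bombing(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind} user={user} count={count}")
```

On the sample above, `bob` (one push, one approval) produces nothing, while `alice` triggers a `push_spam` alert at the fifth challenge and a `fatigue_approval` alert when the approval follows four denials. The second alert is the more urgent one, since it marks the moment the attack path reaches #4 again; a reasonable response is to treat that session as suspect rather than trusting the approval.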

PROJECT REFERENCE: Cyber Threat Clusters

EXTERNAL REFERENCE: none

No additional updates are scheduled at this time.