You’ve probably already heard about the recent Uber security breach. The key quote from what happened:
Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.
The problem with this? If you are getting MFA push notifications that you did not trigger, it usually means the attacker already has your password. By accepting the prompt, you have handed the attacker the keys to your account. If you ever get an MFA request that you don't recognize, deny it and change your password immediately.
Attackers know this, so their newer technique is to exploit people's fatigue with MFA: they repeatedly spam the user with push notifications for MFA verification, hoping the user will eventually accept one because they assume it came from a legitimate source. All it takes is a single approval to let them in.
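As an added illustration of what that pattern looks like from the defender's side (this is not code from the original post or from CompleteCare), here is a small Python detector that scans sign-in records for a burst of rejected or timed-out MFA pushes and flags the case where an approval follows the burst. The log layout, field names, sample values and thresholds are all assumptions constructed for the example.

```python
"""Detect MFA push-fatigue bursts in constructed sign-in log records.

Assumed record layout (hypothetical, not a real Azure AD export):
  <ISO timestamp> <user> <mfa_result>
where mfa_result is "denied", "timeout" or "approved".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). One user is being spammed
# with pushes and finally approves one; the other has a single normal login.
SAMPLE_LOG = """\
2022-09-15T22:01:05Z alice@example.com denied
2022-09-15T22:01:40Z alice@example.com timeout
2022-09-15T22:02:10Z alice@example.com denied
2022-09-15T22:02:55Z alice@example.com denied
2022-09-15T22:03:30Z alice@example.com approved
2022-09-15T22:04:00Z bob@example.com approved
"""


def parse_log(text):
    """Parse the constructed lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Return {user: verdict} for users with >= threshold unapproved pushes in `window`.

    verdict is "spam" for a burst of denied/timed-out pushes and
    "compromise_likely" when an approval follows such a burst, which is the
    pattern where the victim finally gives in (the Uber case)."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    findings = {}
    for user, evs in by_user.items():
        rejected = []  # timestamps of denied/timeout pushes inside the sliding window
        for ts, result in evs:
            rejected = [t for t in rejected if ts - t <= window]
            if result in ("denied", "timeout"):
                rejected.append(ts)
                if len(rejected) >= threshold:
                    findings.setdefault(user, "spam")
            elif result == "approved" and len(rejected) >= threshold:
                findings[user] = "compromise_likely"
    return findings
```

A "compromise_likely" hit is the one to treat as an incident (reset the password, revoke sessions), while a plain "spam" hit still means the password is probably known to someone else.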
For CompleteCare clients, we go through a hardening process that locks down access to Office 365/Azure, and we recommend MFA on all accounts we manage. We are currently testing Microsoft Authenticator's additional-context notifications internally before rolling them out to clients; these give users more useful information in the push notifications they receive, which should help them spot and reject prompts they did not trigger.