Skip to content
Threat Feed
high advisory

PingID MFA Bombing Attack

Adversaries attempt to bypass multi-factor authentication by flooding users with push notifications, hoping they will eventually accept a fraudulent request, potentially leading to unauthorized access.

This brief addresses the threat of MFA fatigue attacks targeting PingID environments. The attack involves overwhelming a user with numerous MFA push notifications in a short period, hoping they will eventually approve one accidentally or out of frustration. While the source doesn't attribute this activity to a specific actor, similar techniques have been associated with financially motivated groups and nation-state actors. The detection logic focuses on identifying users with 10 or more failed MFA attempts within a 10-minute window, using JSON logs from PingID. Defenders need to be aware of this technique as a successful bypass could grant attackers initial access or privilege escalation within the targeted network.

Attack Chain

  1. The attacker gains initial access using previously compromised credentials or through credential harvesting.
  2. The attacker attempts to authenticate to a resource protected by PingID.
  3. PingID prompts the legitimate user for MFA.
  4. The attacker initiates repeated login attempts in rapid succession.
  5. PingID sends multiple MFA push notifications to the user's registered device.
  6. The user is bombarded with MFA requests and may accidentally or unknowingly approve one.
  7. Upon successful MFA bypass, the attacker gains unauthorized access to the targeted resource or system.
  8. The attacker performs malicious activities such as data exfiltration, lateral movement, or privilege escalation.

Impact

A successful MFA fatigue attack can lead to a full compromise of user accounts, granting attackers access to sensitive data and systems. This can result in data breaches, financial losses, and reputational damage. While this technique can affect any organization using PingID for MFA, sectors with high-value data, such as finance and healthcare, may be particularly attractive targets. If successful, the attacker can bypass an intended security control and gain unauthorized access to critical resources.

Recommendation

  • Deploy the Sigma rule Detect PingID Multiple Failed MFA Requests to your SIEM to identify potential MFA fatigue attacks in real-time, tuning the threshold (mfa_prompts >= 10) to suit your environment.
  • Investigate any alerts generated by the Sigma rule Detect PingID Multiple Failed MFA Requests to determine the legitimacy of the MFA requests and user behavior.
  • Implement user education programs to raise awareness about MFA fatigue attacks and advise users to reject any unexpected or excessive MFA requests.
  • Review and adjust PingID MFA settings to potentially limit the number of allowed MFA attempts within a specific time frame to mitigate the impact of MFA bombing.
  • Consider implementing additional security measures, such as IP-based access restrictions, to further protect against unauthorized access attempts.

Detection coverage 1

Detect PingID MFA Requests From Unusual IP Address

medium

Detects PingID MFA requests originating from a previously unseen or unusual IP address for a given user, potentially indicating account compromise.

sigma tactics: credential_access, initial_access techniques: T1078 sources: application, pingid

Detection queries are available on the platform. Get full rules →