MFA-Fatigue and Guidance

In recent years cybercriminal groups have made headlines by systematically bypassing Multi-Factor Authentication (MFA), the security control that many New Zealand businesses rely on to protect their digital assets. One of the most notorious groups, Scattered Spider, has orchestrated high-profile breaches using a technique called MFA fatigue attacks, and their methods pose an equally serious threat to Kiwi businesses of all sizes.

New Zealanders lost $6.8M to cybercrime in quarter 4 2024, up 24% from $5.5M in quarter 3, according to CERT NZ. This trend highlights why understanding and defending against advanced identity-based attacks like MFA fatigue has never been more critical for New Zealand organisations.

What Are MFA-Fatigue Attacks and Why Should You Care?

MFA-fatigue attacks exploit the human element by overwhelming users with authentication requests until they give in. The process is simple yet effective. Attackers first obtain legitimate usernames and passwords through phishing or credential stuffing, then use automated systems to generate continuous MFA push notifications in rapid succession.

The attack exploits psychological factors that make it hard to resist. Users become desensitised to repeated alerts, creating notification fatigue. The constant pinging creates pressure to “make it stop” and users may approve requests hastily to return to work tasks. Since push notifications look legitimate, many people trust familiar interfaces without questioning unusual timing or frequency.

Upon successful approval, attackers establish persistent access and begin lateral movement immediately. Additional accounts are often compromised using the same techniques, and data exfiltration or ransomware deployment follows within hours or days.

Key Points:

  • Attackers flood users with MFA requests until they approve one
  • Exploits psychological pressure and notification fatigue
  • Leads to account compromise and lateral movement
  • Can result in ransomware or data theft

Why New Zealand Organisations Are Sitting Ducks

New Zealand’s business landscape creates several factors that make local organisations attractive targets. Our workplace culture emphasises trust and helpfulness, making employees more likely to approve authentication requests without scrutiny. Post-COVID remote work has normalised unusual login patterns, making suspicious activity less obvious.

Many Kiwi businesses rely heavily on Microsoft 365 services, which CERT NZ notes see “a large number of phishing attacks”. This dependence, combined with basic push notification MFA and no additional security controls, creates an ideal environment for these attacks. Resource constraints mean smaller organisations often lack dedicated cybersecurity personnel and may have inconsistent security awareness programs.

Risk Factors for NZ Businesses:

  • High-trust workplace culture
  • Heavy reliance on Microsoft 365
  • Basic MFA implementations without enhanced controls
  • Limited cybersecurity resources and training
  • Normalised remote work patterns

Strengthening Your MFA Defences

The most effective step is moving beyond simple push notifications to advanced MFA technologies. Number matching in Microsoft Authenticator requires users to type a number displayed on the sign-in screen rather than simply approving a request, so a prompt the user did not initiate cannot be approved blindly. FIDO2 security keys offer higher security than traditional methods because they resist phishing. Biometric authentication using fingerprint or face recognition provides additional security where supported.

Avoid SMS-based MFA as it’s outdated and less secure. Use application-based MFA like Microsoft or Google Authenticator instead. Apply MFA universally to all accounts, including contractors and suppliers, and implement it for administrative interfaces, VPN access, and cloud services.

User education represents another critical defence layer. Regular phishing simulations that include MFA-fatigue scenarios help users recognise suspicious requests. Training should cover legitimate reasons for MFA requests and establish clear escalation procedures for suspicious activity.

Implementation Checklist:

  • Enable number matching in Microsoft Authenticator
  • Deploy FIDO2 security keys for high-privilege accounts
  • Replace SMS-based MFA with app-based solutions
  • Apply MFA to all accounts including contractors
  • Conduct regular phishing simulations with MFA scenarios
  • Train users on legitimate vs suspicious MFA requests

Technical Controls That Actually Work

Implementing conditional access policies provides powerful protection against identity-based attacks. Location-based access controls flag logins from unusual geographic locations, while device compliance requirements prevent access from unmanaged devices. Risk-based authentication requires additional verification for suspicious activity, and session controls limit access duration.

Identity protection and monitoring help detect attacks in progress. User and Entity Behaviour Analytics identify unusual access patterns, while automated alerts for impossible travel scenarios can catch attacks early. Legacy protocol management is often overlooked but critically important — disabling legacy authentication for protocols like IMAP and POP3, which cannot enforce MFA, eliminates common attack vectors.

Technical Controls to Implement:

  • Configure location-based conditional access policies
  • Enable device compliance requirements
  • Deploy risk-based authentication
  • Implement session time limits
  • Set up impossible travel alerts
  • Disable legacy authentication protocols (IMAP, POP3, SMTP Auth)
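As an added example (not code from the original post or from any vendor), the two detections the section above describes, run over constructed sign-in records: a burst of denied or timed-out MFA prompts for one user (the fatigue pattern), and successful sign-ins over legacy protocols that cannot enforce MFA. The field names and result labels are simplified assumptions, not the exact Microsoft sign-in log schema.

```python
# Added example: toy detections over constructed Entra-style sign-in records.
# Field layout (timestamp, user, result, client_app) is an assumption used
# for illustration, not the real sign-in log schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. "mfa_denied"/"mfa_timeout" stand for push prompts
# the user rejected or ignored; "success" is a completed sign-in.
SAMPLE_SIGNINS = [
    ("2024-11-04T02:01:00", "alice@example.nz", "mfa_denied", "Browser"),
    ("2024-11-04T02:01:40", "alice@example.nz", "mfa_timeout", "Browser"),
    ("2024-11-04T02:02:15", "alice@example.nz", "mfa_denied", "Browser"),
    ("2024-11-04T02:03:05", "alice@example.nz", "mfa_denied", "Browser"),
    ("2024-11-04T02:03:50", "alice@example.nz", "success", "Browser"),
    ("2024-11-04T09:15:00", "bob@example.nz", "mfa_denied", "Browser"),
    ("2024-11-04T09:30:00", "bob@example.nz", "success", "Browser"),
    ("2024-11-04T11:00:00", "carol@example.nz", "success", "IMAP4"),
]

# Client apps that use legacy (basic) authentication and so bypass MFA.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}

def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Flag users with >= threshold rejected/ignored MFA prompts inside `window`
    and note whether a success followed the burst (approval under fatigue)."""
    per_user = defaultdict(list)
    for ts, user, result, _ in sorted(events):  # ISO timestamps sort lexically
        per_user[user].append((datetime.fromisoformat(ts), result))
    alerts = {}
    for user, rows in per_user.items():
        prompts = [t for t, r in rows if r in ("mfa_denied", "mfa_timeout")]
        for i, start in enumerate(prompts):
            burst = [t for t in prompts[i:] if t - start <= window]
            if len(burst) >= threshold:
                end = burst[-1]
                approved = any(r == "success" and end <= t <= end + window
                               for t, r in rows)
                alerts[user] = {"prompts": len(burst),
                                "followed_by_success": approved}
                break
    return alerts

def detect_legacy_auth(events):
    """Successful sign-ins over legacy protocols, i.e. sessions MFA never covered."""
    return [(user, app) for _, user, result, app in events
            if result == "success" and app in LEGACY_CLIENTS]

if __name__ == "__main__":
    print(detect_mfa_fatigue(SAMPLE_SIGNINS))
    print(detect_legacy_auth(SAMPLE_SIGNINS))
```

In the sample data only alice shows the fatigue pattern (four prompts in two minutes, then a success), and carol's IMAP4 sign-in is the kind of session that disabling legacy authentication removes.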

Choosing the Right MFA Solution

The MFA landscape offers options with varying security levels, user experience, and cost. SMS and voice methods should be avoided due to low security. TOTP apps like Google Authenticator provide reasonable security but lack phishing resistance. Push notifications with number matching offer good security at low cost, making them a solid intermediate option.

FIDO2 security keys provide the highest security with excellent phishing resistance, though at medium cost. For enterprise solutions, Microsoft Entra ID integrates well with Microsoft 365, while Okta provides comprehensive identity platform capabilities. SME-friendly options include Google Workspace with built-in MFA and JumpCloud as a cloud directory service.

MFA Solution Recommendations:

  • Immediate: Enable number matching on existing push notifications
  • Short-term: Deploy FIDO2 security keys for admin accounts
  • Enterprise: Microsoft Entra ID or Okta for comprehensive features
  • SME: Google Workspace or JumpCloud for budget-friendly options
  • Avoid: SMS and voice-based authentication methods

New Zealand Compliance and Support

The NCSC Cyber Security Framework emphasises identity and access management controls in its “Protect” function. Different sectors have specific requirements — financial services follow RBNZ operational resilience requirements, healthcare adheres to Health Information Privacy Code, and education follows Tertiary Education Commission guidance recommending app-based MFA over SMS.

CERT NZ provides incident response support for MFA-related breaches, threat intelligence sharing, and security awareness resources. Industry partnerships through NZISF offer networking opportunities, while ISACA New Zealand provides governance guidance.

NZ Resources and Requirements:

  • Follow NCSC Cyber Security Framework guidance
  • Meet sector-specific requirements (RBNZ, Privacy Code, TEC)
  • Utilise CERT NZ incident response and threat intelligence
  • Engage with NZISF and ISACA for industry knowledge sharing

Testing and Professional Validation

Professional penetration testing can simulate MFA-fatigue attacks to test organisational defences. Social engineering assessments include phishing campaigns and vishing attacks, while technical testing validates MFA bypass resistance and identifies privilege escalation pathways. Red team exercises provide realistic testing against sophisticated attackers and can reveal gaps in both technical controls and human responses.

We recommend annual comprehensive penetration testing, phishing simulations, regular security awareness updates, and continuous monitoring activities. Working with experienced professionals helps ensure your MFA implementations can withstand real-world attacks.

Testing Program Recommendations:

  • Annual comprehensive penetration testing including identity controls
  • Phishing simulations
  • Regular security awareness training updates
  • Continuous monitoring and threat hunting
  • Professional red team exercises to test real-world defences

Taking Action

Start with an immediate audit of current MFA settings across all applications. Enable enhanced controls like number matching where available and communicate organisation-wide about MFA-fatigue attacks. Conduct focused security awareness training and review authentication policies. Looking ahead, implement FIDO2 security keys for high-privilege accounts and establish ongoing testing programs.

The key to effective defence lies in thoughtful combination of advanced authentication methods, comprehensive user education, and regular testing. New Zealand organisations that take a proactive approach will be best positioned to defend against current and future threats.

Need Help Securing Your Identity Infrastructure?

Cyberoptic Security specialises in helping New Zealand organisations strengthen their authentication systems and test their defences against real-world attack techniques and privilege escalation scenarios.

📞 Get in touch to schedule a consultation or book a comprehensive review of your identity security posture. Let’s work together to keep your organisation secure in an increasingly complex threat landscape.
