Multi-Factor Authentication Request Generation

Multi-factor authentication request generation is an attack technique in which an adversary abuses the MFA mechanism to send a target user large numbers of authentication requests, exploiting user fatigue or mis-taps to obtain access to the account. Unlike traditional credential theft, the technique acts directly on the interactive step of the authentication flow, combining social engineering with automated tooling to bypass verification. Defenders typically detect it by monitoring abnormal request frequency, sudden geolocation changes and device-fingerprint anomalies, and mitigate it with request rate limiting and risk-scoring models.

To defeat the ability of conventional detection to recognise concentrated request floods, attackers have developed multi-dimensional evasion techniques: distributed architectures that thin out behavioral density, geographic disguise that makes requests look more credible, and API protocol abuse that sidesteps signature-based detection. Malicious authentication requests are thereby buried within legitimate business interactions, forming a new class of authentication-bypass attacks with low anomaly and high obfuscation.

The core logic of existing MFA request generation evasion techniques centres on blending attack features into their context and hiding at the protocol layer. By building a network of distributed request nodes, the attacker breaks a high-intensity attack stream into low-frequency request sequences that match regional behavioral baselines, using the dynamic scheduling of a proxy pool to keep the request source drifting; geographic-proximity spoofing simulates location features precisely enough to erase the advantage that IP-reputation databases give traditional defences; API-chain hijacking breaches the protocol-compliance line, giving malicious requests the same cryptographic characteristics as traffic on the provider's allow list. What the three techniques have in common is that they escape the dimensions in which traditional behavioral detection operates: through multi-dimensional data forgery, protocol reverse engineering and abuse of encrypted channels, they construct attack traffic that carries the full profile of legitimate business activity, so that defences based on rule matching or single-dimension anomaly detection fail across the board.

The evolution of evasion techniques is forcing defences to move toward adaptive authentication: building dynamic risk-assessment models based on user behavioral profiles, strengthening the analysis of encrypted-traffic metadata, and establishing cross-provider sharing of anomalous MFA patterns so that distributed evasion attacks are met with coordinated defence.

ID: T1621
Sub-techniques: T1621.001, T1621.002, T1621.003
Tactic: Credential Access
Platforms: IaaS, Identity Provider, Linux, Office Suite, SaaS, Windows, macOS
Contributors: Arun Seelagan, CISA; Jon Sternstein, Stern Security; Obsidian Security; Pawel Partyka, Microsoft 365 Defender; Shanief Webb
Version: 1.2
Created: 01 April 2022
Last Modified: 14 October 2024

Evasion Effects

Effect Type Present
Signature Camouflage
Behavioral Transparency
Data Obscuration
Spatiotemporal Trace Dilution

Signature Camouflage

By reproducing the MFA service API's encryption protocol and digital-signature mechanism exactly, the attacker makes malicious requests identical to legitimate traffic in message structure, TLS fingerprint and similar features. Building the request environment on the official SDK and injecting a compliant device fingerprint hides the attack traffic at the protocol-feature level and evades detection systems based on message-signature analysis.

Data Obscuration

Authentication requests are carried over strong encryption such as TLS 1.3, hiding key attack parameters (such as the target account and device identifier). Because the malicious payload travels through the provider's standard encrypted channel, network-layer defences cannot identify attack intent with deep packet inspection and can only analyse it indirectly through traffic metadata.

Spatiotemporal Trace Dilution

A distributed node architecture breaks concentrated attack traffic into discrete request sequences spread across regions and long periods, holding each node's request rate below risk-control thresholds. Combined with a scheduling algorithm that dynamically adjusts the attack tempo of nodes worldwide, the anomalous features are diluted into background traffic across time zones, defeating detection models based on time-series analysis.

Procedure Examples

ID Name Description
G0016 APT29

APT29 has used repeated MFA requests to gain access to victim accounts.[1][2]

C0027 C0027

During C0027, Scattered Spider attempted to gain access by continuously sending MFA messages to the victim until they accepted the MFA push challenge.[3]

G1004 LAPSUS$

LAPSUS$ has spammed target users with MFA prompts in the hope that the legitimate user will grant necessary approval.[4]

G1015 Scattered Spider

Scattered Spider has used multifactor authentication (MFA) fatigue by sending repeated MFA authentication requests to targets.[5]

Mitigations

ID Mitigation Description
M1036 Account Use Policies

Enable account restrictions to prevent login attempts, and the subsequent 2FA/MFA service requests, from being initiated from suspicious locations or when the source of the login attempt does not match the location of the 2FA/MFA smart device. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[6]

M1032 Multi-factor Authentication

Implement more secure 2FA/MFA mechanisms in place of simple push or one-click 2FA/MFA options. For example, having users enter a one-time code shown on the login screen into the 2FA/MFA application (number matching), or using other out-of-band 2FA/MFA mechanisms such as hardware tokens that provide rotating codes and require an accompanying user PIN, may be more secure. Furthermore, change default configurations and implement limits on the maximum number of 2FA/MFA request prompts that can be sent to a user in a given period of time.[7]

M1017 User Training

Train users to only accept 2FA/MFA requests from login attempts they initiated, to review source location of the login attempt prompting the 2FA/MFA requests, and to report suspicious/unsolicited prompts.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor application logs for suspicious events, including repeated MFA failures, that may indicate a user's primary credentials have been compromised.

DS0028 Logon Session Logon Session Creation

Monitor 2FA/MFA application logs for suspicious events such as rapid login attempts with valid credentials.

Logon Session Metadata

Monitor 2FA/MFA application logs for suspicious events such as unusual login attempt source location, mismatch in location of login attempt and smart device approving 2FA/MFA request prompts.

DS0002 User Account User Account Authentication

Monitor user account logs for suspicious events: unusual login attempt source location, mismatch between the location of the login attempt and the smart device receiving 2FA/MFA request prompts, and a high volume of repeated login attempts, all of which may indicate that a user's primary credentials have been compromised and only the 2FA/MFA mechanism still stands in the way.

Analytic 1 - Anomalous IP addresses, unmanaged devices, unusual User Agents indicating automation tools or scripts, high failure rates

index="m365_audit_logs" Operation="UserLoginFailed" ErrorNumber="500121"
| stats count by ClientIP, UserId, DeviceProperties
| where ClientIP!="expected_ip" OR DeviceProperties!="expected_properties"
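As an added example (not part of the original page or the ATT&CK project's own analytics), the aggregation behind Analytic 1 and the DS0002 guidance implemented in Python over constructed Microsoft 365-style sign-in records: denials are counted per target user rather than per source IP, so the distributed low-rate pattern described under Spatiotemporal Trace Dilution is still caught, and a successful sign-in right after the burst is flagged as the fatigue outcome. The threshold, window and sample records are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry), shaped after the
# Microsoft 365 audit fields used in Analytic 1: timestamp, UserId, Operation,
# ErrorNumber, ClientIP. 500121 is the error code quoted in the analytic.
SAMPLE_EVENTS = [
    ("2024-10-14T08:00:05", "alice@example.com", "UserLoginFailed", "500121", "198.51.100.10"),
    ("2024-10-14T08:01:10", "alice@example.com", "UserLoginFailed", "500121", "198.51.100.22"),
    ("2024-10-14T08:02:30", "alice@example.com", "UserLoginFailed", "500121", "203.0.113.5"),
    ("2024-10-14T08:03:45", "alice@example.com", "UserLoginFailed", "500121", "203.0.113.77"),
    ("2024-10-14T08:05:00", "alice@example.com", "UserLoginFailed", "500121", "192.0.2.9"),
    ("2024-10-14T08:05:40", "alice@example.com", "UserLoggedIn", "", "192.0.2.9"),
    ("2024-10-14T08:10:00", "bob@example.com", "UserLoginFailed", "500121", "198.51.100.10"),
    ("2024-10-14T09:30:00", "bob@example.com", "UserLoginFailed", "500121", "198.51.100.10"),
]


def mfa_denial_bursts(events, threshold=4, window=timedelta(minutes=10)):
    """Flag users with >= threshold MFA denials (ErrorNumber 500121) inside one
    sliding window. Aggregation is per target user, not per source IP, so prompts
    spread over many low-rate sources are still counted together. Threshold and
    window are assumed tuning values; returns {UserId: {count, distinct_ips, ...}}."""
    by_user = defaultdict(list)
    for ts, user, op, err, ip in events:
        by_user[user].append((datetime.fromisoformat(ts), op, err, ip))

    alerts = {}
    for user, recs in by_user.items():
        recs.sort()
        denials = [(t, ip) for t, op, err, ip in recs
                   if op == "UserLoginFailed" and err == "500121"]
        for i, (start, _) in enumerate(denials):
            burst = [(t, ip) for t, ip in denials[i:] if t - start <= window]
            if len(burst) < threshold:
                continue
            end = burst[-1][0]
            per_ip = Counter(ip for _, ip in burst)  # max_per_ip shows what a per-IP rate limit sees
            # A successful sign-in shortly after the burst is the fatigue outcome
            # the technique aims for and should raise the alert's priority.
            approved = any(op == "UserLoggedIn" and end <= t <= end + window
                           for t, op, _, _ in recs)
            alerts[user] = {"count": len(burst), "distinct_ips": len(per_ip),
                            "max_per_ip": max(per_ip.values()),
                            "approved_after": approved}
            break
    return alerts
```

In the sample data alice receives five denials from five different sources in five minutes, so a per-IP threshold sees one failure per source and never fires, while the per-user aggregation does.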

References