
What is Multi-Factor Authentication Takeover?

MFA Takeover includes MFA Request Generation (fatigue attacks) and MFA Interception. Both methods enable fraudsters to bypass multi-factor authentication without revealing the victim's password.

Arsen Team
3 minutes read

Multi-Factor Authentication Takeover appears under Initial Access in the MITRE F3 Framework. It describes two distinct approaches fraud actors use to defeat MFA, neither of which requires knowing the victim's actual password.

Sub-techniques

| Sub-technique | Method | Target psychology |
|---|---|---|
| MFA Request Generation (MFA Fatigue) | Bombarding the victim with repeated push notifications until they approve | Frustration, confusion, desire for the notifications to stop |
| MFA Interception | Capturing OTPs, push approvals, or hardware token codes in transit | No psychological component, pure technical interception |

How does MFA fatigue work?

The attacker already has the victim's password (typically from phishing or a data breach). They repeatedly trigger the MFA prompt (sometimes dozens of times) until the victim approves by mistake, out of frustration, or because they assume it is a technical glitch.

Social engineering is sometimes layered on top: the attacker calls the victim (a vishing call) posing as IT support, claiming to be sending a verification request and asking the victim to "confirm" it.
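The pattern above (many push prompts to one account in a short window, then an approval) is what a detection rule should key on. The following is an added example from the editor, not code from Arsen or the MITRE F3 project. It assumes a hypothetical JSON-lines authentication log with `ts`, `user`, `event` and `src` fields (the sample lines are constructed), and flags two things: a burst of push prompts reaching a threshold inside a sliding window, and, with higher severity, an approval that arrives while such a burst is active.

```python
"""Detect MFA push-fatigue bursts in authentication logs (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format: one JSON object per line.
# alice receives six pushes in under four minutes, denies five, approves the
# sixth; bob gets a single push and approves it normally.
SAMPLE_LOG = """
{"ts": "2024-03-01T08:00:00Z", "user": "alice", "event": "mfa_push_sent", "src": "203.0.113.7"}
{"ts": "2024-03-01T08:00:20Z", "user": "alice", "event": "mfa_push_denied", "src": "203.0.113.7"}
{"ts": "2024-03-01T08:00:30Z", "user": "alice", "event": "mfa_push_sent", "src": "203.0.113.7"}
{"ts": "2024-03-01T08:00:50Z", "user": "alice", "event": "mfa_push_denied", "src": "203.0.113.7"}
{"ts": "2024-03-01T08:01:00Z", "user": "alice", "event": "mfa_push_sent", "src": "203.0.113.7"}
{"ts": "2024-03-01T08:01:30Z", "user": "alice", "event": "mfa_push_denied", "src": "203.0.113.7"}
{"ts": "2024-03-01T08:02:00Z", "user": "alice", "event": "mfa_push_sent", "src": "203.0.113.7"}
{"ts": "2024-03-01T08:02:10Z", "user": "alice", "event": "mfa_push_denied", "src": "203.0.113.7"}
{"ts": "2024-03-01T08:02:40Z", "user": "alice", "event": "mfa_push_sent", "src": "203.0.113.7"}
{"ts": "2024-03-01T08:03:00Z", "user": "alice", "event": "mfa_push_denied", "src": "203.0.113.7"}
{"ts": "2024-03-01T08:03:30Z", "user": "alice", "event": "mfa_push_sent", "src": "203.0.113.7"}
{"ts": "2024-03-01T08:03:40Z", "user": "alice", "event": "mfa_push_approved", "src": "203.0.113.7"}
{"ts": "2024-03-01T08:05:00Z", "user": "bob", "event": "mfa_push_sent", "src": "198.51.100.9"}
{"ts": "2024-03-01T08:05:10Z", "user": "bob", "event": "mfa_push_approved", "src": "198.51.100.9"}
"""

WINDOW = timedelta(minutes=10)   # assumed tuning values; adjust to your baseline
THRESHOLD = 5                    # prompts per user per window that count as a burst


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(log_text: str, window: timedelta = WINDOW, threshold: int = THRESHOLD) -> list:
    """Return alerts for push bursts and for approvals made during a burst."""
    events = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])              # same timestamp format, so string sort is chronological
    recent = defaultdict(deque)                     # user -> timestamps of pushes sent inside the window
    alerts = []
    for ev in events:
        ts = parse_ts(ev["ts"])
        sent = recent[ev["user"]]
        while sent and ts - sent[0] > window:        # drop prompts that fell out of the window
            sent.popleft()
        if ev["event"] == "mfa_push_sent":
            sent.append(ts)
            if len(sent) == threshold:              # fire once when the burst threshold is reached
                alerts.append({"kind": "mfa_fatigue_burst", "severity": "medium",
                               "user": ev["user"], "src": ev["src"], "prompts": len(sent), "ts": ev["ts"]})
        elif ev["event"] == "mfa_push_approved" and len(sent) >= threshold:
            # The dangerous outcome: the victim gave in during the bombardment.
            alerts.append({"kind": "approval_after_burst", "severity": "high",
                           "user": ev["user"], "src": ev["src"], "prompts": len(sent), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

Running it yields a medium-severity burst alert for `alice` at the fifth prompt and a high-severity `approval_after_burst` alert at 08:03:40, while `bob` produces nothing. In a production rule the `approval_after_burst` case is the one to route to the responder immediately, since at that point the account should be treated as compromised until the session is revoked and the user is contacted.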

How does MFA interception work?

Interception methods include:

  • SMS OTP capture via SS7 vulnerabilities or SIM swapping
  • Push notification relay via Adversary-in-the-Middle proxies
  • Hardware token cloning
  • Exploitation of backup recovery codes obtained through phishing
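The second interception method, relaying prompts through an Adversary-in-the-Middle proxy, is exactly the one that phishing-resistant MFA is designed to defeat: a FIDO2/WebAuthn assertion is bound to the origin the browser was actually talking to and to the relying party's ID, so a response collected on a look-alike domain does not verify at the real site. The block below is an added example by the editor, not code from Arsen or MITRE F3. It implements the relying-party side checks on `clientDataJSON` (type, challenge, origin) and on the `rpIdHash` in `authenticatorData`; signature verification over `authenticatorData || SHA-256(clientDataJSON)` is part of the real ceremony but is left out to keep the example free of third-party dependencies. The relying-party ID, the look-alike domain and the challenge bytes are constructed placeholders.

```python
"""Relying-party origin and RP ID binding checks for a WebAuthn assertion (added example)."""
import base64
import hashlib
import json
import struct

RP_ID = "bank.example"                       # constructed relying-party ID
ALLOWED_ORIGINS = {"https://bank.example"}   # origins this RP accepts assertions from
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; use os.urandom(32) per login


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> bytes:
    # Constructed stand-in for what the browser produces. The browser fills in
    # the origin itself; neither the page nor a proxy in front of it can change
    # that field without breaking the signature the authenticator computes.
    return json.dumps({"type": typ, "challenge": b64url_encode(challenge), "origin": origin}).encode()


def make_authenticator_data(rp_id: str, counter: int = 1, flags: int = 0x01) -> bytes:
    # Layout: rpIdHash (32 bytes) || flags (1 byte, 0x01 = user present) || signCount (4 bytes, big-endian)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def verify_client_data(client_data_json: bytes, expected_challenge: bytes, allowed_origins=ALLOWED_ORIGINS):
    """Return (ok, reason) for the clientDataJSON half of the assertion."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in allowed_origins:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    return True, "ok"


def verify_rp_id_hash(authenticator_data: bytes, rp_id: str = RP_ID) -> bool:
    """The first 32 bytes of authenticatorData must be SHA-256 of the RP ID we expect."""
    return len(authenticator_data) >= 37 and authenticator_data[:32] == hashlib.sha256(rp_id.encode()).digest()


def demo() -> dict:
    legit = make_client_data("https://bank.example", CHALLENGE)
    # A victim whose browser sat on a proxy's look-alike domain (constructed name) would
    # produce clientDataJSON carrying that origin, which the real RP rejects.
    relayed = make_client_data("https://bank-example.test", CHALLENGE)
    return {
        "legit": verify_client_data(legit, CHALLENGE),
        "relayed": verify_client_data(relayed, CHALLENGE),
        "rp_hash_ok": verify_rp_id_hash(make_authenticator_data("bank.example")),
        "rp_hash_proxy": verify_rp_id_hash(make_authenticator_data("bank-example.test")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In practice the browser refuses to run the ceremony at all when the requested RP ID is not a registrable suffix of the page's origin, so the relay usually fails before any assertion exists; the checks shown here are the relying party's backstop, and they are also why an OTP or push approval, which carries no origin, can be relayed while a passkey cannot.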

Key takeaways

  • MFA Takeover covers two sub-techniques in MITRE F3: fatigue (bombardment) and interception.
  • MFA fatigue exploits user frustration; no technical bypass is required.
  • Vishing is frequently combined with MFA fatigue to add a social engineering layer.
  • Phishing-resistant MFA (FIDO2, passkeys) is the primary technical countermeasure to both sub-techniques.
  • Employees need specific training to recognise MFA fatigue attacks and never approve unexpected prompts.

What is MITRE Fight Fraud Framework™ (F3)?

The MITRE Fight Fraud Framework (F3) is a curated knowledge base of tactics, techniques, and sub-techniques used by fraud actors in cyber-based financial fraud incidents. Developed by MITRE's Center for Threat-Informed Defense in collaboration with FS-ISAC, JPMorganChase, and Lloyds Banking Group, it provides a common language for fraud-fusion teams to describe, detect, and prevent financial fraud. F3 is modeled after MITRE ATT&CK® and focuses on banking institutions as its initial scope.


Frequently Asked Questions

An attacker who already has a victim's password repeatedly triggers the MFA push notification until the victim approves it out of frustration or confusion. It requires no technical bypass; only persistence and a previously stolen password.

The attacker calls the victim during the fatigue bombardment, impersonating IT support and claiming the notifications are a system verification. They ask the victim to "confirm" the pending request. This hybrid of vishing and MFA fatigue was seen in major 2023-2024 incidents.

Phishing-resistant MFA (FIDO2 hardware tokens or passkeys) eliminates both fatigue and interception attacks because the authentication is bound to the originating device and domain. Training employees to never approve unsolicited MFA prompts is a critical complementary control.

It is an Initial Access technique with two sub-techniques: MFA Request Generation (fatigue attacks) and MFA Interception. Both allow fraud actors to bypass MFA without knowing the victim's password.
