In addition to our recent article about the need for increased vigilance from everyone regarding cybersecurity (Geopolitical Tensions and Cybersecurity), the IT Division wants to draw your attention to the specific risk of accepting MFA requests that you did not initiate. If your account credentials have been compromised through a data breach or phishing attack, MFA is the only thing protecting your account from being used by the attacker. Accepting MFA requests that you did not initiate is the biggest threat to that protection.

There have been several recent incidences in higher education around this very threat. In one case the attacker was persistently trying to access an account where the password had been compromised. After repeatedly denying the MFA requests the user finally accepted one and that led to a wide scale cyberattack against the institution. In another case the attacker was using a new twist on the old job scam. They posed as a professor needing personal services and said that they would put the tasks on the student’s calendar in Canvas. They asked for the student’s credentials and told them to be sure and accept the MFA request. These are some of the commonly used tactics for fraudulent MFA attacks:

  • Sending multiple MFA requests and hoping the target finally accepts one to stop the noise.
  • Sending one or two prompts per day.  This method often attracts less attention, but there is still a good chance the target will accept the MFA request.
  • Calling the target, pretending to be a member of the University’s IT staff, and telling the target they need to send an MFA request as part of an organization process.

If you are receiving MFA requests that you did not initiate, please report them as fraudulent via the Microsoft Authenticator app on your phone or report the attempts to the IT Help Desk. Also, if you receive an MFA Request you did not initiate it is highly recommended that you change your password to a previously unused password.