What To Do When Receiving Unprompted MFA OTP Codes

Cyber Threat Summary:
This article highlights common methods cybercriminals use to bypass multi-factor authentication, and specifically what it means when you receive an unprompted one-time passcode (OTP). Receiving an OTP by email or text that you did not request should be a cause for concern, as it likely means your credentials have been stolen.

These stolen credentials are often obtained via phishing attacks, credential stuffing attacks, social engineering, or information-stealing malware. The stolen credentials are then used to breach corporate networks for data theft, espionage, and ransomware attacks, or to conduct financial fraud against consumers' online retail accounts.

Many of these stolen credentials are placed for sale on dark web marketplaces, where other threat actors can buy account access to carry out various forms of financial fraud and theft. As more services offer and require multi-factor authentication, cybercriminals have turned to various methods to bypass this additional protection.

Security Officer Comments:
The author of the article focuses on a friend and a family member who each received an unprompted MFA OTP of the kind required to log into their accounts. In both cases, the victims had not attempted to log into the service and received the OTP unexpectedly. This meant that someone had obtained their credentials but still needed the multi-factor code to complete the login.

If you receive an unprompted MFA code, you should immediately assume your credentials have been stolen. Avoid links in emails and text messages, as these are typically used to trick you into handing over the OTP so the attacker can access your account. Instead, log into the service that sent the unprompted OTP directly (by typing its address or using its official app) and change your password manually. This should remove the threat actor's access to the account and stop further unprompted codes.

Password reuse, while risky, is a common practice. The password on any other account that shares the same password should also be changed, as threat actors may try the same password across different and common services.

We often see an uptick in this activity during the holiday season.

Suggested Correction(s):
Just because an account is protected by MFA does not automatically make it safe. Usernames and passwords are commonly stolen, and threat actors will continue to use techniques to trick the victim into disclosing their OTP in order to breach accounts.

SMS- and email-based MFA codes are better than having nothing protecting the account, but there are known techniques to bypass these solutions. If a site or service supports authentication apps, hardware security keys, or passkeys, you should use one of these options instead, as they require attackers to have access to your device to pass the multi-factor authentication challenge.