Approve at Your Own Risk. MFA Fatigue Attacks Explained
Jim Leone
8/13/2025 | 2 min read
MFA Fatigue Attacks... When Your Security Becomes the Attack Vector
Multi-Factor Authentication (MFA) has become one of our strongest defenses against account takeover, but attackers have found a way to turn it into a weakness. This is the rise of the MFA fatigue attack (also called “MFA bombing” or “push notification spamming”).
We’ve recently seen these attacks in the wild, and they’re increasing in frequency.
What Is MFA Fatigue?
In an MFA fatigue attack, a cybercriminal who has stolen a user’s credentials bombards that user with repeated MFA push requests, often dozens or even hundreds, in a short time.
The goal is simple: wear down the target until they approve one, either by mistake or just to make the prompts stop.
How It Works
Credential Theft – Attackers obtain the username and password via phishing, password reuse, or breach data.
Continuous MFA Requests – Using those credentials, the attacker repeatedly triggers login attempts that generate MFA prompts.
User Overload – The victim is hit with a constant stream of push notifications on their phone, smartwatch, or authenticator app.
Accidental Approval – Out of frustration, confusion, or simply by reflex, the user taps “Approve”. That one tap completes the sign-in and hands the attacker an authenticated session, with everything that account can reach.
Why It Works
Human fatigue – Constant interruptions break down vigilance.
Disguise – The prompt looks identical to a legitimate one, because technically it is one: the identity provider really did receive the correct password. A user who is multitasking or distracted has no visual cue that anything is wrong.
Poor awareness – Many users aren’t trained to treat repeated MFA prompts as a red flag.
Some Real-World Examples I've Reviewed
Uber breach (2022) – After obtaining a contractor's credentials, the attacker flooded them with MFA push requests, then contacted them over WhatsApp posing as Uber IT support and persuaded them to accept one.
Microsoft 365 tenant compromises – Security teams have reported entire tenants being breached because one employee approved a spammed MFA request.
How to Defend Against MFA Fatigue Attacks
1. Implement Number Matching (or “Prompt Verification”)
Instead of just tapping “Approve,” the user must enter the number shown on the sign-in screen into the authenticator app (Microsoft Authenticator has enforced this for push approvals since May 2023; Okta Verify and Duo offer equivalent number-challenge modes). The number for an attacker's login attempt appears only on the attacker's screen, so a reflex tap can no longer complete it. Pair it with additional context in the prompt (the requesting app and sign-in location) so the user has a reason to deny. Know the limit, though: number matching stops blind approvals, not a phone call from “IT support” that reads the number to the user, which is exactly what happened at Uber.
2. Educate Users
Train staff to deny unexpected MFA prompts and immediately report them to security.
Make it clear that repeated prompts are a sign of an active attack.
3. Limit MFA Prompt Frequency
Configure your identity provider to cap how many push prompts a user can receive in a short window and to fail the sign-in, rather than send yet another push, once the cap is hit. Temporarily suspending push for that account is an acceptable cost: a burst of prompts means the password is already in an attacker's hands and has to be reset anyway.
4. Use Conditional Access Policies
Require MFA from new or risky locations and devices, but also use the policy to block what MFA alone cannot: require a compliant or managed device for sensitive applications, so a correct password typed from an attacker's machine never reaches the push prompt at all, and block legacy authentication protocols, which skip MFA entirely. For administrators, prefer phishing-resistant methods (FIDO2 security keys, passkeys); they have no “Approve” button to spam.
Block or alert on impossible travel scenarios.
5. Monitor & Alert on MFA Denials
Multiple denied or unanswered MFA prompts for one user in a short window should trigger an immediate investigation, and a successful sign-in that follows such a burst should be treated as a probable compromise: revoke the user's sessions, reset the password, and find out how it leaked.
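The throttle in section 3 and the alerting in section 5 both come down to the same primitive: a per-user sliding window of recent prompts. The following is an added example, not code from the original post or from any identity provider. It runs the detection over a constructed JSON-lines sign-in log; the field names and status strings (`"MFA denied; user declined the authentication"` and friends) are assumptions chosen to resemble Entra ID sign-in log entries, and you would map them to whatever your IdP actually emits. A burst of declined or ignored prompts raises a medium alert; an approval that lands while that burst is still inside the window is escalated to high, since that is the signature of a fatigue attack that worked.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Status strings and JSON field names are assumptions for this example; map them to
# whatever your identity provider really emits (Entra ID, Okta, Duo, ...).
DENIED = "MFA denied; user declined the authentication"
TIMEOUT = "MFA denied; user did not respond to mobile app notification"
APPROVED = "MFA completed"
FATIGUE_STATUSES = {DENIED, TIMEOUT}

# Constructed sample data (not real logs): six ignored/declined pushes for alice from one
# IP inside four minutes, then an approval from that same IP; bob declines one prompt;
# carol ignores two prompts spread over an hour, which is normal noise.
SAMPLE_EVENTS = [
    ("2025-08-13T08:00:00Z", "carol@example.com", "192.0.2.20", TIMEOUT),
    ("2025-08-13T08:50:00Z", "carol@example.com", "192.0.2.20", TIMEOUT),
    ("2025-08-13T09:00:05Z", "alice@example.com", "203.0.113.10", TIMEOUT),
    ("2025-08-13T09:00:40Z", "alice@example.com", "203.0.113.10", TIMEOUT),
    ("2025-08-13T09:01:20Z", "alice@example.com", "203.0.113.10", DENIED),
    ("2025-08-13T09:02:00Z", "alice@example.com", "203.0.113.10", TIMEOUT),
    ("2025-08-13T09:02:45Z", "alice@example.com", "203.0.113.10", DENIED),
    ("2025-08-13T09:03:30Z", "alice@example.com", "203.0.113.10", TIMEOUT),
    ("2025-08-13T09:04:10Z", "alice@example.com", "203.0.113.10", APPROVED),
    ("2025-08-13T09:05:00Z", "bob@example.com", "198.51.100.7", DENIED),
]
SAMPLE_LOGS = "\n".join(
    json.dumps(dict(zip(("time", "user", "ip", "status"), e))) for e in SAMPLE_EVENTS
)


def parse_events(text):
    """Parse JSON-lines sign-in records and return them sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["time"])
    return events


class PromptWindow:
    """Per-user sliding window of recent MFA prompts as (timestamp, source IP) pairs."""

    def __init__(self, window):
        self.window = window
        self.recent = defaultdict(deque)

    def record(self, user, ts, ip=None):
        """Add a prompt, evict anything older than the window, return the live count."""
        q = self.recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        return len(q)


def should_throttle(window, user, ts, max_prompts=3):
    """IdP-side throttle (section 3): True once the user has already been prompted
    max_prompts times inside the window, so the sign-in should fail closed instead
    of paging the user yet again."""
    return window.record(user, ts) > max_prompts


def simulate_throttle(offsets_seconds, max_prompts=3, window=timedelta(minutes=10)):
    """Feed one user prompts at the given offsets (seconds after 09:00) and return the
    throttle decision for each, which also shows the window expiring correctly."""
    w = PromptWindow(window)
    t0 = datetime(2025, 8, 13, 9, 0, 0)
    return [should_throttle(w, "alice@example.com", t0 + timedelta(seconds=s), max_prompts)
            for s in offsets_seconds]


def detect_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Detection (section 5): one alert per user whose declined or unanswered prompts
    reach threshold inside the window. An approval arriving while that burst is still
    in the window is escalated to high: the fatigue attack most likely succeeded."""
    tracker = PromptWindow(window)
    alerts = {}
    for ev in events:
        user, ts = ev["user"], ev["time"]
        if ev["status"] in FATIGUE_STATUSES:
            n = tracker.record(user, ts, ev["ip"])
            if n >= threshold:
                alert = alerts.setdefault(user, {"severity": "medium", "prompts": 0,
                                                 "ips": set(), "approved_at": None})
                alert["prompts"] = max(alert["prompts"], n)
                alert["ips"].update(ip for _, ip in tracker.recent[user])
        elif ev["status"] == APPROVED and user in alerts:
            recent = tracker.recent[user]
            if recent and ts - recent[-1][0] <= window:
                alerts[user]["severity"] = "high"
                alerts[user]["approved_at"] = ts.isoformat()
    return alerts


if __name__ == "__main__":
    for user, alert in detect_fatigue(parse_events(SAMPLE_LOGS)).items():
        print(user, alert)
    print(simulate_throttle([0, 30, 60, 90, 120, 1500]))
```

Run against the sample, only alice is flagged, at high severity with the attacker's IP attached, while bob's single decline and carol's two slow timeouts stay below threshold. The `should_throttle` call is what the IdP would consult before sending each push; the same window, fed from sign-in logs after the fact, is what the SOC alert runs on. Tune `threshold` and `window` to your own baseline of declined prompts before wiring it to a pager.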
MFA is still one of the best defenses we have, but it’s not bulletproof. Like every security control, it needs proper configuration, user training, and ongoing monitoring to be effective.
Attackers know we trust MFA. Our job is to make sure that trust isn’t misplaced.