You set up Multi-Factor Authentication (MFA) because you were told it’s the single best way to stop hackers. And it is — most of the time. But attackers have found a simple, low-tech way around it, and it doesn’t involve breaking any code. It involves breaking your patience.
It’s called an MFA Fatigue Attack (also known as MFA Bombing or Push Bombing) — and it’s one of the fastest-growing causes of account takeovers today.
What Is an MFA Fatigue Attack?
MFA fatigue doesn’t target your systems. It targets you.
Here’s the typical sequence:
- Attacker steals your password — through phishing, a data breach, or the dark web. Your password alone isn’t enough because MFA is enabled.
- Attacker tries logging in — repeatedly. Each attempt sends you a real MFA push notification: “Approve this sign-in?”
- Your phone buzzes. Again. And again. Sometimes 10 times. Sometimes 100 times, in the middle of the night.
- You eventually tap “Approve” — not because you’re careless, but because you’re human, tired, confused, or just want the notifications to stop.
- The attacker is in. No password cracking, no malware, no exploit — just persistence.
This isn’t a hypothetical. High-profile breaches at Uber and Cisco both started this way — an employee approved one prompt out of sheer exhaustion, and attackers walked straight into corporate systems.
Why It Works So Well
MFA fatigue attacks are popular with hackers precisely because they’re unsophisticated:
- No advanced hacking skills needed — just stolen credentials and a script that retries logins.
- It exploits psychology, not technology — humans are wired to make mistakes under repeated pressure or irritation.
- Some attackers add a social engineering twist — calling or messaging the victim pretending to be “IT Support,” saying the prompts are part of routine maintenance and asking them to just approve it.
Security researchers tracking this trend have recorded hundreds of thousands of these attempts in a single year across enterprise environments — and it only takes one approved prompt for an attacker to get in.
Warning Signs You’re Being Targeted
Watch out for:
- MFA prompts appearing when you did not try to log in
- Multiple prompts arriving back-to-back, especially at odd hours
- A message or call from someone claiming to be “IT” asking you to approve a pending request
- Prompts continuing even after you deny several of them
Golden rule: If you didn’t request it, don’t approve it — deny it and report it immediately.
How to Stop MFA Fatigue Attacks
For Individuals
- Never approve a prompt you didn’t trigger. Deny it, and change your password right away.
- Never trust “IT” contacting you out of the blue about an MFA request — verify through official channels first.
For Businesses (What Your IT Team Should Set Up)
- Switch on Number Matching — instead of a simple “Approve/Deny” tap, users must enter a number shown on their login screen. This alone blocks most fatigue attacks.
- Enable Conditional Access / Risk-Based Sign-In Policies — automatically block or challenge logins from unusual locations, devices, or times.
- Limit prompt frequency — cap how many MFA requests a user can receive in a short window, so attackers can’t flood them.
- Move critical/admin accounts to phishing-resistant MFA — like hardware security keys (YubiKey) or Windows Hello for Business, instead of simple push notifications.
- Monitor sign-in logs — a burst of failed sign-in attempts (denied or ignored MFA prompts) followed by a single success is a red flag your security team should catch automatically, not discover after the fact.
- Train your team — a two-minute explanation of what MFA fatigue looks like is often enough to stop an entire attack.
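Detection logic for the log pattern described in the "Monitor sign-in logs" item, as an added example that is not part of the original post: it scans constructed sign-in records (not taken from any real tenant) for users who received several denied or unanswered push prompts inside a short window, and flags whether an approval followed. The record layout, field values, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from any real tenant). Each record is
# (timestamp, user, push_result). "denied"/"timeout" are push prompts the user
# rejected or ignored; "approved" means the user accepted the prompt.
SAMPLE_EVENTS = [
    ("2024-03-12T02:11:04", "alice@example.com", "denied"),
    ("2024-03-12T02:11:31", "alice@example.com", "timeout"),
    ("2024-03-12T02:12:02", "alice@example.com", "denied"),
    ("2024-03-12T02:12:40", "alice@example.com", "denied"),
    ("2024-03-12T02:13:15", "alice@example.com", "denied"),
    ("2024-03-12T02:14:50", "alice@example.com", "approved"),  # fatigue succeeded
    ("2024-03-12T09:00:12", "bob@example.com", "approved"),    # normal morning login
    ("2024-03-12T09:30:44", "bob@example.com", "denied"),      # one stray denial
    ("2024-03-12T09:31:10", "bob@example.com", "approved"),
    ("2024-03-12T22:05:00", "carol@example.com", "denied"),    # flood, user held firm
    ("2024-03-12T22:05:20", "carol@example.com", "denied"),
    ("2024-03-12T22:06:00", "carol@example.com", "denied"),
    ("2024-03-12T22:07:00", "carol@example.com", "denied"),
]


def detect_push_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Return one alert per user whose unapproved push prompts (denied or timed
    out) reach `threshold` inside `window`. `approved_after` is True when an
    approval lands inside the same window after the burst, i.e. the account
    should be treated as compromised rather than merely harassed."""
    per_user = defaultdict(list)
    for ts, user, result in sorted(events):  # ISO timestamps sort as strings
        per_user[user].append((datetime.fromisoformat(ts), result))

    alerts = []
    for user, entries in per_user.items():
        bad = [ts for ts, r in entries if r in ("denied", "timeout")]
        for i, start in enumerate(bad):
            burst = [t for t in bad[i:] if t - start <= window]
            if len(burst) < threshold:
                continue
            approved_after = any(
                r == "approved" and burst[-1] <= ts <= start + window
                for ts, r in entries
            )
            alerts.append({"user": user, "first_prompt": start.isoformat(),
                           "prompts": len(burst), "approved_after": approved_after})
            break  # one alert per user is enough to page the on-call analyst
    return alerts
```

An `approved_after` alert is the "one success after many failures" case; an alert without it still means the password is known to someone else and should trigger a reset.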
The Bottom Line
MFA is still essential — it stops the vast majority of attacks. But it isn’t invincible when attackers target human patience instead of technical weaknesses. The fix isn’t to ditch MFA; it’s to make it smarter — number matching, risk-based access, phishing-resistant methods, and a team that knows to deny first and ask questions later.
Urban Essencia helps businesses configure Microsoft 365 and cloud environments with security settings that actually hold up against real-world attacks. If you’re not sure whether your MFA setup is vulnerable to fatigue attacks, get in touch — we’ll check it for you.