Emerging Threats
MFA Fatigue Attacks: How Hackers Are Bypassing Your 'Unbreakable' Two-Factor Authentication

You enabled multifactor authentication. You told your team they were protected. You checked the box.
Then an attacker sent 87 MFA push notifications to your CFO at 2 a.m. — and she tapped "Approve" just to make it stop.
Welcome to MFA fatigue attacks: the social engineering technique that doesn't break your security technology at all. It breaks your people instead. And it's behind some of the most devastating corporate breaches of the past three years.
What Is an MFA Fatigue Attack?
An MFA fatigue attack — also called MFA push bombing or MFA spamming — is a remarkably simple technique. An attacker who has already obtained a victim's username and password (often through a prior phishing campaign or credential-stuffing breach) repeatedly triggers MFA push notification requests to the victim's phone or authenticator app.
The goal isn't to crack the code. It's to wear the victim down until they approve one of the requests — either out of confusion, exhaustion, or simply to silence the constant buzzing. Once they do, the attacker walks straight in.
This is MFA fatigue in its purest form: not a technical exploit, but a psychological one.
Real Breaches That Started With a Single "Approve" Tap
MFA fatigue isn't a theoretical threat. It's already rewritten the incident reports at some of the world's most recognizable companies.
Uber (2022)
In September 2022, an 18-year-old attacker gained access to Uber's internal systems by purchasing stolen credentials on the dark web, then bombarding an Uber contractor with MFA push notifications for over an hour. When the contractor didn't respond, the attacker messaged them on WhatsApp, claimed to be from Uber's IT support team, and told them the requests were legitimate. The contractor tapped "Approve" — and the attacker gained full access to Uber's internal network, including source code repositories, cloud environments, and sensitive security tooling.
The total damage? Immeasurable reputational harm, regulatory scrutiny, and a brutal reminder that even a technically sophisticated security team can be undone by one tired employee and a convincing lie.
Cisco (2022)
That same year, attackers gained initial access to Cisco's corporate environment through a compromised employee's personal Google account, which had synced saved credentials. After obtaining those credentials, they launched a relentless MFA push bombing campaign against the employee. After multiple failed attempts and some clever vishing (voice phishing) calls impersonating Cisco IT support, the employee eventually accepted a push notification. Attackers then moved laterally through Cisco's systems, exfiltrating data from a file-sharing platform.
Microsoft (2022 and 2023)
The 2023 Microsoft incident usually cited here is Storm-0558, in which the actor forged Exchange Online and Outlook.com authentication tokens using a stolen consumer (MSA) signing key. That intrusion did not involve push bombing at all, and lumping it in with MFA fatigue muddles the lesson. Where Microsoft's own threat intelligence did document the technique was its 2022 reporting on DEV-0537, the Lapsus$ crew that Uber later linked to its own breach: Microsoft described the group spamming a target with MFA prompts until the user finally accepted. The lesson holds either way: even the vendor of your identity platform isn't immune, and push-based MFA is only as strong as the next prompt.
Why MFA Fatigue Works So Devastatingly Well
Most security professionals assume that MFA is a near-impenetrable second layer of defense. And for automated, technical attacks — credential stuffing bots, brute force tools — it is. But MFA fatigue sidesteps the technology entirely and attacks human behavior.
Here's why it's so effective:
Volume creates urgency. When a phone buzzes 50 times in 20 minutes, the human brain registers an emergency. Employees assume something must be wrong with the system and act to resolve it — often by approving the request.
Timing is weaponized. Attackers deliberately strike at 11 p.m., 4 a.m., or during high-stress periods like Monday mornings. Sleep-deprived, stressed employees have lower resistance to social pressure.
The accompanying vishing call seals the deal. Sophisticated attackers follow up with a phone call impersonating IT support: "Hi, this is Mike from the helpdesk. We're seeing some unusual activity on your account. Just approve that prompt so we can verify it's you." The employee, now confused and reassured at the same time, complies.
Approval feels harmless. Unlike clicking a link in a phishing email (which many employees now recognize as risky), tapping "Approve" on a phone notification feels routine and low-stakes. The implicit trust in push notifications is the weapon.
The Anatomy of an MFA Fatigue Attack: Step by Step
Understanding how these attacks unfold is the first step to stopping them. Here's a typical attack chain:
- Credential acquisition. The attacker purchases or obtains the target's email and password from a dark web marketplace, credential dump, or prior phishing attack.
- Reconnaissance. The attacker identifies the MFA method in use. Push notification apps (Microsoft Authenticator, Duo, Okta Verify) are the primary targets. Hardware tokens and passkeys are largely immune.
- Push bombardment. The attacker begins triggering authentication attempts continuously. Each attempt sends a push notification to the victim's enrolled device.
- Social engineering escalation. If the victim doesn't approve after the initial wave, the attacker may follow up via WhatsApp, text, email, or phone, impersonating IT support and applying additional pressure.
- Access and lateral movement. The moment the victim approves one notification, the attacker has authenticated access. From there, they pivot to internal systems, escalate privileges, and move quickly before anyone notices.
The entire sequence can take under two hours.
How to Defend Against MFA Fatigue Attacks
1. Switch to Phishing-Resistant MFA Methods
Push notification-based MFA is the primary target of fatigue attacks. Where possible, migrate to:
- FIDO2 / passkeys: platform or roaming authenticators (a YubiKey, Windows Hello, Touch ID or Face ID passkeys) whose key pair is bound to the site's origin. There is no prompt for an attacker to trigger, so there is nothing to bomb, and the origin binding also defeats adversary-in-the-middle phishing.
- Certificate-based authentication: similarly immune to remote prompting.
- Number matching (Microsoft Authenticator, Duo Verified Push): the login screen shows a number that the employee must type into the app. The number appears only where the sign-in was started, so a victim who did not start it has nothing to enter, and a reflexive tap on "Approve" no longer lets anyone in. Two caveats: an attacker who is already on a vishing call can simply read the number to the victim, and number matching does nothing against session theft by an AiTM proxy. It is a strong mitigation for fatigue, not phishing-resistant MFA in its own right.
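To make the difference concrete, here is an added illustration (not code from this page, nor any vendor's implementation) of the server side of a push flow with and without number matching. PushVerifier, its method names, the two-digit challenge and the three-wrong-entries lockout are all assumptions for this example. It runs the same attack three ways: a plain Approve tap, a blind tap against number matching, and number matching after the attacker has read the number to the victim over the phone.

```python
import secrets
from dataclasses import dataclass
from typing import Callable

# Hypothetical model of a number-matching push flow (added illustration,
# not Microsoft's, Duo's or Okta's code). Names are assumptions.

MAX_WRONG_ENTRIES = 3          # assumed policy: three wrong numbers kill the request


@dataclass
class PendingRequest:
    user: str
    number: int                 # displayed only on the screen that started the sign-in
    wrong_entries: int = 0
    state: str = "pending"      # pending | approved | locked


class PushVerifier:
    """Server side of a push-MFA flow, with and without number matching."""

    def __init__(self, number_source: Callable[[], int] = lambda: secrets.randbelow(100)):
        self._number_source = number_source          # two-digit challenge by default
        self._requests = {}                          # request_id -> PendingRequest

    def start_signin(self, user: str) -> tuple:
        """Called by the login page. Returns the request ID and the number the page
        must display. The push sent to the phone never carries the number."""
        request_id = secrets.token_hex(8)
        request = PendingRequest(user, self._number_source())
        self._requests[request_id] = request
        return request_id, request.number

    def push_payload(self, request_id: str) -> dict:
        """What the authenticator app receives: identifiers only."""
        return {"request_id": request_id, "user": self._requests[request_id].user}

    def approve_legacy(self, request_id: str) -> str:
        """Plain Approve button: any tap accepts. This is the surface fatigue attacks abuse."""
        req = self._requests[request_id]
        if req.state == "pending":
            req.state = "approved"
        return req.state

    def approve_with_number(self, request_id: str, entered: int) -> str:
        """Number matching: the tap counts only if the entered number equals the one
        shown on the initiating screen. Wrong entries are counted and then locked out."""
        req = self._requests[request_id]
        if req.state != "pending":
            return req.state
        if entered == req.number:
            req.state = "approved"
        else:
            req.wrong_entries += 1
            if req.wrong_entries >= MAX_WRONG_ENTRIES:
                req.state = "locked"                 # stop guessing; this should also alert
        return req.state


def scenario_legacy(verifier: PushVerifier) -> str:
    """Attacker starts a sign-in; the worn-down victim taps Approve."""
    request_id, _ = verifier.start_signin("cfo@example.com")
    return verifier.approve_legacy(request_id)


def scenario_number_match_blind(verifier: PushVerifier) -> str:
    """Same attack against number matching. The number is on the attacker's screen,
    not in the victim's push, so the victim can only guess."""
    request_id, _number_on_attacker_screen = verifier.start_signin("cfo@example.com")
    assert "number" not in verifier.push_payload(request_id)
    state = "pending"
    for guess in (17, 42, 88):                       # each guess has a 1-in-100 chance
        state = verifier.approve_with_number(request_id, guess)
        if state != "pending":
            break
    return state


def scenario_number_match_vished(verifier: PushVerifier) -> str:
    """The caveat: an attacker on a vishing call reads the number to the victim."""
    request_id, number_on_attacker_screen = verifier.start_signin("cfo@example.com")
    return verifier.approve_with_number(request_id, number_on_attacker_screen)


if __name__ == "__main__":
    v = PushVerifier()
    print("legacy push, blind approve:  ", scenario_legacy(v))
    print("number match, blind guesses: ", scenario_number_match_blind(v))
    print("number match, number vished: ", scenario_number_match_vished(v))
```

The lockout after repeated wrong entries matters as much as the number itself: without it, the attacker can keep the request alive while a vished victim tries values, and the wrong entries are a signal worth alerting on in their own right.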
2. Enable Additional Context in Push Notifications
Modern MFA apps allow you to display extra information with each push: the geographic location of the login attempt, the device type, and the application being accessed. Employees should be trained to scrutinize this information. If the push shows a login from Romania and the employee is sitting in Chicago, they should deny and report immediately. Keep in mind that the location is derived from the IP address of the attempt, so it is a hint rather than proof: a VPN or mobile carrier can place a legitimate user in the wrong city, and an attacker can route through a proxy near the victim. Context helps employees spot a fake, but the rule stays the same: deny anything you did not initiate.
3. Limit Push Notification Rate
Configure your MFA platform to throttle pushes, and to lock the account or stop sending prompts, after a set number of denied or unanswered push attempts in a short window. Most enterprise MFA platforms (Okta, Microsoft Entra ID, Duo) support lockout policies natively, but check your tenant: thresholds are often generous or left off by default. The same counter should also raise an alert to your security team, because a burst of unanswered pushes means the password is already in an attacker's hands, and an approval that follows such a burst should be treated as a compromise.
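As an added example of the detection side of this control (not code from this page or from any MFA vendor), the following script runs a per-user sliding window over sign-in events. The log lines are constructed for the example and only loosely modelled on the fields a sign-in log exports; the field names, the 10-minute window and the threshold of five are assumptions to tune against your own baseline.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, loosely modelled on sign-in log fields (assumed names,
# not any vendor's exact schema). cfo@ shows a 2 a.m. bombing run from one
# address ending in an approval; alice@ is a benign timeout then retry;
# bob@ denies two prompts and stays under the threshold.
SAMPLE_LOG = """
{"time": "2024-03-04T02:01:10Z", "user": "cfo@example.com",   "ip": "203.0.113.7",   "mfa_result": "push_timeout"}
{"time": "2024-03-04T02:02:05Z", "user": "cfo@example.com",   "ip": "203.0.113.7",   "mfa_result": "push_timeout"}
{"time": "2024-03-04T02:03:00Z", "user": "cfo@example.com",   "ip": "203.0.113.7",   "mfa_result": "push_denied"}
{"time": "2024-03-04T02:03:40Z", "user": "cfo@example.com",   "ip": "203.0.113.7",   "mfa_result": "push_timeout"}
{"time": "2024-03-04T02:04:30Z", "user": "cfo@example.com",   "ip": "203.0.113.7",   "mfa_result": "push_timeout"}
{"time": "2024-03-04T02:06:15Z", "user": "cfo@example.com",   "ip": "203.0.113.7",   "mfa_result": "push_denied"}
{"time": "2024-03-04T02:09:02Z", "user": "cfo@example.com",   "ip": "203.0.113.7",   "mfa_result": "push_approved"}
{"time": "2024-03-04T09:15:00Z", "user": "alice@example.com", "ip": "198.51.100.20", "mfa_result": "push_timeout"}
{"time": "2024-03-04T09:16:10Z", "user": "alice@example.com", "ip": "198.51.100.20", "mfa_result": "push_approved"}
{"time": "2024-03-04T11:00:00Z", "user": "bob@example.com",   "ip": "198.51.100.21", "mfa_result": "push_denied"}
{"time": "2024-03-04T11:00:30Z", "user": "bob@example.com",   "ip": "198.51.100.21", "mfa_result": "push_denied"}
"""

WINDOW = timedelta(minutes=10)   # assumed tuning values; adjust to your tenant's baseline
THRESHOLD = 5
UNANSWERED = {"push_timeout", "push_denied", "number_mismatch"}


def parse_events(raw: str) -> list:
    """One JSON object per line; returns the events sorted by time."""
    events = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def detect_push_bombing(events: list, window: timedelta = WINDOW,
                        threshold: int = THRESHOLD) -> list:
    """Per-user sliding window. A burst of unanswered or denied pushes is HIGH;
    an approval while such a burst is still inside the window is CRITICAL."""
    recent = defaultdict(deque)      # user -> deque of (time, ip) for unanswered pushes
    last_alert = {}                  # user -> time of the last HIGH alert
    alerts = []
    for e in events:
        user, t, result = e["user"], e["time"], e["mfa_result"]
        q = recent[user]
        while q and t - q[0][0] > window:            # drop pushes that aged out
            q.popleft()
        if result in UNANSWERED:
            q.append((t, e["ip"]))
            if len(q) >= threshold and (user not in last_alert or t - last_alert[user] > window):
                last_alert[user] = t                 # one HIGH alert per window, not per push
                alerts.append({
                    "severity": "high", "user": user, "time": t,
                    "reason": f"{len(q)} unanswered or denied pushes within {window}",
                    "source_ips": sorted({ip for _, ip in q}),
                })
        elif result == "push_approved" and len(q) >= threshold:
            alerts.append({
                "severity": "critical", "user": user, "time": t,
                "reason": "push approved while a bombing burst is in the window; "
                          "treat the account as compromised and revoke sessions",
                "source_ips": [e["ip"]],
                "approved_from_bombing_ip": e["ip"] in {ip for _, ip in q},
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_events(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["user"], alert["time"].isoformat(), alert["reason"])
```

On the sample above this yields one HIGH alert at the fifth unanswered push and one CRITICAL alert at the approval that follows. The CRITICAL case is the one to automate a response for: revoking refresh tokens and forcing re-registration is cheap compared with the lateral movement that follows a successful approval.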
4. Train Employees to Deny and Report
This is where security awareness training becomes mission-critical. Employees need to understand:
- They should NEVER approve an MFA push they didn't personally initiate.
- An unexpected push is a signal of a breach attempt — not a glitch.
- They should deny the request and immediately report it to IT security.
PhishDefense's simulation platform includes MFA fatigue simulation scenarios that let your security team safely test whether employees recognize and correctly respond to unexpected push notifications — before a real attacker tests them first.
5. Simulate MFA Fatigue Scenarios Before Attackers Do
Most phishing simulations focus on email links and attachments. But today's threat landscape demands that you also test whether employees know how to handle push bombing and accompanying vishing calls. A combined simulation — a wave of fake MFA push attempts followed by a vishing call from your simulated "IT helpdesk" — gives your team a realistic rehearsal for the exact attack chain Uber and Cisco faced.
PhishDefense offers vishing simulations that replicate this exact scenario, measuring how many employees approve rogue prompts and how many report correctly.
Red Flags Every Employee Should Memorize
Train your team to treat the following as immediate red flags requiring escalation — never approval:
- An MFA push arrives when you are not actively logging in
- Multiple pushes arrive in rapid succession
- You receive a phone call, text, or WhatsApp message from "IT support" asking you to approve a push
- The push notification shows an unfamiliar location, device, or application
- Someone asks for your one-time code or tells you to "ignore the weird prompts"
Print these on a card. Put them in onboarding. Repeat them in quarterly training. The single most powerful defense against MFA fatigue is an employee who confidently says: "I didn't initiate this. I'm denying it and calling IT right now."
The Bigger Picture: MFA Is Necessary but Not Sufficient
MFA fatigue attacks don't mean you should abandon multifactor authentication. Quite the opposite — MFA remains one of the highest-value security controls you can deploy, and organizations without it are far more exposed to automated attacks.
But MFA fatigue is a powerful reminder that technology protects systems; training protects people. The human layer is always in the loop, and attackers know it. Any security strategy that treats MFA as the final answer — rather than one layer in a human-aware defense — is leaving a door open.
The most resilient organizations pair strong technical controls with continuous, realistic training that prepares employees for exactly the scenarios attackers are deploying right now. Not theoretical threats from a textbook. Real attack chains that have already taken down billion-dollar companies.
Is Your Team Ready to Resist an MFA Fatigue Campaign?
There's only one way to find out — before an attacker does it for you.
PhishDefense helps security teams simulate MFA fatigue scenarios, vishing calls, and multi-channel phishing attacks so your employees build real muscle memory for denying and reporting. Our platform tracks who approved, who denied, who reported, and turns every simulation into a targeted training moment.
👉 Talk to our team about MFA fatigue simulations — and find out how many of your employees would have unlocked the door.