MFA Fatigue Attacks: Why Your Second Factor Isn’t Enough Anymore — And What Actually Works

Multi-factor authentication was supposed to solve the problem. For a while, it did. Add a second factor — a text message code, a push notification — and your accounts became meaningfully harder to crack. Security teams celebrated adoption rates. Insurance carriers started requiring it. The advice became universal: turn on MFA, stay safe.

The attackers caught up. MFA fatigue attacks — also called push bombing — have become one of the most effective account-takeover techniques in active use today. They don’t break your second factor. They exploit the person behind it. And because most organizations are still running the same push-based MFA they deployed three years ago, millions of business accounts are exposed to an attack vector their IT teams believe they’ve already closed. Understanding MFA fatigue attacks is now a baseline requirement for any organization that takes its security posture seriously.

This post breaks down exactly how these attacks work, who’s been hit, what the breach data shows, and — most importantly — what defensive posture actually neutralizes the threat.

  1. How MFA Fatigue Attacks Work
  2. OAuth Consent Phishing: The Quieter Cousin
  3. Who Is Being Hit — And the Data Behind It
  4. Why SMS and Basic Push Are the Weak Link
  5. What Actually Works: The Defense Stack
  6. Questions to Ask Your IT Firm
  7. Frequently Asked Questions

How MFA Fatigue Attacks Work

The mechanics are almost insultingly simple. An attacker obtains a valid username and password — through a data breach, a credential-stuffing campaign, or a basic phishing email. With those credentials in hand, they trigger your MFA system repeatedly, flooding the target employee’s phone with push approval requests. This is the defining characteristic of MFA fatigue attacks: the authentication system itself is never broken.

Most employees, confronted with ten or twenty “Did you just sign in?” notifications at 11 PM, will eventually tap Approve — either because they assume it’s a glitch, because they want the alerts to stop, or because they’re half-asleep and not paying attention. That single tap hands the attacker a fully authenticated session.

Some attackers go further: they call the target directly, claim to be from the company’s IT department, and instruct them to approve the pending notification to resolve a system issue. The push request is already on the screen. The employee complies. Access granted.

This is not a theoretical exploit. It is the documented technique behind some of the highest-profile breaches of the last three years, and the reason MFA fatigue attacks now appear by name in CISA advisories, FBI threat bulletins, and cyber-insurance underwriting checklists.
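The burst of unanswered or denied push prompts described above is itself a detectable signal. The following detection logic is an added example, not code from the original post; it runs over a few constructed MFA log lines in an assumed format and raises a critical alert when a burst of prompts ends in an approval.

```python
"""Detect push-bombing bursts in MFA prompt logs with a sliding window per user."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real telemetry); the line format is assumed.
SAMPLE_LOG = """\
2024-03-04T23:01:10Z user=jdoe method=push result=timeout ip=203.0.113.10
2024-03-04T23:01:52Z user=jdoe method=push result=denied ip=203.0.113.10
2024-03-04T23:02:31Z user=jdoe method=push result=timeout ip=203.0.113.10
2024-03-04T23:03:15Z user=jdoe method=push result=denied ip=203.0.113.10
2024-03-04T23:04:02Z user=jdoe method=push result=approved ip=203.0.113.10
2024-03-04T09:00:05Z user=asmith method=push result=approved ip=198.51.100.7
2024-03-04T17:30:40Z user=asmith method=push result=approved ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)

def parse(log_text):
    """Parse log lines into event dicts, sorted by timestamp; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({**m.groupdict(), "ts": ts})
    return sorted(events, key=lambda e: e["ts"])

def detect_push_bombing(events, window=timedelta(minutes=10), threshold=4):
    """Alert when one user receives >= threshold push prompts inside `window`.
    Severity is 'critical' if the burst ends in an approval: likely account compromise."""
    recent = defaultdict(deque)   # per-user queue of prompts inside the window
    alerts = {}                   # latest alert per user
    for e in events:
        if e["method"] != "push":
            continue
        q = recent[e["user"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()           # drop prompts that fell out of the window
        if len(q) >= threshold:
            unanswered = sum(1 for x in q if x["result"] in ("denied", "timeout"))
            severity = "critical" if e["result"] == "approved" else "high"
            alerts[e["user"]] = {"user": e["user"], "prompts": len(q),
                                 "unanswered": unanswered, "severity": severity,
                                 "last_prompt": e["ts"].isoformat()}
    return list(alerts.values())

if __name__ == "__main__":
    for a in detect_push_bombing(parse(SAMPLE_LOG)):
        print(f"[{a['severity'].upper()}] {a['user']}: {a['prompts']} push prompts, "
              f"{a['unanswered']} unanswered, last at {a['last_prompt']}")
```

A normal user approving a handful of prompts across a working day (asmith above) never crosses the threshold, while four ignored prompts followed by an approval within minutes (jdoe) is the pattern worth paging on.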

OAuth Consent Phishing: The Quieter Cousin

Push bombing is loud and blunt. OAuth consent phishing is its more surgical sibling — and in many ways more dangerous, because it leaves fewer immediate red flags.

In an OAuth consent phishing attack, the attacker sends a phishing email linking to a legitimate-looking Microsoft, Google, or other identity provider login page. The user signs in with their real credentials — triggering real MFA, which they legitimately approve. But the page then presents an OAuth permission dialog: “This app would like access to your email, calendar, and files.”

The user clicks Accept, believing they’re authorizing an internal tool. What they’ve actually done is grant a malicious third-party application persistent access to their account — access that survives password changes, MFA resets, and most detection efforts, because the token is legitimate. No credentials were stolen. No password needs to be reset. The attacker uses the app’s delegated access until someone revokes it.

While OAuth consent phishing is technically distinct from classic MFA fatigue attacks, both exploit the same root vulnerability: a user conditioned to approve authentication prompts without scrutiny. CISA and Microsoft have both issued advisories on this technique. Microsoft’s own threat intelligence team documented a 2022 campaign in which over 10,000 organizations were targeted using adversary-in-the-middle phishing kits that captured session tokens after successful MFA — making standard MFA irrelevant to the attack chain entirely.

Who Is Being Hit — And the Data Behind It

The short answer: any organization running email. But specific breach events have put MFA fatigue attacks on the map as a named, documented threat technique.

Uber (September 2022). An 18-year-old attacker obtained an Uber contractor’s credentials through a third party, then bombarded the contractor with push approval requests for over an hour. When the contractor didn’t approve, the attacker reached out via WhatsApp, claimed to be Uber IT support, and told them to approve the pending notification. The contractor did. The attacker accessed Uber’s internal systems, vulnerability reports, and internal Slack. Uber’s post-incident report confirmed the push bombing technique explicitly.

Cisco (May 2022). A Cisco employee’s personal Google account — which had saved Cisco VPN credentials — was compromised. The attacker launched a sustained push bombing campaign against the employee. After one approval, the attacker was inside Cisco’s network. Cisco’s security team documented the full attack chain publicly, noting the attacker used voice phishing to supplement the push fatigue campaign.

Lapsus$ (2022–2023). The Lapsus$ group — responsible for breaches at Microsoft, NVIDIA, Okta, Samsung, and T-Mobile, among others — used MFA fatigue attacks as a core tactic. Some members were teenagers. They breached some of the most technically sophisticated organizations in the world by targeting the human layer that standard MFA leaves wide open.

The FBI’s Internet Crime Complaint Center 2023 report recorded over $12.5 billion in total cybercrime losses — with business email compromise and account takeover representing the largest categories. MFA bypass techniques, including push bombing, are now standard elements of those attack chains.

According to CISA’s phishing-resistant MFA guidance, SMS-based and push notification MFA are not considered phishing-resistant and should be replaced with stronger alternatives where possible. Microsoft’s Security Blog has similarly documented how adversary-in-the-middle techniques render conventional MFA controls insufficient against determined attackers.

Why SMS and Basic Push Are the Weak Link in MFA Fatigue Attacks

To understand why SMS and standard push notifications fail against modern attacks, it helps to be precise about what these second factors actually verify.

SMS codes verify that someone has access to the phone number tied to the account. They don’t verify that the person entering the code is the legitimate account holder, that the site requesting the code is legitimate, or that the code isn’t being intercepted in real time. SIM swapping — where an attacker convinces a carrier to transfer your phone number to their device — renders SMS codes useless. Real-time phishing kits can also relay SMS codes to an attacker’s session faster than the code expires.

Basic push notifications — the simple “Approve / Deny” screen with no additional context — are the most directly vulnerable to MFA fatigue attacks because they require zero cognitive engagement. There’s no number to match, no context about which application is being accessed, no location information. The entire security model depends on the user paying close attention and never accidentally tapping Approve. That’s not a security control. That’s a wish.

Both methods share a fundamental flaw: they don’t verify the legitimacy of the site requesting authentication. A convincing phishing page that relays credentials and MFA codes in real time can defeat both entirely. This is precisely why MFA fatigue attacks and adversary-in-the-middle techniques are increasingly paired in the same attack chain.

What Actually Works: The Defense Stack Against MFA Fatigue Attacks

The industry has converged on a clear set of controls that actually neutralize MFA fatigue attacks. None of them require replacing your entire identity platform. Most organizations running Microsoft 365 or Google Workspace already have the technical capability — they just haven’t configured it.

1. Number Matching

Number matching is the single most immediate upgrade available to most organizations running push-based MFA. Instead of a simple Approve/Deny screen, the authenticator app displays a two-digit number. The user must type that exact number into the app to approve. This eliminates passive approvals entirely — a user who didn’t initiate the sign-in won’t know the correct number and cannot accidentally approve a fraudulent request. Number matching directly counters MFA fatigue attacks by requiring active, informed participation from the user.

Microsoft made number matching the default behavior for Microsoft Authenticator in May 2023. If your organization is still on the old behavior, that needs to change immediately. This is a configuration setting, not a product purchase.

2. Additional Context in Push Notifications

Alongside number matching, showing the geographic location and application name in the push notification gives users meaningful context to evaluate whether a request is legitimate. A notification that reads “Sign-in request from Lagos, Nigeria — Microsoft SharePoint” is far more likely to be denied than one that says “Approve sign-in?” Context-rich notifications reduce accidental approvals — one of the primary mechanisms that makes MFA fatigue attacks work.

3. Phishing-Resistant Authentication: FIDO2 and Passkeys

This is the gold standard defense against MFA fatigue attacks and adversary-in-the-middle techniques simultaneously. FIDO2 security keys (hardware devices like YubiKeys) and passkeys (the same cryptographic standard, implemented on a device) are cryptographically bound to a specific domain. A FIDO2 credential generated for login.microsoftonline.com will not authenticate on a lookalike phishing page — the domain mismatch is detected at the cryptographic layer, not by the user’s judgment.

This defeats push bombing, SMS interception, SIM swapping, and adversary-in-the-middle attacks simultaneously. CISA explicitly recommends phishing-resistant authentication as the target state for all organizations. The White House’s Office of Management and Budget has mandated it across federal agencies. The private sector is following.

Passkeys are increasingly supported across Microsoft, Google, Apple, and most major identity platforms — and they eliminate passwords entirely. When a user has no password, credential stuffing and password-based attacks — the prerequisite for most MFA fatigue attacks — become impossible by definition.
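To make the "bound to a specific domain" point concrete, the added example below models the relying-party checks from the WebAuthn flow: the browser (not the user) writes the page's true origin into clientDataJSON, the authenticator signs over authenticatorData plus the hash of that JSON, and the relying party rejects any assertion whose origin or signature does not match. This is illustrative code, not the page's or any vendor's implementation; the relying-party id and origin are assumed, and HMAC stands in for the authenticator's asymmetric signing key so the block runs with the standard library only.

```python
"""Model of the relying-party checks that make a FIDO2/WebAuthn assertion origin-bound.
HMAC is a stand-in for the credential's ECDSA/EdDSA private key (simplification)."""
import hashlib, hmac, json

RP_ID = "login.example.com"                    # assumed relying party id
EXPECTED_ORIGIN = "https://login.example.com"  # assumed genuine site origin

def _auth_data(rp_id):
    # authenticatorData: sha256(rpId) || flags (UP) || 4-byte signature counter
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"

def browser_get_assertion(key, page_origin, challenge):
    """What the browser + authenticator produce. The browser fills in the real page
    origin; the authenticator signs authenticatorData || sha256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data = _auth_data(RP_ID)
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, signed, hashlib.sha256).digest()
    return client_data, auth_data, sig

def rp_verify(key, challenge, client_data, auth_data, sig):
    """Relying-party verification steps; returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "challenge mismatch"        # replay or wrong ceremony
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"           # assertion came from a lookalike page
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"         # credential scoped to a different rpId
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"             # clientDataJSON altered after signing
    return True, "ok"

def demo(page_origin, relay_rewrites_origin=False):
    """Run one ceremony from `page_origin`. If a relay rewrites the origin field to the
    genuine value before forwarding, the signature no longer covers the JSON it signed."""
    key = b"constructed-credential-key"           # constructed; per-credential secret
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"      # constructed, normally random per login
    client_data, auth_data, sig = browser_get_assertion(key, page_origin, challenge)
    if relay_rewrites_origin:
        cd = json.loads(client_data)
        cd["origin"] = EXPECTED_ORIGIN
        client_data = json.dumps(cd).encode()
    return rp_verify(key, challenge, client_data, auth_data, sig)

if __name__ == "__main__":
    print("genuine site:      ", demo(EXPECTED_ORIGIN))
    print("lookalike site:    ", demo("https://login-example.com"))
    print("lookalike + rewrite", demo("https://login-example.com", relay_rewrites_origin=True))
```

Either way the lookalike page loses: the honest origin is rejected outright, and a rewritten origin breaks the signature, which is exactly why the user's judgment is no longer the control.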

4. Conditional Access Policies

Conditional access is the policy layer that sits between a successful authentication event and actual access to resources. Even if an attacker obtains a valid session token through MFA fatigue attacks or adversary-in-the-middle techniques, well-configured conditional access policies can block or flag the session based on device compliance, network location, sign-in risk score, and application sensitivity.

Key policies that directly counter MFA bypass attacks include blocking sign-ins from unmanaged devices, requiring re-authentication for high-sensitivity applications, and applying stricter authentication requirements when sign-in risk is elevated.

5. Impossible Travel and Anomalous Sign-In Alerts

If an account authenticates from Philadelphia at 9 AM and then from Eastern Europe at 9:15 AM, something is wrong. Impossible travel detection — available in Microsoft Entra ID Protection, Google Workspace’s advanced security features, and most enterprise identity platforms — flags these events automatically and can be configured to trigger step-up authentication or block the session entirely.

This won’t stop an attacker routing through a U.S.-based proxy, but it catches a significant share of opportunistic MFA fatigue attacks that originate from overseas infrastructure.
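The Philadelphia-then-Eastern-Europe case above reduces to one rule: distance between consecutive sign-ins divided by elapsed time. The example below is added here and is not part of the original post; it runs that rule over constructed sign-in events whose coordinates are assumed to have already been resolved from the source IP by a GeoIP lookup.

```python
"""Flag impossible-travel sign-ins: consecutive logins by one user that are too far
apart to have been physically travelled in the elapsed time."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events (not real telemetry). Coordinates are assumed to come
# from a GeoIP lookup of the source IP that has already been performed.
SIGNINS = [
    {"user": "jdoe", "ts": "2024-03-04T09:00:00Z", "city": "Philadelphia", "lat": 39.95, "lon": -75.17},
    {"user": "jdoe", "ts": "2024-03-04T09:15:00Z", "city": "Bucharest", "lat": 44.43, "lon": 26.10},
    {"user": "asmith", "ts": "2024-03-04T09:00:00Z", "city": "Philadelphia", "lat": 39.95, "lon": -75.17},
    {"user": "asmith", "ts": "2024-03-04T11:00:00Z", "city": "New York", "lat": 40.71, "lon": -74.01},
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # about airliner cruise speed; tune for your environment

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each sign-in with the same user's previous one and flag implied
    speeds above max_kmh. Returns one alert dict per flagged pair."""
    alerts = []
    last = {}   # most recent sign-in seen per user
    for ev in sorted(signins, key=lambda e: (e["user"], _parse_ts(e["ts"]))):
        prev = last.get(ev["user"])
        if prev is not None:
            hours = (_parse_ts(ev["ts"]) - _parse_ts(prev["ts"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # Two distant locations in the same second are impossible too; avoid divide-by-zero
            if hours == 0:
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                alerts.append({"user": ev["user"], "from": prev["city"], "to": ev["city"],
                               "km": round(dist), "hours": round(hours, 2),
                               "kmh": None if speed == float("inf") else round(speed)})
        last[ev["user"]] = ev
    return alerts

if __name__ == "__main__":
    for a in detect_impossible_travel(SIGNINS):
        print(f"IMPOSSIBLE TRAVEL {a['user']}: {a['from']} -> {a['to']} "
              f"{a['km']} km in {a['hours']} h (~{a['kmh']} km/h)")
```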

6. OAuth Application Governance

To counter OAuth consent phishing specifically, organizations need visibility into which third-party applications have been granted access to their environment — and the ability to revoke that access quickly. Microsoft Defender for Cloud Apps and Google’s built-in OAuth app review tools both provide this. Blocking user-initiated OAuth consent entirely — requiring administrator approval for any new app grant — is the most aggressive and effective control, and appropriate for most small and mid-sized businesses.

You can see how we layer these controls for clients on our cybersecurity services page.

Questions to Ask Your IT Firm About MFA Fatigue Attacks

If you want to know whether your current IT provider has actually closed the MFA fatigue gap, ask these questions directly. The answers will tell you more than any audit report.

  • Have you enabled number matching on our push MFA? If the answer is “we need to check,” it hasn’t been done.
  • Do we have conditional access policies configured? Ask them to walk you through what those policies block. Vague answers are a red flag.
  • Are we moving toward phishing-resistant authentication? What’s the timeline? Which user populations are prioritized first?
  • Can you show me our OAuth app inventory? Do we know every third-party application with access to our Microsoft 365 or Google Workspace environment?
  • Are impossible travel alerts configured and monitored? Who reviews them? What’s the response when one fires?
  • When did you last audit our identity security posture? If the answer is “we monitor continuously,” ask what that monitoring actually surfaces — and what happened the last time it flagged something.

None of these questions require technical expertise to ask. But the quality of the answers will tell you whether your IT firm is operating at the level your business actually needs — and whether your organization is genuinely protected against MFA fatigue attacks or simply checking a box.

At Xact IT Solutions, we’ve spent more than 20 years building environments that don’t generate drama — no breaches, no board-level surprises, no middle-of-the-night incident calls. Zero client breaches in over two decades is a record we don’t take lightly. It’s built on exactly this kind of layered identity security — not on deploying MFA and calling it done.

If you want a direct conversation about where your current MFA posture stands and what it would take to close the gaps, Book a Free Cybersecurity Strategy Call. It’s a 20-minute conversation with our team — no sales pressure, no obligation.

Frequently Asked Questions

What exactly are MFA fatigue attacks and how do they work?

MFA fatigue attacks — also called push bombing — occur when an attacker who already has a valid username and password repeatedly triggers push notification approval requests to the account holder’s phone. The goal is to overwhelm or frustrate the user into tapping “Approve” — handing the attacker an authenticated session without ever breaking the MFA system itself. The attack exploits human behavior, not a technical flaw in the authentication protocol.

Does enabling MFA still make sense if MFA fatigue attacks can bypass it?

Yes — any MFA is significantly better than none. MFA fatigue attacks require an attacker to already have your password, and they only work against certain MFA types. The answer isn’t to abandon MFA; it’s to upgrade to stronger forms: number matching at minimum, and phishing-resistant options like FIDO2 security keys or passkeys as the target state. Basic push and SMS are the weak links — not multi-factor authentication as a concept.

What is the most effective defense against MFA fatigue attacks today?

The most effective defense against MFA fatigue attacks is phishing-resistant MFA — specifically FIDO2 security keys or passkeys. These are cryptographically bound to the legitimate domain and cannot be relayed or spoofed by an attacker. In the near term, enabling number matching on existing push-based MFA eliminates passive approvals and is the most impactful immediate improvement available to most Microsoft 365 and Google Workspace environments. Conditional access policies and impossible travel alerts add additional layers of defense.

How is OAuth consent phishing different from a standard MFA fatigue attack?

OAuth consent phishing doesn’t try to steal your session — it tricks you into voluntarily granting a malicious application persistent access to your account. The user goes through a legitimate login and MFA flow, then approves a permission dialog that grants a third-party app access to email, files, or calendars. Because the access token is legitimate, it survives password resets and MFA changes. Unlike a direct MFA fatigue attack, no repeated push requests are sent — which makes it harder to detect. The defense is blocking or tightly restricting user-initiated OAuth app consent in your identity platform’s admin settings.

Are small and mid-sized businesses really targeted by MFA fatigue attacks, or is this mainly an enterprise problem?

MFA fatigue attacks are heavily automated and target any organization running push-based MFA — regardless of size. Attackers purchase credential lists from dark web markets and run automated push bombing campaigns at scale. Small and mid-sized businesses are frequently targeted precisely because they’re less likely to have the advanced identity security configurations that larger enterprises deploy. The FBI’s annual Internet Crime report consistently shows that smaller organizations account for a significant share of business email compromise and account takeover losses.
