
An MFA fatigue attack — also called push bombing — is brutally simple: a criminal who already has your password triggers sign-in prompt after sign-in prompt, flooding your phone with approval requests until you tap yes just to make it stop. It defeated the defenses of several household-name companies last year, and it works exactly the same against a 20-person firm.
How a push-bombing attack unfolds
- The attacker obtains a password. Usually from a phishing page or from the billions of credentials circulating out of old breaches.
- They script sign-in attempts. Each one fires a push notification to the victim’s authenticator app. Ten prompts. Thirty. Sometimes at 2 a.m., sometimes spaced through a workday.
- They add a story. In the highest-profile case last fall, the attacker messaged the employee claiming to be from IT, promising the prompts would stop once accepted.
- Someone taps Approve. Annoyance, sleepiness or the fake IT story does the work. The attacker is now inside with valid credentials — and most alarms stay quiet.
Why MFA fatigue works so well
Push approval was designed for convenience: see prompt, tap yes. After a thousand legitimate taps, the gesture becomes muscle memory with no thought attached — the attack simply weaponizes your own reflex. The prompt also carries almost no context; a generic approval request looks identical whether it’s you in the next room or a criminal on another continent.
Timing does the rest. Attackers fire prompts when judgment is weakest — overnight, mid-commute, mid-meeting — and a single approval is all they need. Across a hundred targeted employees, someone is always tired enough.
And because the sign-in uses a real password plus a real MFA approval, it registers as a normal login. Unless someone is watching for the burst of denied prompts that precedes the breakthrough, the first visible symptom may be a fraudulent wire request sent from a legitimate mailbox.
How to shut push bombing down
None of these fixes require new products — they’re settings and habits layered onto the MFA you already own:
- Turn on number matching. Instead of tapping Approve, the user types a two-digit code shown on the sign-in screen — impossible to do by accident. Microsoft has been rolling this out as the default behavior for Authenticator, and it’s the single best quick fix.
- Add context to prompts. Showing the application name and sign-in location turns a blind tap into an informed decision.
- Limit and lock. Cap denied or failed MFA attempts so a barrage locks the account and raises an alert instead of wearing the user down.
- Use conditional access. Block sign-ins from countries you don’t operate in and flag impossible-travel logins.
- Move VIPs to phishing-resistant MFA. Hardware security keys remove the approval decision entirely for admins, executives and finance staff.
- Train the response. One rule for staff: a prompt you didn’t cause means your password is stolen. Deny it and call IT immediately — the prompts are the alarm bell.
If it’s happening to you right now
Don’t approve anything — not even once, not even to silence the phone, because silencing you is exactly what the attacker is counting on. Change the affected password from a device you trust, tell whoever handles your IT so they can revoke active sessions, and treat any follow-up call or text claiming to be from support as part of the attack. Preserve the sign-in logs, too; the source addresses and timing tell responders how determined the attacker is. At NetSys, a burst of denied MFA prompts on a client account pages a real engineer within minutes, at any hour — that’s the response speed this threat demands.
Key takeaways
- MFA fatigue starts with a stolen password and wins through sheer annoyance.
- A prompt you didn’t trigger is proof your password is compromised — deny it and report it.
- Number matching kills the blind Approve tap and is rolling out in major authenticator apps now.
- Rate limits, sign-in context and conditional access turn the attack into an alarm.
- Give admins and executives hardware keys — those accounts are worth the upgrade.
Not sure your MFA setup would survive a determined push-bombing run? Our cybersecurity services team can harden it in a single afternoon.
Turn insight into action.
Take a free cybersecurity or AI readiness assessment, or book a call with a NetSys engineer — no obligation, no runaround.



