MFA Fatigue Attacks

An MFA fatigue attack turns a security measure into a weapon against the people it’s meant to protect. Attackers bombard users with repeated multi-factor authentication (MFA) push notifications after stealing their login credentials. In the end, the target user grows fatigued by the constant interruptions and accepts the login request, granting the attacker access.


What Is an MFA Fatigue Attack?

An MFA fatigue attack is a type of social engineering attack against a legitimate user in which an attacker relies on persistence and overload to wear the user down. An attacker can obtain valid user credentials by various methods, including but not limited to phishing, purchasing them on the Dark Web, or brute-forcing login attempts.

Once an attacker has valid credentials, they send a large volume of MFA push notifications to the targeted user at high frequency, aiming to leave the user annoyed, disoriented, and/or fatigued enough to approve a fraudulent login attempt simply to end the barrage of notifications.

MFA fatigue attacks differ from normal exploitation in that, instead of targeting a software bug or network vulnerability, they target the system’s user. The authentication process is functioning properly; however, the individual behind the system has been sufficiently annoyed, disoriented, or fatigued to make a poor decision regarding their login attempt based upon the constant barrage of authentication requests.

Also referred to as MFA bombing, MFA push spam, or prompt bombing, the MFA fatigue attack uses the same tactics, regardless of the name. The user receives multiple legitimate-looking authentication requests, and when the user selects “approve” for one of the requests, they have done so without sufficient thought.

Proofpoint’s Brian Gleeson summarizes it best: “Sometimes, attackers will choose to take an in-your-face approach that is not very creative or technical. MFA fatigue attacks fall into that category.” The effectiveness comes from how common MFA requests are in everyday work. People log in to different apps and platforms several times a day. When push notifications arrive at a busy time or reach an unsuspecting target, people often accept them without thinking. Attackers exploit this routine so that their fraudulent requests blend in with normal security procedures.

How MFA Fatigue Attacks Work

Fatigue-based MFA attacks follow a predictable series of events involving both technical tactics and human responses. Technically, it seems straightforward. What makes it work is how humans react when under duress.

Step 1: Credential compromise or theft

The attack begins when someone obtains valid credentials that aren’t theirs. Phishing, credential stuffing against reused passwords, or buying large credential dumps from the dark web are all common ways for adversaries to get usernames and passwords. At this point, nothing in the environment looks wrong, because the attacker is using real credentials that belong to a real user.

Step 2: Login attempt triggers MFA

The next step for the attacker is to use the stolen credentials to log into a cloud app, a VPN, an SSO portal, or an identity provider. The identity platform does what it’s supposed to do. It sends a second factor, which is usually a push notification or in-app prompt to the user’s phone or authenticator app. This is a normal sign-in flow for the platform, not an exploit.

Step 3: Repeated prompts (“bombing”)

Rather than stopping at a single failed login attempt, attackers rely on volume. They repeatedly submit the compromised credentials, either by hand or with a script, so that a new MFA prompt reaches the user’s device every few seconds or minutes, sometimes continuously for hours.

Step 4: User fatigue, confusion, or urgency

Over time, the repeated requests cause the user to become increasingly fatigued, confused, and/or concerned about something being wrong. When users find themselves in this emotional and mental state, they tend to approve the MFA prompt simply to remove the annoyance caused by the persistent notifications. In some cases, attackers further exacerbate the situation by impersonating an IT or help desk representative and instructing the user to approve the MFA prompt to “resolve an issue” or “avoid account lockout.”

Step 5: Unauthorized access

Once a single MFA prompt is approved, the attacker has authenticated access to the targeted resource. As long as that session stays active, they can move laterally, reach further resources, steal sensitive information, modify configuration, and provision additional access without facing another MFA challenge.

In many instances, the MFA push notification represents the sole secondary authentication challenge for users. Therefore, the single approval-or-denial decision is a significant vulnerability for users that malicious actors understand how to exploit.

Why MFA Fatigue Attacks Are a Growing Concern

MFA fatigue attacks are a growing concern because they target one of the most trusted security layers. Push-based MFA is becoming standard for cloud apps and identity platforms. Instead of concentrating on the technology, attackers simply adjust and focus on the individual involved. This moves the technical problem (“MFA is misconfigured”) to the human risk (“MFA is working as it should, but users are getting too many prompts”).

The problem is mainly caused by how people act. Even users who are experienced and aware of security can get tired, distracted, or go on autopilot at times. In a long workday filled with notifications, it only takes one reflexive tap on “approve” for an attacker to turn a control into an entry point. As Proofpoint research reveals, “almost half of all accounts that were taken over by bad actors had MFA configured. Yet 89% of security professionals consider MFA a complete protection against account takeover.” This disconnect between perception and reality is dangerous.

Once an attacker has the credentials, generating MFA push spam is cheap, and the payoff can be large. The barrier to a successful attack is far lower than developing an advanced exploit: a script that repeatedly attempts to log in produces enough noise to wear a user down.

MFA fatigue was the primary reason behind high-profile breaches of companies such as Cisco, Uber, and Microsoft. In all of these breaches, users accepted fake push prompts due to pressure. These examples demonstrate that even a single step in an “approve/deny” process can be broken when users are fatigued by that same process.

Many organizations rely completely upon push-to-approve MFA as their last layer of protection. When push notifications become overwhelming or routine, users approve requests without scrutiny—undermining the very controls security leaders consider essential.

Common Signs and Indicators of MFA Fatigue Attacks

Early detection stops attackers before they gain access. Security teams and end users should watch for these warning signs of unusual login activity.

  • Multiple MFA push notifications in a short time (without user-initiated login attempts). If a user gets five, 10, or more push notifications in a short time and isn’t trying to sign in, an attacker is likely using stolen credentials to attack the login endpoint.
  • MFA prompts arriving at unusual times or outside working hours. Authentication requests at 2 a.m. or during vacation days when the user is offline suggest someone else is attempting access from a different time zone or location.
  • “Approve / Deny” style MFA without contextual information. Prompts that lack details like the requesting device, location, IP address, or a number-matching challenge make it easier for users to approve without scrutiny.
  • Login attempts from devices or locations that the user doesn’t recognize, followed by MFA prompts. Authentication logs that show sign-in attempts from a country or device the user has never used, along with push notifications, are strong signs that the account has been compromised.
  • Repeated prompts on different devices or services. Attackers may go after more than one account or platform at the same time to improve chances of success. If you get multiple MFA requests in a short amount of time from work apps, VPNs, or cloud services, tell someone immediately.
  • Users report getting MFA prompts that they can’t stop or turn off. If a legitimate user tries to stop the flood of notifications, but the requests keep coming, the attacker is using automated tools.
  • Follow-up messages asking the user to approve a pending MFA request. Attackers sometimes use voice phishing or messaging along with MFA bombing, pretending to be help desk staff to get people to agree to things during the chaos.

These indicators give SOC and IT teams concrete signals for finding MFA fatigue campaigns that are already under way. When security teams look for patterns such as sudden spikes in login attempts, unusual geographic locations, and user complaints about too many prompts, they can step in before an attacker gets a foothold.

Prevention and Mitigation Best Practices

To stop MFA fatigue attacks, you need both technical controls and people who are aware of them. The goal is to make it harder for attackers to use the “approve/deny” flow while giving users and security teams better tools to spot and stop these campaigns.

Use Phishing-Resistant MFA Methods

Simple push notifications that only ask users to approve or deny are vulnerable by design. Organizations should shift to phishing-resistant MFA options like number-matching push prompts, where users must enter a code displayed on the login screen into their authenticator app. Hardware security keys (FIDO2/WebAuthn) and certificate-based authentication eliminate the human decision point entirely, since they rely on cryptographic proof rather than user approval.
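The number-matching flow described above, as an added example (not code from the page or from any identity vendor): a server-side sketch in which the login screen shows a two-digit number, the authenticator app receives only an opaque challenge id, and approval counts only when the user types the on-screen number into the app. The in-memory store, the names `NumberMatchingMfa`, `start_login` and `approve`, the 60-second lifetime and the three-wrong-entries limit are all assumptions of this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example (not the page's or any vendor's code): server side of a
# number-matching push challenge. Store, user names and timings are constructed.

CHALLENGE_TTL_SECONDS = 60      # prompt expires if not answered in time
MAX_WRONG_ENTRIES = 3           # burn the challenge after this many bad entries


@dataclass
class PendingChallenge:
    user: str
    number: str        # two-digit value shown on the login screen
    created: float     # epoch seconds
    wrong_entries: int = 0


class NumberMatchingMfa:
    """Issue and verify number-matching challenges.

    The login screen shows the number; the authenticator app receives only
    the challenge id. The user must type the on-screen number into the app,
    so a reflexive 'approve' tap cannot complete the login.
    """

    def __init__(self) -> None:
        self._pending: Dict[str, PendingChallenge] = {}

    def start_login(self, user: str, now: Optional[float] = None) -> Tuple[str, str]:
        """After the password check passes: create a challenge and return
        (challenge_id, number). Push challenge_id to the app; show number on screen."""
        now = time.time() if now is None else now
        challenge_id = secrets.token_urlsafe(16)
        number = f"{secrets.randbelow(100):02d}"
        self._pending[challenge_id] = PendingChallenge(user, number, now)
        return challenge_id, number

    def approve(self, challenge_id: str, typed: str, now: Optional[float] = None) -> bool:
        """Called by the authenticator app with the digits the user typed.
        Returns True only for a fresh, unexpired challenge whose number matches."""
        now = time.time() if now is None else now
        ch = self._pending.get(challenge_id)
        if ch is None:
            return False                               # unknown or already used
        if now - ch.created > CHALLENGE_TTL_SECONDS:
            del self._pending[challenge_id]            # expired: drop it
            return False
        typed = typed.strip()
        ok = (len(typed) == 2 and typed.isascii() and typed.isdigit()
              and hmac.compare_digest(ch.number, typed))
        if ok:
            del self._pending[challenge_id]            # single use
            return True
        ch.wrong_entries += 1
        if ch.wrong_entries >= MAX_WRONG_ENTRIES:
            del self._pending[challenge_id]            # too many guesses: force a new login
        return False

    def deny(self, challenge_id: str) -> None:
        """User chose 'deny' (or 'report'): discard the challenge outright."""
        self._pending.pop(challenge_id, None)
```

The design point is that an approval message carrying no number, or the wrong number, is simply a failed entry; there is no code path by which a tap alone satisfies the challenge, which is what removes the fatigue lever.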

Limit MFA Request Volume and Login Attempts

Rate limits make MFA bombardment easier to mitigate. A simple approach: restrict how many MFA challenges (and therefore how many opportunities for an attacker) one account can trigger within a short period, such as 1-5 challenges in an hour. When that limit is exceeded, the system can block the account for a short period, alert security personnel, and/or require additional authentication before allowing another login attempt.
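A per-account limiter implementing the rule above, as an added example (not code from the page or from any identity platform): a sliding one-hour window capped at five challenges, a short lockout once the cap is hit, and an alert record for the security team. The class name `MfaChallengeLimiter`, the `check` method, the 15-minute lockout and the in-memory alert list are assumptions of this example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Added example (not the page's or any vendor's code). Thresholds, account
# names and the in-memory alert list are constructed stand-ins; a real
# deployment would persist state and emit alerts to a SIEM.


class MfaChallengeLimiter:
    """Cap the number of MFA push challenges one account can trigger per window."""

    def __init__(self, max_per_window: int = 5, window_s: int = 3600, lockout_s: int = 900):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._issued: Dict[str, Deque[float]] = defaultdict(deque)  # account -> challenge times
        self._locked_until: Dict[str, float] = {}
        self.alerts: List[Tuple[float, str, str]] = []             # (time, account, reason)

    def check(self, account: str, now: float) -> str:
        """Decide whether a push challenge may be sent right now.

        Returns "allow" (send the push and record it), "locked" (account is in
        a cool-down; send nothing) or "rate_limited" (the cap was just hit;
        the account is locked, an alert is raised, and nothing is sent).
        """
        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                return "locked"
            del self._locked_until[account]          # cool-down is over

        times = self._issued[account]
        while times and now - times[0] >= self.window_s:
            times.popleft()                          # drop challenges outside the sliding window

        if len(times) >= self.max_per_window:
            self._locked_until[account] = now + self.lockout_s
            times.clear()                            # fresh budget once the lockout ends
            self.alerts.append((now, account,
                                f"{self.max_per_window} MFA challenges within {self.window_s}s; "
                                f"locked for {self.lockout_s}s, step-up required"))
            return "rate_limited"

        times.append(now)
        return "allow"
```

The limiter sits in front of the push sender: a "locked" or "rate_limited" result means the identity platform simply does not send the prompt, so the user's phone stays quiet while the alert reaches the SOC. Five legitimate logins spread across a day never trip the cap because the window slides.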

Monitor Authentication Logs for Abnormal MFA Activity

Security teams need to identify sharp increases in MFA request activity quickly, because such a spike indicates that something is wrong with the user’s account. SIEMs, anomaly detection tools, and identity threat detection systems can alert on abnormal patterns such as a large number of push notifications sent to one user in a short time, login attempts from unknown locations, or authentication requests outside of working hours. Catching these patterns early lets the SOC step in before the user gives in.
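Detection logic covering the indicators listed earlier (prompt bursts, off-hours prompts, prompts triggered from an unfamiliar country, and an approval that follows a burst) and the monitoring this section calls for, as an added example that is not code from the page or from any SIEM product. The key=value log format, the sample lines, the TEST-NET IP addresses, the per-user country baselines, the 5-prompts-in-10-minutes threshold and the 07:00-19:59 working-hours assumption (timestamps taken as the user's local time) are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Added example (not the page's or any vendor's code). The log format, the
# sample lines, the user baselines and the thresholds are all constructed.

SAMPLE_LOG = """\
2024-05-02T02:14:03Z user=alice event=mfa_push_sent src_ip=203.0.113.7 country=RO
2024-05-02T02:14:21Z user=alice event=mfa_push_sent src_ip=203.0.113.7 country=RO
2024-05-02T02:14:40Z user=alice event=mfa_push_sent src_ip=203.0.113.7 country=RO
2024-05-02T02:15:02Z user=alice event=mfa_push_sent src_ip=203.0.113.7 country=RO
2024-05-02T02:15:19Z user=alice event=mfa_push_sent src_ip=203.0.113.7 country=RO
2024-05-02T02:15:44Z user=alice event=mfa_push_approved src_ip=203.0.113.7 country=RO
2024-05-02T09:03:11Z user=bob event=mfa_push_sent src_ip=198.51.100.4 country=US
2024-05-02T09:03:30Z user=bob event=mfa_push_approved src_ip=198.51.100.4 country=US
2024-05-02T14:20:05Z user=bob event=mfa_push_sent src_ip=198.51.100.4 country=US
2024-05-02T14:20:25Z user=bob event=mfa_push_approved src_ip=198.51.100.4 country=US
"""

KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}   # per-user baseline (constructed)
BURST_WINDOW_S = 600        # 10 minutes
BURST_THRESHOLD = 5         # prompts within the window that count as a burst
WORK_HOURS = range(7, 20)   # 07:00-19:59; assumes timestamps are in the user's local zone

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Turn one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    try:
        rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return rec if all(k in rec for k in ("user", "event")) else None


def detect(log_text: str, known_countries=KNOWN_COUNTRIES) -> Dict[str, List[Tuple[str, str]]]:
    """Scan MFA events and return {user: [(finding_kind, detail), ...]}."""
    findings: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    recent: Dict[str, deque] = defaultdict(deque)   # user -> times of recent push prompts
    reported = set()                                # (user, kind) already raised: one alert per kind

    def raise_once(user: str, kind: str, detail: str) -> None:
        if (user, kind) not in reported:
            reported.add((user, kind))
            findings[user].append((kind, detail))

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, ts, event = rec["user"], rec["ts"], rec["event"]

        if event == "mfa_push_sent":
            if ts.hour not in WORK_HOURS:
                raise_once(user, "off_hours", f"push prompt at {ts.strftime('%H:%M')} UTC")
            country = rec.get("country", "??")
            if country not in known_countries.get(user, set()):
                raise_once(user, "unknown_country",
                           f"prompt triggered from {country} via {rec.get('src_ip')}")
            window = recent[user]
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > BURST_WINDOW_S:
                window.popleft()
            if len(window) >= BURST_THRESHOLD:
                raise_once(user, "burst", f"{len(window)} push prompts within {BURST_WINDOW_S}s")

        elif event == "mfa_push_approved" and (user, "burst") in reported:
            # An approval right after a burst is the fatigue attack succeeding:
            # treat the session as compromised and revoke it.
            raise_once(user, "approved_after_burst",
                       f"approval at {ts.strftime('%H:%M')} UTC; revoke session")

    return dict(findings)
```

Run against the constructed sample, `alice` produces four findings in order (off-hours, unknown country, burst, approval after burst) while `bob`, who logs in twice during the day from his usual country, produces none. The last finding is the one that should page someone: it means the prompt flood worked and the resulting session needs to be killed, not merely watched.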

User Education and Awareness Training

Even the best technical controls won’t work if users don’t know what the threat is. Security awareness programs should make it clear that MFA fatigue attacks are a real threat and teach employees to never approve unexpected MFA prompts, especially when they’re under pressure or getting a lot of notifications. Instead of trying to stop the prompts by approving one, users should know to report strange behavior right away.

Apply Least-Privilege Access and Restrict High-Risk Accounts

If an MFA fatigue attack succeeds, the least-privilege principle limits the damage. Restrict administrative and privileged accounts to the people who need them, and apply stronger login requirements to those accounts. Consider requiring hardware tokens or context-aware authentication for high-value accounts. This limits the impact of someone accidentally approving a malicious prompt.

Adopt Context-Aware and Adaptive Authentication

Relying on push-based MFA alone leaves a single point of failure. Before granting access, organizations should apply least-privilege principles and add authentication steps in response to risk signals. Context-aware authentication systems check factors such as device health, IP reputation, the user’s location, and their behavior patterns to judge whether a login attempt is genuine.

For instance, if someone tries to log in from a new country at 3 a.m. using a device that isn’t recognized, the system can ask for more proof of identity before sending an MFA prompt. This stops attackers from even being able to start the flood of notifications in the first place.
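A risk gate for the scenario just described (new country, 3 a.m., unrecognized device), as an added example that is not code from the page or from any identity provider: risk signals are scored before any push is sent, and an elevated score requires a phishing-resistant factor first, so an attacker holding only a password never reaches the prompt at all. The weights, thresholds, device and country baselines, the `LoginContext` fields and the `fido2`/`certificate` factor names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Added example (not the page's or any vendor's code). Baselines, weights and
# thresholds are constructed; a real system would take them from device
# management, IP reputation feeds and per-user behaviour profiles.

WORK_HOURS = range(7, 20)
PHISHING_RESISTANT = {"fido2", "certificate"}   # factors acceptable for step-up

KNOWN_DEVICES: Dict[str, Set[str]] = {"alice": {"laptop-7f3a"}}
KNOWN_COUNTRIES: Dict[str, Set[str]] = {"alice": {"US"}}


@dataclass(frozen=True)
class LoginContext:
    user: str
    device_id: str
    country: str
    hour_local: int
    ip_flagged: bool = False   # source IP on a reputation block list


def risk_score(ctx: LoginContext) -> Tuple[int, List[str]]:
    """Sum weighted risk signals; return the score and the reasons behind it."""
    score, reasons = 0, []
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        score += 40
        reasons.append("unrecognized device")
    if ctx.country not in KNOWN_COUNTRIES.get(ctx.user, set()):
        score += 30
        reasons.append(f"new country {ctx.country}")
    if ctx.hour_local not in WORK_HOURS:
        score += 15
        reasons.append("outside working hours")
    if ctx.ip_flagged:
        score += 50
        reasons.append("source IP flagged")
    return score, reasons


def decide(ctx: LoginContext) -> Tuple[str, int, List[str]]:
    """Map the score to an action taken before any push is sent:
    "push"    - low risk: the normal push prompt may go out
    "step_up" - elevated risk: require a phishing-resistant factor first; no push
    "deny"    - high risk: refuse outright and alert
    """
    score, reasons = risk_score(ctx)
    if score >= 80:
        return "deny", score, reasons
    if score >= 30:
        return "step_up", score, reasons
    return "push", score, reasons


def may_send_push(ctx: LoginContext, presented_factor: str = "") -> bool:
    """True only when policy allows a push prompt for this attempt.

    A step-up attempt continues only after a phishing-resistant factor has
    been presented, so a password alone can never start a prompt flood."""
    action, _, _ = decide(ctx)
    if action == "push":
        return True
    if action == "step_up":
        return presented_factor in PHISHING_RESISTANT
    return False
```

With these weights, the page's own scenario scores 85 and is denied outright; a single new signal, such as travel to a new country from the usual laptop, scores 30 and is allowed to proceed only once a hardware key or certificate has been presented.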

FAQs

What exactly is an MFA fatigue attack?

MFA fatigue attacks are a type of social engineering that relies upon persistence to attack legitimate users. A malicious actor uses real user credentials and floods the victim’s mobile device with dozens or hundreds of sequential MFA notifications. The goal is based on human behavior: that the victim will become overwhelmed, confused, or frustrated by the sheer number of notifications and accept an unknown/unverified login request to stop receiving them. MFA fatigue attacks take advantage of how humans process information—not flaws in the MFA technology itself.

How does an MFA fatigue attack bypass MFA?

The attack goes around MFA by going after the person making the decision instead of the technology. After getting valid login information through phishing or credential theft, attackers keep trying to log in, which sends dozens or hundreds of real MFA prompts to the user’s device. When users get a lot of notifications, they might approve a request without thinking or out of frustration, which gives the attacker authenticated access. The MFA system works just as it should. The problem is how people act when they’re under stress.

Are push-based MFA methods still secure?

Push-based MFA is still safer than passwords alone, but simple “approve/deny” prompts can be dangerous when attackers take advantage of user fatigue. When these prompts don’t have any context, like information about the device, location data, or number-matching requirements that make users pay attention, that’s when the security gap happens. Organizations can make push-based MFA stronger by adding number-matching challenges, limiting the number of login attempts, and using behavioral analytics or context-aware authentication with push notifications.

How can organizations protect against MFA fatigue?

Organizations should use MFA methods that are resistant to phishing, such as number-matching prompts, hardware security keys, or FIDO2 authentication, which eliminate simple approve/deny flows. Security teams can find ongoing attacks by limiting the number of MFA requests and keeping an eye on authentication logs for unusual numbers of prompts. It’s just as important to teach users how to use MFA. Train employees to reject unexpected MFA prompts and report suspicious activity immediately.

Can MFA fatigue attacks affect hardware-key or token-based MFA?

Hardware keys and token-based MFA methods like FIDO2 are resistant to this technique because they use cryptographic authentication instead of asking users for permission. These methods require having the device in hand and don’t send push notifications that attackers can spam. No security measure is entirely safe from social engineering, but hardware tokens remove the specific weakness that MFA fatigue attacks exploit.

Is MFA fatigue common?

MFA fatigue attacks are becoming increasingly common as businesses continue to move toward push-based authentication. MFA fatigue has been proven in the wild with high-profile breaches at major organizations such as Cisco and Microsoft. The attack requires minimal technical expertise yet bypasses one of the strongest security defenses available.

How Proofpoint Helps

Proofpoint takes a defense-in-depth approach to combat MFA fatigue attacks by layering multiple security controls. This enterprise-wide solution identifies suspicious login behavior, prevents phishing attacks that launch MFA bombing campaigns, and educates end-users to recognize threats before they become victims—reducing the burden on security teams responding to identity-based attacks. For further information on how to protect your organization from these types of threats, contact Proofpoint.
