An MFA fatigue attack (also called MFA bombing or push bombing) is a social engineering tactic where attackers who have obtained a victim's credentials repeatedly send multi-factor authentication push notification requests to the victim's mobile device or authenticator app, hoping the victim will eventually approve one of the requests to stop the barrage of notifications.
How an MFA fatigue attack works
1. An attacker obtains the victim's login credentials through phishing, a data breach, credential stuffing, or other means.
2. The attacker attempts to log into the victim's account, which triggers MFA push notifications to the victim's registered device.
3. The attacker repeatedly triggers the authentication process, sending a continuous stream of push notifications to the victim's device, sometimes dozens or hundreds of requests over a short period, often during late night hours when the victim may be sleeping.
4. The victim, overwhelmed by the notifications or woken from sleep, approves a push request simply to stop the interruptions, or is deceived into thinking one of the requests is legitimate.
5. The attacker gains full access to the account, often then changing credentials and removing MFA to maintain persistent access.
In some notable attack cases, attackers combined MFA fatigue with direct phone calls to employees, impersonating IT support and instructing them to approve the authentication requests. This hybrid social engineering approach proved highly effective even against technically sophisticated organizations.
To defend against MFA fatigue attacks, organizations should:
Implement number matching or additional context in push notifications (requiring users to enter a code displayed on the login screen)
Use phishing-resistant MFA methods such as FIDO2/WebAuthn hardware keys
Set limits on MFA attempt frequency
Monitor for unusual MFA activity patterns
Train employees to never approve MFA requests they did not initiate
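The first and third defenses above (number matching and a cap on push frequency) are server-side controls, and the following is an added illustration of both in one small Python service. It is example code written for this page, not code from any authenticator vendor or from Pangratis; the class names, the 60-second window, the limit of 3 pushes per window and the 90-second challenge lifetime are assumptions chosen for the example.

```python
import secrets
from collections import deque
from dataclasses import dataclass

# Assumed policy values for this example; a real deployment tunes these.
PUSH_WINDOW_SECONDS = 60       # sliding window for the per-user push limit
MAX_PUSHES_PER_WINDOW = 3      # pushes allowed per user inside the window
CHALLENGE_TTL_SECONDS = 90     # how long a push challenge stays answerable


@dataclass
class Challenge:
    challenge_id: str
    user: str
    number: int      # two-digit value shown on the login screen, never in the push
    issued_at: float
    resolved: bool = False


class PushMfaService:
    """Minimal push-MFA verifier with rate limiting and number matching (hypothetical)."""

    def __init__(self):
        self._push_times = {}   # user -> deque of send timestamps (seconds)
        self._challenges = {}   # challenge_id -> Challenge

    def request_push(self, user, now):
        """Issue a push challenge, or raise once the user is being bombarded."""
        times = self._push_times.setdefault(user, deque())
        while times and now - times[0] > PUSH_WINDOW_SECONDS:
            times.popleft()                       # expire sends older than the window
        if len(times) >= MAX_PUSHES_PER_WINDOW:
            raise RuntimeError(f"push rate limit exceeded for {user}")
        times.append(now)
        challenge = Challenge(
            challenge_id=secrets.token_hex(8),
            user=user,
            number=10 + secrets.randbelow(90),    # 10..99, displayed only to the login screen
            issued_at=now,
        )
        self._challenges[challenge.challenge_id] = challenge
        return challenge

    def approve(self, challenge_id, entered_number, now):
        """Accept the approval only if the authenticator sent the matching number.

        Every challenge is consumed on first use, so a blind tap (no number)
        or a wrong guess both fail and cannot be retried on the same prompt.
        """
        challenge = self._challenges.get(challenge_id)
        if challenge is None or challenge.resolved:
            return False
        challenge.resolved = True
        if now - challenge.issued_at > CHALLENGE_TTL_SECONDS:
            return False
        return entered_number == challenge.number


if __name__ == "__main__":
    svc = PushMfaService()
    first = svc.request_push("alice", now=0.0)
    print("blind tap accepted?", svc.approve(first.challenge_id, None, now=5.0))
```

The point of the design is that an approval carries no authority by itself: a user who taps "Approve" without having the login screen in front of them cannot supply the number, so the fourth step of the attack sequence above fails even when the victim gives in. The rate limit works on the attacker's side of the exchange, so the stream of prompts stops before it becomes fatiguing.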
Pangratis detects account takeover attempts, including those facilitated by MFA fatigue, by monitoring for anomalous authentication patterns and post-compromise account behavior.
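As an added example of what "monitoring for unusual MFA activity patterns" can mean in practice, the Python below runs a simple detector over a constructed authentication log. It is illustration written for this page, not Pangratis's detection logic or any product's code; the log format, user names, addresses, thresholds (five unapproved prompts in ten minutes, a one-hour look-ahead, and "off-hours" meaning before 06:00 UTC) are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample log, one event per line: "<timestamp> <user> <result> <source_ip>".
# Users, addresses and timestamps are invented for this example.
SAMPLE_LOG = """\
2024-05-01T02:14:03Z alice denied 203.0.113.7
2024-05-01T02:14:21Z alice timeout 203.0.113.7
2024-05-01T02:15:02Z alice denied 203.0.113.7
2024-05-01T02:15:40Z alice timeout 203.0.113.7
2024-05-01T02:16:15Z alice timeout 203.0.113.7
2024-05-01T02:17:00Z alice denied 203.0.113.7
2024-05-01T02:21:40Z alice approved 203.0.113.7
2024-05-01T02:25:00Z alice mfa_method_removed 203.0.113.7
2024-05-01T09:05:12Z bob approved 198.51.100.4
"""

# Assumed thresholds; tune them to the real baseline of the tenant.
BURST_WINDOW = timedelta(minutes=10)     # prompts counted against an approval
BURST_THRESHOLD = 5                      # unapproved prompts that make a burst
FOLLOW_UP_WINDOW = timedelta(hours=1)    # look-ahead for post-compromise actions
UNAPPROVED = {"denied", "timeout"}
POST_COMPROMISE_EVENTS = {"mfa_method_removed", "password_changed"}


class Event(NamedTuple):
    ts: datetime
    user: str
    result: str
    ip: str


@dataclass
class Alert:
    user: str
    approved_at: datetime
    prior_prompts: int            # unapproved pushes inside BURST_WINDOW
    off_hours: bool               # approval before 06:00 UTC (assumed definition)
    post_compromise: list = field(default_factory=list)


def parse_log(text):
    """Parse the constructed four-field log format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events


def find_push_bombing(events):
    """Flag approvals that were preceded by a burst of denied or timed-out pushes.

    A burst alone is noisy (a confused user); a burst that ends in an approval,
    especially off-hours and followed by MFA or password changes, is the
    fatigue-attack shape described in the text.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        pending = []    # timestamps of unapproved prompts still inside the window
        for i, ev in enumerate(evs):
            pending = [t for t in pending if ev.ts - t <= BURST_WINDOW]
            if ev.result in UNAPPROVED:
                pending.append(ev.ts)
            elif ev.result == "approved" and len(pending) >= BURST_THRESHOLD:
                follow_up = [
                    later.result for later in evs[i + 1:]
                    if later.result in POST_COMPROMISE_EVENTS
                    and later.ts - ev.ts <= FOLLOW_UP_WINDOW
                ]
                alerts.append(Alert(user, ev.ts, len(pending), ev.ts.hour < 6, follow_up))
                pending = []    # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in find_push_bombing(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log this produces one alert for alice (six unapproved prompts, an approval at 02:21 UTC, and an MFA method removed minutes later) and nothing for bob, whose single daytime approval has no burst in front of it. The post-compromise look-ahead is what turns a "user got annoyed" signal into a "user got taken over" signal, and it is the piece worth feeding into an automated session-revocation response.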