MFA fatigue attacks: how push bombing defeats MFA, and how to stop it
MFA fatigue spams a user with approval prompts until one is accepted. Here is how the attack works, how to detect it, and why number matching and phishing-resistant MFA stop it.
MFA fatigue, also called push bombing, is how attackers beat multi-factor authentication without breaking it. They already have the password. They just wait for the user to approve a prompt.
How the attack works
The attacker has a valid password, usually from a spray or a phishing kit. They sign in repeatedly, each attempt firing a push notification to the user’s authenticator app. The user, annoyed or assuming a glitch, eventually taps Approve. That single approval hands the attacker the session. When the account is a Global Admin, the tenant goes with it. In ATT&CK terms this is T1621, Multi-Factor Authentication Request Generation.
How to detect it
Look in the Entra sign-in logs for bursts of MFA challenges to one user in a short window, especially a run of denials followed by an approval, and prompts coming from unfamiliar locations or IPs while the user is elsewhere. That pattern is the fatigue attack in progress.
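The detection pattern above, as an added example that is not part of the original post: a small Python routine that flags an approval preceded by a burst of denied or timed-out prompts for the same user, and marks whether the approving IP is unfamiliar. The sign-in events, the flat field names and the known-IP baseline are constructed and simplified; real Entra sign-in log entries are not assumed to use this schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events in a simplified schema (assumption: real
# Entra sign-in log entries expose MFA outcome in nested status/mfaDetail fields).
# One admin gets a storm of denied prompts from one IP, then taps Approve.
SAMPLE_EVENTS = [
    {"user": "ga@example.test", "time": "2024-05-01T02:10:05Z", "ip": "203.0.113.9", "mfa": "denied"},
    {"user": "ga@example.test", "time": "2024-05-01T02:10:40Z", "ip": "203.0.113.9", "mfa": "denied"},
    {"user": "ga@example.test", "time": "2024-05-01T02:11:12Z", "ip": "203.0.113.9", "mfa": "timeout"},
    {"user": "ga@example.test", "time": "2024-05-01T02:11:50Z", "ip": "203.0.113.9", "mfa": "denied"},
    {"user": "ga@example.test", "time": "2024-05-01T02:12:30Z", "ip": "203.0.113.9", "mfa": "denied"},
    {"user": "ga@example.test", "time": "2024-05-01T02:13:02Z", "ip": "203.0.113.9", "mfa": "approved"},
    # A normal user: one denial by mistake, then approval from a known IP.
    {"user": "bob@example.test", "time": "2024-05-01T09:00:00Z", "ip": "198.51.100.4", "mfa": "denied"},
    {"user": "bob@example.test", "time": "2024-05-01T09:00:30Z", "ip": "198.51.100.4", "mfa": "approved"},
]
# Constructed baseline of IPs each user normally signs in from.
KNOWN_IPS = {"ga@example.test": {"198.51.100.20"}, "bob@example.test": {"198.51.100.4"}}

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_push_bombing(events, known_ips, window_minutes=10, min_failed=4):
    """Return one finding per approval that was preceded, within window_minutes,
    by at least min_failed denied or timed-out prompts for the same user."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["time"]))
        for i, ev in enumerate(evs):
            if ev["mfa"] != "approved":
                continue
            start = parse_ts(ev["time"]) - timedelta(minutes=window_minutes)
            failed = [p for p in evs[:i]
                      if p["mfa"] in ("denied", "timeout") and parse_ts(p["time"]) >= start]
            if len(failed) >= min_failed:
                findings.append({"user": user, "failed_prompts": len(failed),
                                 "approved_at": ev["time"], "approving_ip": ev["ip"],
                                 # An approval from an IP the user never uses raises severity.
                                 "unfamiliar_ip": ev["ip"] not in known_ips.get(user, set())})
    return findings

if __name__ == "__main__":
    for f in find_push_bombing(SAMPLE_EVENTS, KNOWN_IPS):
        print(f)
```

Tune `window_minutes` and `min_failed` to the tenant's normal prompt rate; the single mistaken denial in the second user's history is below the threshold and is not flagged.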
How to stop it
Number matching in Microsoft Authenticator breaks the simple approve reflex, because the user must type a number shown on the sign-in screen, which the attacker does not control. Better still, move privileged and high-value accounts to phishing-resistant MFA such as FIDO2 security keys or passkeys, which have no push prompt to approve, so there is nothing to bomb. Add Conditional Access to constrain where sign-ins are allowed, and show extra context (app and location) in the prompt so users can recognize a request they did not start.
For leaders
The accounts worth hardening first are the privileged ones. A push-bombed Global Admin is a tenant-level event, so phishing-resistant MFA for admins is not a nice-to-have.
Practice it
We built this scenario in GraphLattice Range so teams see the prompt storm, make the containment call, and roll out the controls that end it.