September 29, 2025

The Rising Threat of MFA Bombing in 2025: Understanding and Defending Against Push‑Notification Fatigue

Introduction

Multi‑factor authentication (MFA) is one of the most effective ways to stop credential‑based attacks. It adds a second or third factor to the login process so that stolen passwords alone cannot be used to break in. Yet attackers continuously adapt, and 2025 has seen a surge in MFA bombing (also known as push fatigue or MFA spamming), where criminals inundate a user’s authenticator with repeated prompts until the victim clicks “approve.” Cyber‑crime analysts note that this attack starts with stolen credentials and then leverages human impatience and confusion to bypass MFA. This article explains how MFA bombing works, why it has become a major threat, and how organizations can defend against it with up‑to‑date best practices.

How MFA Bombing Works

MFA bombing is a social‑engineering tactic that exploits weaknesses in push‑based authentication. Attackers first obtain valid usernames and passwords through phishing emails, credential stuffing, malware or purchased credentials. With those credentials, they log in repeatedly so that the system triggers MFA prompts. Victims begin to receive dozens or even hundreds of notifications via authenticator apps, SMS codes or email. The goal is to wear down the victim’s patience; eventually they may approve a request out of frustration, distraction or confusion. Some campaigns add a social‑engineering twist: the attacker impersonates IT support via phone or chat and claims the bombardment is a routine security test, coercing the user to click “approve”. The MITRE ATT&CK framework labels this tactic “Multi‑Factor Authentication Request Generation” (T1621), illustrating that it is a distinct adversarial technique.

Once a single approval is granted, the attacker gains full access to the target account, often without triggering alerts. This technique was behind high‑profile breaches in 2022, including Uber and Cisco, where attackers combined push bombing with voice phishing to persuade employees to approve rogue logins. In some cases criminals even call victims from spoofed support numbers after sending hundreds of notifications, convincing them to hand over one‑time passwords. By 2025, ransomware crews like Scattered Spider and Muddled Libra have adopted MFA bombing as a standard part of their playbook.

Why MFA Bombing Works

  1. Human psychology and alert fatigue – Push prompts are designed to be quick and non‑intrusive, but repeated interruptions induce fatigue. People under cognitive overload may reflexively click approve or forget whether they initiated a login, especially when notifications arrive at odd hours. Attackers exploit this by spamming requests until the victim’s patience wears thin. Behavioral scientists note that humans treat repeated signals as noise and become desensitized, creating opportunities for social engineers.
  2. Low detection signal – Each MFA request appears legitimate when viewed individually. Security monitoring tools may not flag multiple rapid requests if they come from an expected app, allowing the attack to blend into normal authentication traffic. Without rate‑limiting, a user can be bombarded indefinitely.
  3. Social engineering – Attackers often couple MFA bombing with phone calls or messages impersonating IT support. Victims are told that approving the request will stop the notifications or is needed for system maintenance. Deep‑fake voice clones add realism; by 2025 AI‑powered impersonation scams have surged by 148 %, making it harder for victims to distinguish real from fake. SC Media reports that threat actors also use AI‑generated deepfake audio of executives to trick employees into approving fraudulent actions.
  4. Credential theft and session hijacking – MFA bombing is only possible because attackers already have valid credentials. The 2025 Verizon DBIR notes that 81 % of breaches involve weak or stolen passwords, while over 3.8 billion credentials were leaked in the first half of 2025. Attackers also bypass MFA through session hijacking and token theft by stealing OAuth tokens from an active browser session, sidestepping MFA entirely.

The 2025 Threat Landscape

MFA bombing is not an isolated problem; it is part of a broader identity‑attack landscape that has grown more complex in 2025. Incident response teams report that 79 % of business‑email‑compromise victims investigated in 2024–2025 had MFA enabled, demonstrating that MFA alone cannot stop adversaries. Cyber‑security firms estimate that around 25 % of recent attacks involve fraudulent MFA push notifications. Meanwhile, only about 38 % of Microsoft’s Entra ID accounts had MFA enabled in early 2024, suggesting widespread gaps in deployment. The popularization of passkeys, FIDO2/WebAuthn hardware keys and biometric authentication is slowly improving security, yet many organizations still rely on legacy push‑based MFA, leaving them vulnerable.

Threat actors are also blending MFA bombing with other techniques:

  • Social‑engineering and helpdesk impersonation – Attackers pose as IT support to reset MFA for privileged accounts. Unit 42’s 2025 report describes how “Muddled Libra” bypassed MFA by socially engineering help‑desk staff and escalating to domain‑administrator privileges within 40 minutes.
  • AI voice cloning and deep‑fake vishing – Fraudsters now use AI to replicate voices and faces. Yahoo reports that AI impersonation scams rose by 148 % in 2025; deepfake audio has been used to trick employees into authorizing payments.
  • SIM swapping and SMS interception – Attackers hijack phone numbers so that SMS‑based codes are delivered to the attacker rather than the user.
  • Session hijacking and token theft – Cybercriminals steal session cookies or OAuth tokens from web browsers, bypassing MFA entirely.

Defensive Strategies

Strengthen MFA Configuration

  • Enable number matching and additional context – Replace simple “approve/deny” buttons with a number‑matching challenge. Users must enter the number displayed on the login screen into the authenticator app, ensuring they only approve sessions they initiated. Microsoft enforced number matching in Entra ID in 2023.
  • Limit repeated prompts and lock accounts after multiple attempts – Configure MFA systems to rate‑limit authentication attempts. Fidelis notes that shortening authentication windows and blocking accounts after a set number of failed attempts can prevent attackers from spamming users. About InfoSec recommends allowing only a few push requests before a timeout.
  • Implement geolocation and risk‑based checks – Require additional verification when login attempts originate from unfamiliar locations or devices. Adaptive policies adjust prompts based on risk factors (time of day, IP reputation), reducing unnecessary prompts and cutting down fatigue.
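
The two configuration controls above (number matching and a cap on repeated prompts) can be expressed as a small policy gate that sits between the login service and the push provider. The following Python is an added illustration, not code from this article or from any MFA vendor; the policy values, class name and method names are assumptions for the example. A push is refused once a user has received more than a handful of prompts in a short window, and an approval only counts if the number typed in the authenticator matches the single-use, short-lived number shown on the login screen.

```python
import secrets
import time
from collections import deque

# Hypothetical policy values; tune to the deployment. The intent is the
# "limit repeated prompts" control: a burst of pushes triggers a cooldown
# during which no further pushes are sent, so the user cannot be worn down.
PROMPT_WINDOW_SECONDS = 300    # look-back window for counting pushes
MAX_PROMPTS_PER_WINDOW = 3     # pushes allowed per window before cooldown
COOLDOWN_SECONDS = 900         # how long further pushes are refused
CHALLENGE_TTL_SECONDS = 60     # validity of a number-matching challenge


class PushPolicy:
    """Server-side gate in front of the push provider (illustrative, not a real product API)."""

    def __init__(self):
        self.prompt_times = {}    # user -> deque of push timestamps
        self.cooldown_until = {}  # user -> epoch seconds until pushes resume
        self.challenges = {}      # challenge id -> (user, number, expiry)

    def request_push(self, user, now=None):
        """Return (allowed, reason). Call before sending a push to the user's device."""
        now = time.time() if now is None else now
        if self.cooldown_until.get(user, 0) > now:
            return False, "cooldown"
        q = self.prompt_times.setdefault(user, deque())
        while q and now - q[0] > PROMPT_WINDOW_SECONDS:   # drop pushes outside the window
            q.popleft()
        if len(q) >= MAX_PROMPTS_PER_WINDOW:
            self.cooldown_until[user] = now + COOLDOWN_SECONDS  # lock further prompts
            return False, "rate_limited"
        q.append(now)
        return True, "sent"

    def issue_challenge(self, user, now=None):
        """Number matching: generate the two-digit number shown on the login screen."""
        now = time.time() if now is None else now
        number = secrets.randbelow(100)
        cid = secrets.token_hex(8)
        self.challenges[cid] = (user, number, now + CHALLENGE_TTL_SECONDS)
        return cid, number

    def verify_challenge(self, cid, user, entered, now=None):
        """Approve only if the number typed in the authenticator matches the one shown.
        Challenges are single-use and expire, so a stale or replayed approval fails."""
        now = time.time() if now is None else now
        rec = self.challenges.pop(cid, None)   # pop: a challenge can be answered once
        if rec is None:
            return False
        c_user, number, expiry = rec
        if c_user != user or now > expiry:
            return False
        return secrets.compare_digest(f"{number:02d}", str(entered).strip().zfill(2))


if __name__ == "__main__":
    policy = PushPolicy()
    for _ in range(5):
        print(policy.request_push("alice"))     # fourth and fifth calls are refused
    cid, shown = policy.issue_challenge("alice")
    print(policy.verify_challenge(cid, "alice", shown))   # True: user typed the shown number
```

The cooldown is what turns a bombing run into a visible, self-limiting event: after the cap is hit the attacker's further login attempts generate no prompts at all, and the "rate_limited" outcome is a natural thing to log and alert on.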

Adopt Phishing‑Resistant MFA

  • Use hardware security keys and passkeys (FIDO2/WebAuthn) – Hardware tokens such as YubiKey, Feitian MultiPASS or Titan Security Keys are immune to push‑spamming because there is no “approve” button. Authentication requires a deliberate physical action such as inserting the key and touching it. The private key never leaves the device, thwarting phishing and man‑in‑the‑middle attacks. Netrix Global stresses that hardware keys provide strong protection against MFA bypass attacks. Passkeys (public‑key–based credentials bound to devices) offer a similar passwordless experience.
  • Deploy hardware OTP tokens where FIDO2 is impractical – One‑time‑password (HOTP/TOTP) hardware tokens generate codes offline, eliminating push notifications. While OTPs remain susceptible to real‑time phishing proxies, they are resistant to MFA fatigue and SIM‑swap attacks; they work well for kiosks or frontline staff.

Improve Credential Hygiene

  • Use strong, unique passwords and rotate them regularly – MFA bombing begins with credential theft. Studies show 3.8 billion credentials were leaked in the first half of 2025 and 81 % of breaches involve weak or stolen passwords. Fidelis advises using password managers to generate unique passwords and avoiding shared accounts.
  • Automatically rotate credentials – Xage recommends rotating login credentials to reduce the likelihood that valid credentials are available for sale on the dark web. The Verizon DBIR found that over 1,000 credentials go up for sale every day at an average price of $10.

Educate and Train Users

  • Security awareness training – Teach employees never to approve MFA prompts they did not initiate and to verify any IT support calls. Fidelis emphasizes that user education is one of the most effective defenses. MITRE recommends instructing users to check the origin of login requests and report suspicious prompts.
  • Simulate MFA‑fatigue attacks – Security awareness platforms now include scenarios that simulate rapid MFA prompts and teach “deny and report” behavior. Hoxhunt’s 2025 playbook suggests keeping such simulations brief to avoid morale issues and pairing every simulated failure with an instant micro‑lesson.
  • User‑friendly reporting mechanisms – Make it easy for users to report suspicious MFA prompts or potential phishing attempts. Quick reporting shortens incident response time and reinforces good security habits.

Monitor and Respond

  • Detect abnormal authentication patterns – Implement logging and monitoring to identify multiple MFA requests in a short period, login attempts from unusual locations, or off‑hours activity. Behavioral analytics and AI threat detection can flag anomalous login behavior and session hijacking.
  • Enforce session timeouts and secure cookie attributes – To counter token theft, enforce shorter session lifetimes and set the HttpOnly, Secure and SameSite attributes on session cookies so that scripts cannot read them, they travel only over TLS, and they are not sent on cross‑site requests.
  • Incident response procedures – When a user reports an MFA fatigue attack, instruct them not to approve requests and immediately reset passwords, revoke active sessions and re‑register MFA. Assume the attacker may have moved laterally and conduct a thorough investigation.
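
The first monitoring item above, spotting many MFA requests for one user in a short period, is a simple stateful rule over authentication logs. The Python below is an added example, not detection content from this article or from any SIEM product; the log format, the field names and the thresholds are assumptions, and the sample lines are constructed for the demonstration. It raises one finding when a user crosses the push-count threshold inside the window and a second, higher-severity finding if that user then approves a prompt, which is the moment the incident-response steps above should start.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Hypothetical thresholds: a legitimate user rarely needs more than a couple of
# pushes in ten minutes; a bombing run produces dozens.
BURST_THRESHOLD = 5
BURST_WINDOW_SECONDS = 600

# Constructed sample log (JSON lines, one auth event per line). Alice is bombarded
# from a single address and finally approves; Bob performs one normal login.
SAMPLE_LOG = """\
{"ts":"2025-09-29T02:10:01Z","user":"alice","event":"mfa_push_sent","src_ip":"203.0.113.7"}
{"ts":"2025-09-29T02:10:35Z","user":"alice","event":"mfa_push_denied","src_ip":"203.0.113.7"}
{"ts":"2025-09-29T02:11:02Z","user":"alice","event":"mfa_push_sent","src_ip":"203.0.113.7"}
{"ts":"2025-09-29T02:11:40Z","user":"bob","event":"mfa_push_sent","src_ip":"198.51.100.23"}
{"ts":"2025-09-29T02:11:48Z","user":"bob","event":"mfa_push_approved","src_ip":"198.51.100.23"}
{"ts":"2025-09-29T02:12:05Z","user":"alice","event":"mfa_push_sent","src_ip":"203.0.113.7"}
{"ts":"2025-09-29T02:13:11Z","user":"alice","event":"mfa_push_sent","src_ip":"203.0.113.7"}
{"ts":"2025-09-29T02:14:20Z","user":"alice","event":"mfa_push_sent","src_ip":"203.0.113.7"}
{"ts":"2025-09-29T02:15:30Z","user":"alice","event":"mfa_push_sent","src_ip":"203.0.113.7"}
{"ts":"2025-09-29T02:15:42Z","user":"alice","event":"mfa_push_approved","src_ip":"203.0.113.7"}
"""


def parse_events(text):
    """Yield one dict per non-empty JSON line, with the timestamp parsed as UTC."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield rec


def detect_push_fatigue(text):
    """Return findings for push bursts and for approvals that follow a burst."""
    findings = []
    pushes = defaultdict(deque)   # user -> timestamps of pushes inside the window
    in_burst = set()              # users already flagged, to avoid one alert per push
    for rec in parse_events(text):
        user, event = rec["user"], rec["event"]
        if event == "mfa_push_sent":
            q = pushes[user]
            q.append(rec["ts"])
            while (q[-1] - q[0]).total_seconds() > BURST_WINDOW_SECONDS:
                q.popleft()       # slide the window forward
            if len(q) >= BURST_THRESHOLD and user not in in_burst:
                in_burst.add(user)
                findings.append({"rule": "mfa_push_burst", "severity": "medium", "user": user,
                                 "count": len(q), "src_ip": rec["src_ip"],
                                 "ts": rec["ts"].isoformat()})
        elif event == "mfa_push_approved" and user in in_burst:
            # The dangerous outcome: the user gave in during the bombardment.
            findings.append({"rule": "approval_after_burst", "severity": "high", "user": user,
                             "src_ip": rec["src_ip"], "ts": rec["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(SAMPLE_LOG):
        print(json.dumps(f))
```

In production the same two rules run against the identity provider's sign-in and authentication-method logs; the "approval_after_burst" finding is the trigger for revoking sessions and re-registering MFA, while the "mfa_push_burst" finding alone is the cue to contact the user before they approve anything.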

Pursue Zero‑Trust and Continuous Authentication

Experts emphasize that MFA should be part of a broader identity‑security strategy. Attackers increasingly bypass MFA altogether through session hijacking, AI deep‑fake impersonations and help‑desk attacks. SC Media recommends device‑based authentication, behavioral biometrics and continuous verification beyond the initial login. A zero‑trust approach treats all sessions as untrusted and continuously assesses risk, helping to prevent MFA bypass and reducing reliance on any single control.

Conclusion

MFA bombing illustrates how attackers weaponize human psychology rather than exploit technical flaws. By spamming users with authentication prompts and combining that bombardment with convincing social‑engineering, criminals can bypass MFA despite its proven benefits. The 2025 threat landscape underscores that layered defenses are essential: stolen credentials and session hijacking remain rampant, AI impersonation is surging, and legacy push‑based MFA is vulnerable.

Organizations can stay ahead of these threats by deploying phishing‑resistant MFA (hardware keys and passkeys), limiting and contextualizing push prompts, improving credential hygiene, training users, and monitoring authentication flows for anomalies. Ultimately, combating MFA bombing requires embracing zero‑trust principles and recognizing that security is both a technological and a human challenge. By making MFA smarter and more resilient, defenders can ensure that the added layer of authentication remains a shield rather than a weakness.