MFA Fatigue Attacks Are Bypassing Multi-Factor Authentication at Small Businesses – Here’s What the Data Shows
MFA fatigue attacks have become one of the most effective techniques in an attacker’s playbook – not because the technology failed, but because the employee at the other end of the push notification finally got tired of saying no. Incident data from 2024 and into 2025 shows a consistent pattern: attackers deliberately flood employees with repeated authentication approval requests until one exhausted, distracted, or half-awake person taps “approve.” The control that was supposed to protect your business becomes the door they walk through. If your organization has multi-factor authentication enabled and considers that box checked, this is the article that explains why the box may not mean what you think it does.
What Is an MFA Fatigue Attack?
Multi-factor authentication adds a second verification step beyond a password – typically a push notification sent to a registered mobile device. When the push arrives, the employee confirms they are the one signing in. The assumption built into that design is that a legitimate user will recognize an unexpected approval request as suspicious and deny it.
An MFA fatigue attack – also called push bombing or push notification bombing – exploits the gap between that assumption and human behavior under stress. The attacker already has the victim’s valid username and password, typically harvested through a data breach or phishing. They trigger an authentication session and send a push notification. The employee denies it. The attacker sends another. And another. And another – sometimes dozens over the course of minutes or hours, often in the middle of the night or during a high-stress workday.
At some point the employee approves: by accident, to make the notifications stop, or because they assume IT must be behind it. From that moment the attacker holds an authenticated session with everything that account can reach, carrying all the trust multi-factor authentication was supposed to confer. A common next step is to register the attacker’s own phone or authenticator app as an additional MFA method on the account, so later sign-ins never depend on the victim again. If your incident response checklist does not include reviewing recently added authentication methods, add it.
Why This Works: The Psychology Behind the Technique
The technique is effective precisely because it weaponizes a defense. Employees trained to use multi-factor authentication have internalized one instruction: approve the push when you are logging in. Attackers invert that training by manufacturing a scenario where approving feels like the right response.
Several psychological forces make MFA fatigue attacks work:
- Decision fatigue: After denying five or ten push notifications, the cognitive cost of evaluating each one climbs. Denial starts to feel like the repetitive, effortful choice – approval feels like relief.
- Social engineering as a follow-up: Attackers frequently call or message the target while the push flood is under way, impersonating IT support and instructing the employee to approve the pending request to “resolve an issue.” This was the sequence in the 2022 Uber breach, and it has recurred in incident reports since.
- Misattribution of cause: Employees who have not been specifically trained on this technique often assume the notifications are a technical glitch rather than an attack. Approving seems like the fastest path to making the problem stop.
- Off-hours targeting: Attackers deliberately start these floods at 1 or 2 a.m. in the target’s local time zone. A half-awake person is far less likely to pause and question an unexpected approval request.
None of these failures are the employee’s fault. They are foreseeable outcomes of deploying a control without pairing it with detection, specific training, or a more resistant authentication method.
What 2024 and 2025 Breach Data Actually Shows
Push bombing is no longer novel or emerging – it is a documented, repeatable, and frequently successful attack pattern with a growing body of evidence behind it.
The FBI’s Internet Crime Complaint Center report for 2023 (published in 2024) put reported business email compromise losses above $2.9 billion, second only to investment fraud among the categories it tracks. The report does not isolate MFA fatigue as a line item, but BEC almost always begins with a compromised mailbox, and incident responders regularly find push bombing behind those compromises in environments where multi-factor authentication was nominally in place.
CISA’s fact sheet “Implementing Phishing-Resistant MFA” (October 2022), reinforced in its guidance through 2024, names push bombing as a known bypass of standard push-based authentication and recommends moving high-value accounts to phishing-resistant alternatives such as FIDO2/WebAuthn security keys or PKI-based (certificate) authentication. The same document ranks the options: phishing-resistant methods first, then app-based methods (push with number matching, one-time codes), then push without number matching, with SMS and voice at the bottom.
Microsoft’s 2024 Digital Defense Report stated that its customers face more than 600 million attacks per day, ranging from phishing to ransomware to identity attacks, and described password spraying followed by push bombing as a growing pattern against business accounts. Microsoft’s data also showed attackers automating the push flood, so the volume and speed of notifications now outpace what most employees have been trained to recognize.
Mandiant’s M-Trends 2024 report listed stolen credentials among the top initial access vectors across the incident response engagements it tracked, alongside exploits, phishing, and prior compromises. Its global median dwell time of 10 days is the more telling number: a fraudulent approval typically goes unnoticed for well over a week, which is ample time for the intruder to read mail, set up forwarding rules, register a new MFA method, and stage the next step.
Into 2025, the pattern has continued. Public breach disclosures from the healthcare, professional services, and financial sectors have repeatedly cited push notification manipulation as the initial access vector, even in organizations that believed they had strong authentication controls in place.
Why Small Businesses Are Disproportionately Exposed to MFA Fatigue Attacks
Large enterprises have security operations teams that monitor for impossible travel events, atypical login geographies, and unusual authentication bursts. When an employee in New Jersey starts receiving push notifications at 2 a.m. that appear to originate from an IP address in Eastern Europe, an alert fires and an analyst investigates.
Small businesses running standard Microsoft 365 or Google Workspace configurations typically have none of that detection turned on. Both platforms keep sign-in logs, and Microsoft 365 Business Premium includes the Conditional Access features needed to act on them, but nobody is watching. The push notification is sent. The employee approves it. The login succeeds. The system records an ordinary authenticated sign-in. No alarm sounds.
Several conditions common at smaller organizations compound the exposure:
- Default authentication configurations: Push-to-approve is the default in most platforms – easiest to set up, and the most vulnerable to MFA fatigue attacks. Small IT teams often deploy the default and move on.
- No authentication log review: Even when logs exist, small organizations rarely have the staff or tooling to review them for anomalies in real time.
- Number matching not universal: Number matching, where the sign-in screen shows a number the employee must type into the authenticator app instead of simply tapping approve, blunts blind approval. Microsoft has enforced it for Microsoft Authenticator push notifications in every tenant since May 2023, but the equivalent features elsewhere (Duo’s Verified Push, Okta Verify’s number challenge) are opt-in, and SMS, voice-call, and older third-party MFA approvals have no number to match at all. Entra’s companion settings that show the requesting application and its approximate location in the prompt are controlled separately and are worth verifying.
- High employee trust in IT notifications: In small teams, employees have personal relationships with IT staff and are predisposed to trust that a push notification is legitimate – especially when followed by a phone call from someone who sounds helpful and knowledgeable.
- No specific awareness training: Enterprise employees often receive annual training on social engineering. Many small business employees have never been told what push bombing is, let alone trained to recognize it as an attack.
Documented Examples from Public Disclosures
The Uber breach in September 2022 is the most widely cited public example of an MFA fatigue attack executed at scale. The attacker, who claimed affiliation with the Lapsus$ group, obtained a contractor’s Uber credentials (Uber believes they were bought on a dark web marketplace after the contractor’s personal device was infected with malware), then bombarded the contractor with push notifications, for more than an hour by the attacker’s own account. When the contractor kept denying them, the attacker contacted the contractor on WhatsApp, claimed to be from Uber IT, and instructed them to approve the pending request to “resolve an issue.” They did. From that foothold the attacker reached Uber’s internal network, its Slack workspace, and its HackerOne bug bounty dashboard, among other systems.
Cisco disclosed a similar intrusion in August 2022 (the compromise itself occurred in May). The attacker took over an employee’s personal Google account, harvested Cisco credentials that the browser had synced, then combined voice phishing with a flood of push notifications until the employee accepted one. Cisco Talos described the technique explicitly in its write-up and noted that the attacker made multiple attempts before succeeding.
While large enterprises generate the headlines, the same technique runs against smaller organizations daily – they simply lack the disclosure obligations that force public reporting. Security researchers at Proofpoint documented in 2024 that authentication bypass attacks against Microsoft 365 tenants – the platform most commonly used by small and mid-size businesses – numbered in the hundreds of thousands monthly. The vast majority of those organizations had ten to two hundred fifty employees.
A professional services firm in the mid-Atlantic region (disclosed without naming) reported in a 2024 legal filing that an attacker gained access to its Microsoft 365 environment through exactly this sequence: credential acquisition, push flooding at 3 a.m., and social engineering via a follow-up call. The breach resulted in the exfiltration of client contract data and a subsequent ransomware deployment. The firm had multi-factor authentication enabled. Their insurer initially disputed the claim on the basis that a control was bypassed by the policyholder’s own employee action – a dispute pattern that is becoming more common in cyber insurance cases.
Building a Defense Posture That Holds Against MFA Fatigue Attacks
The answer to MFA fatigue attacks is not disabling multi-factor authentication – that trades a difficult problem for a catastrophic one. The answer is upgrading to authentication methods that are not vulnerable to this technique in the first place, and layering detection around the methods that remain.
Migrate high-value accounts to phishing-resistant authentication. FIDO2/WebAuthn credentials (hardware security keys such as YubiKeys, platform passkeys, and Windows Hello for Business) are not susceptible to push bombing because there is no push to approve: the sign-in completes only on the device that holds the private key, unlocked by a PIN or biometric, and the credential is bound to the site it was registered with, so it cannot be approved over a phone call or replayed through a look-alike login page. CISA explicitly recommends this migration for privileged accounts, and the logic applies equally to any account with access to sensitive data or financial systems. In Microsoft Entra, a Conditional Access authentication strength policy can require a phishing-resistant method for administrator roles, so that a password-plus-push sign-in to those accounts is refused outright.
Turn on number matching (or its equivalent) for every push-based method that remains. If migration to phishing-resistant authentication is not immediate, this is the highest-impact near-term mitigation. Microsoft Authenticator has enforced it for all tenants since May 2023; Duo Verified Push and Okta Verify’s number challenge must be enabled by an administrator, and any MFA method that cannot show a number (SMS, voice approval, many legacy tokens) should be retired. Number matching does not eliminate MFA fatigue attacks: the attacker can still read the number off their own sign-in screen and relay it to the victim by phone. What it removes is the passive win, where a tired employee taps approve without engaging. Every remaining attack needs live social engineering, which is slower, noisier, and exactly what the training below prepares employees to refuse.
Configure risk-based access policies. Identity platforms such as Microsoft Entra ID let administrators act on risk signals before the second factor is ever requested. A Conditional Access policy that blocks high-risk sign-ins, or sign-ins from outside the countries you operate in, stops the attempt before any push is sent, which is the outcome you want: a push that never fires cannot be approved by mistake. A policy that only requires additional verification still sends the push, but it raises the cost of the attack and at minimum produces a logged risk event someone can alert on. Note that sign-in risk conditions in Entra require a P2 license, while location and device conditions are available at P1.
Deploy sign-in anomaly detection and alerting. The sign-in log is the most important data source for catching this attack before it succeeds, or immediately after. Alerting on a run of MFA denials (five denied pushes for one user within ten minutes, for example), on a successful sign-in that follows such a run, on logins from unexpected geographies, or on authentication at unusual hours is not technically complex. In Entra sign-in logs a declined push appears as a failed sign-in whose MFA result detail reads “MFA denied; user declined the authentication,” so the raw signal is already there. It is operationally ignored far more often than it is unavailable. See our overview of cybersecurity services for how this kind of detection integrates into a managed security program.
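The alerting rules just described, as an added example in Python that is not part of this article or any vendor product. It runs over a small constructed set of sign-in events shaped loosely like an Entra ID or Google Workspace sign-in export (timestamp, user, outcome, source country). The field layout, the sample events, the five-in-ten-minutes threshold, and the quiet-hours window are assumptions you would tune to your own environment and export format.

```python
"""Flag push-bombing patterns in sign-in events.

Added example, not from the article or any vendor. Detects, per user:
  push_flood            - threshold or more denied MFA pushes inside the window
  approval_after_flood  - a successful MFA sign-in while such a burst is open
  off_hours_approval    - a successful MFA sign-in inside the quiet-hours window
  new_country_approval  - a successful MFA sign-in from a country the user has
                          never successfully signed in from before
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

FLOOD_THRESHOLD = 5        # denied pushes ...
WINDOW_SECONDS = 10 * 60   # ... within this many seconds (assumed tuning)
QUIET_HOURS = (22, 6)      # start, end hour; assumed, use the user's local zone

# Constructed sample events: (UTC timestamp, user, outcome, source country).
# "sam" denies a night-time burst from an unfamiliar country and then approves;
# "pat" declines one stray prompt and otherwise signs in normally.
SAMPLE_EVENTS = [
    ("2025-03-04T14:02:11Z", "pat@example.com", "mfa_success", "US"),
    ("2025-03-04T07:15:40Z", "sam@example.com", "mfa_success", "US"),
    ("2025-03-04T14:30:02Z", "pat@example.com", "mfa_denied", "US"),
    ("2025-03-04T14:31:10Z", "pat@example.com", "mfa_success", "US"),
    ("2025-03-05T02:03:05Z", "sam@example.com", "mfa_denied", "RO"),
    ("2025-03-05T02:04:12Z", "sam@example.com", "mfa_denied", "RO"),
    ("2025-03-05T02:05:20Z", "sam@example.com", "mfa_denied", "RO"),
    ("2025-03-05T02:06:33Z", "sam@example.com", "mfa_denied", "RO"),
    ("2025-03-05T02:07:41Z", "sam@example.com", "mfa_denied", "RO"),
    ("2025-03-05T02:09:58Z", "sam@example.com", "mfa_success", "RO"),
]


def parse_ts(ts):
    """Parse a Zulu ISO-8601 timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_off_hours(when, quiet=QUIET_HOURS):
    """True if the hour falls in the quiet window; handles windows crossing midnight."""
    start, end = quiet
    hour = when.hour
    return (hour >= start or hour < end) if start > end else (start <= hour < end)


def detect(events, threshold=FLOOD_THRESHOLD, window=WINDOW_SECONDS):
    """Walk events in time order and return a list of alert dicts."""
    alerts = []
    recent_denials = defaultdict(deque)   # user -> denial timestamps still inside the window
    flood_open = set()                    # users whose current burst has already been flagged
    known_countries = defaultdict(set)    # user -> countries of earlier successful sign-ins

    def alert(kind, user, when, detail):
        alerts.append({"kind": kind, "user": user, "at": when.isoformat(), "detail": detail})

    rows = sorted(((parse_ts(t), u, o, c) for t, u, o, c in events), key=lambda r: r[0])
    for when, user, outcome, country in rows:
        q = recent_denials[user]
        while q and (when - q[0]).total_seconds() > window:   # expire old denials
            q.popleft()
        if not q:
            flood_open.discard(user)                            # the burst has drained

        if outcome == "mfa_denied":
            q.append(when)
            if len(q) >= threshold and user not in flood_open:
                flood_open.add(user)
                alert("push_flood", user, when,
                      f"{len(q)} denied pushes within {window // 60} min from {country}")
        elif outcome == "mfa_success":
            if user in flood_open:
                alert("approval_after_flood", user, when,
                      "approval followed a denial burst; treat the session as compromised")
            if is_off_hours(when):
                alert("off_hours_approval", user, when, f"approved at {when:%H:%M} UTC")
            if known_countries[user] and country not in known_countries[user]:
                alert("new_country_approval", user, when,
                      f"{country} not in {sorted(known_countries[user])}")
            known_countries[user].add(country)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['at']}  {a['kind']:<22} {a['user']}  {a['detail']}")
```

On the constructed sample the script raises four alerts, all for sam and none for pat: the push flood itself at the fifth denial, then the approval-after-flood, off-hours, and new-country alerts on the 02:09 approval. The approval-after-flood alert is the one to page on; the other three are corroboration. In production, feed it the denied and successful MFA events from your identity provider’s sign-in export, evaluate quiet hours in each user’s local time zone rather than UTC, and build the country baseline from a longer history than the handful of events shown here.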
Train employees specifically on push bombing. General phishing awareness training does not cover MFA fatigue attacks. Employees need to be told – explicitly, with examples – that receiving push notifications they did not initiate is a sign of an active attack. The correct response: deny every notification and immediately call IT using a phone number they already know, not one provided by whoever is calling them.
Establish a clear “IT will never ask you to approve a push you did not initiate” policy. This is the single most effective behavioral control. Legitimate IT operations do not require employees to approve an authentication push they did not trigger. Codifying and repeating this policy removes the social engineering foothold that makes MFA fatigue attacks so successful.
What to Ask Your IT Firm Right Now
If multi-factor authentication is deployed and you feel protected, the questions below will tell you quickly whether that protection is real or theoretical. Use the list as a push-bombing readiness checklist.
- Are any of our administrator or financial system accounts using push-to-approve authentication rather than a phishing-resistant method?
- Is number matching (or the equivalent verified-push feature) enforced for every push-based method in our Microsoft 365 or Google Workspace tenant, have SMS and voice approvals been retired, and has that been verified in the last ninety days?
- Do we have alerting configured that would notify someone if an employee received more than three or four denied push notifications in a short window?
- Have our employees ever received specific training on push notification bombing – separate from general phishing awareness?
- Do we have risk-based access policies that evaluate login signals before permitting authentication to complete?
- What would happen if an attacker obtained a valid employee password and our employee approved a fraudulent push at 2 a.m.? Walk me through the detection and response sequence.
If the answers are uncertain, incomplete, or uncomfortable, that is the finding. Authentication controls that cannot hold up under those questions are not functioning as a defense – they are functioning as a confidence-building measure that a motivated attacker will dismantle in under an hour.
The uncomfortable truth about MFA fatigue attacks is that they work because organizations treated authentication as a checkbox rather than a system. MFA got enabled, the box got checked, and nobody asked whether the method chosen could withstand an adversary who had already done their homework. The organizations holding the line are the ones that asked the harder questions before the attacker did. If you are ready to move from theoretical to operational protection, our managed IT services team can review your current authentication posture and close the gaps before they become incidents. Book a Free Cybersecurity Strategy Call to start that conversation.
Let’s Talk About Your IT Strategy
If anything in this post raised a question about your own environment, the fastest path to an answer is a 20-minute strategy call. We’ll look at your specific situation and tell you what we’d actually do about it.