MFA Fatigue (Push Bombing)
What is MFA Fatigue (Push Bombing)?
MFA Fatigue (Push Bombing): an attack in which an adversary with a valid password floods the victim with MFA push prompts until the user approves one out of confusion or annoyance.
MFA fatigue, also called push bombing, exploits push-based multi-factor authentication. After obtaining a valid password through phishing or credential stuffing, the attacker repeatedly initiates logins, triggering a stream of mobile push approvals on the victim's phone. Eventually the user taps Approve to make the noise stop, or believes the prompt is legitimate. Notable incidents include the 2022 Uber breach and the 2022 Cisco intrusion, both linked to Lapsus$ and EXOTIC LILY tradecraft. Mitigations include number matching, push verification with context, rate limiting prompts, blocking after repeated denials, and migrating to phishing-resistant FIDO2 or passkeys.
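To make the server-side mitigations concrete, here is an added example (not code from the original page or from any vendor's product) of a minimal push-MFA service that applies three of the controls named above: a sliding-window rate limit on prompts, lockout after repeated denials, and number matching so that a bare Approve tap cannot complete a login. The policy thresholds, usernames and IP addresses are constructed for the demonstration; the scripted scenario shows why a fatigued user who never saw the attacker's login page cannot supply the matching number.

```python
# Added example (not from the original page): a minimal push-MFA server
# model applying three mitigations named in the text: a sliding-window
# rate limit on prompts, account lockout after repeated denials, and number
# matching so a bare "Approve" tap cannot complete a login. All policy values
# and the sample usernames/IPs are constructed for the demonstration.
from collections import defaultdict, deque
from dataclasses import dataclass, field
import secrets

PUSH_WINDOW_SECONDS = 300    # sliding window for counting prompts (assumed policy)
MAX_PUSHES_PER_WINDOW = 3    # prompts allowed per user per window (assumed policy)
MAX_DENIALS = 3              # consecutive denials before lockout (assumed policy)


@dataclass
class UserState:
    pushes: deque = field(default_factory=deque)   # timestamps of recent prompts
    pending: dict = field(default_factory=dict)    # prompt_id -> number shown on login page
    denials: int = 0
    locked: bool = False


class PushMfaServer:
    def __init__(self):
        self.users = defaultdict(UserState)
        self.alerts = []                            # lines a SIEM would ingest

    def request_push(self, user, ts, ip):
        """Called after the password step succeeds. Returns (prompt_id, number)
        when a push is sent, or None when the prompt is suppressed."""
        st = self.users[user]
        if st.locked:
            self.alerts.append(f"t={ts} {user}: login attempt on locked account from {ip}")
            return None
        while st.pushes and ts - st.pushes[0] > PUSH_WINDOW_SECONDS:
            st.pushes.popleft()                     # drop prompts outside the window
        if len(st.pushes) >= MAX_PUSHES_PER_WINDOW:
            self.alerts.append(f"t={ts} {user}: push rate limit hit from {ip}")
            return None
        st.pushes.append(ts)
        prompt_id = secrets.token_hex(4)
        number = secrets.randbelow(100)             # two-digit code shown only on the login page
        st.pending[prompt_id] = number
        return prompt_id, number

    def respond(self, user, prompt_id, approved, typed_number=None):
        """Handle the user's answer from the authenticator app. Returns True only
        for an approval whose typed number matches the one on the login page."""
        st = self.users[user]
        expected = st.pending.pop(prompt_id, None)
        if expected is None:
            return False                            # unknown or already-answered prompt
        if not approved:
            st.denials += 1
            if st.denials >= MAX_DENIALS:
                st.locked = True
                self.alerts.append(f"{user}: locked after {st.denials} consecutive denials")
            return False
        if typed_number != expected:
            self.alerts.append(f"{user}: approval with non-matching number rejected")
            return False
        st.denials = 0                              # a genuine login clears the counter
        return True


def simulate_push_bombing():
    """Scripted scenario: an attacker holding alice's password hammers the login
    page; alice denies twice, ignores one, then gives in to a later prompt.
    bob denies three prompts in a row. Returns the observable outcomes."""
    srv = PushMfaServer()
    attacker_ip, alice_ip = "203.0.113.7", "198.51.100.4"   # constructed addresses
    out = {"prompts": 0, "suppressed": 0}
    for ts in range(0, 50, 10):                     # one login attempt every 10 s
        sent = srv.request_push("alice", ts, attacker_ip)
        if sent is None:
            out["suppressed"] += 1
            continue
        out["prompts"] += 1
        prompt_id, _ = sent
        if ts < 20:
            srv.respond("alice", prompt_id, approved=False)   # alice taps Deny
    # Window has expired; alice gives in and taps Approve, but she never saw the
    # attacker's login page, so her typed number can only be a guess.
    prompt_id, number = srv.request_push("alice", 400, attacker_ip)
    out["fatigued_tap_accepted"] = srv.respond(
        "alice", prompt_id, True, typed_number=(number + 1) % 100)
    # alice logs in herself and reads the number off her own screen.
    prompt_id, number = srv.request_push("alice", 500, alice_ip)
    out["legit_login"] = srv.respond("alice", prompt_id, True, typed_number=number)
    # bob denies every prompt; the third denial locks the account.
    for ts in (0, 10, 20):
        prompt_id, _ = srv.request_push("bob", ts, attacker_ip)
        srv.respond("bob", prompt_id, approved=False)
    out["bob_locked"] = srv.users["bob"].locked
    out["bob_further_push"] = srv.request_push("bob", 30, attacker_ip)
    out["alerts"] = srv.alerts
    return out


if __name__ == "__main__":
    for key, value in simulate_push_bombing().items():
        print(key, "->", value)
```

The alert lines are the detection half of the control: a burst of rate-limit hits or a lockout for one user from a single source address is the signal an identity team would page on, independent of whether the user eventually approved anything.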
● Examples
- Uber 2022: an external contractor approved a push notification after dozens of attempts, granting initial access.
- Cisco 2022: attackers used vishing plus push bombing to bypass MFA on a corporate VPN.
● Frequently asked questions
What is MFA Fatigue (Push Bombing)?
Attack in which an adversary with a valid password floods the victim with MFA push prompts until the user approves one out of confusion or annoyance. It belongs to the Identity & Access category of cybersecurity.
What does MFA Fatigue (Push Bombing) mean?
Attack in which an adversary with a valid password floods the victim with MFA push prompts until the user approves one out of confusion or annoyance.
How does MFA Fatigue (Push Bombing) work?
MFA fatigue, also called push bombing, exploits push-based multi-factor authentication. After obtaining a valid password through phishing or credential stuffing, the attacker repeatedly initiates logins, triggering a stream of mobile push approvals on the victim's phone. Eventually the user taps Approve to make the noise stop, or believes the prompt is legitimate. Notable incidents include the 2022 Uber breach and the 2022 Cisco intrusion, both linked to Lapsus$ and EXOTIC LILY tradecraft. Mitigations include number matching, push verification with context, rate limiting prompts, blocking after repeated denials, and migrating to phishing-resistant FIDO2 or passkeys.
How do you defend against MFA Fatigue (Push Bombing)?
Defences against MFA Fatigue (Push Bombing) combine technical controls (number matching, push prompts that show sign-in context, rate limiting of prompts, lockout after repeated denials, and migration to phishing-resistant FIDO2 or passkeys) with operational practices, as described in the full definition above.
● Related terms
- Multi-Factor Authentication (MFA) [identity-access]: An authentication method that requires two or more independent factors — typically from different categories — before granting access.
- Push Authentication [identity-access]: An MFA method in which the identity provider sends a sign-in request to a trusted mobile app, which the user approves or denies with a tap.
- FIDO2 [identity-access]: An open authentication standard from the FIDO Alliance combining WebAuthn (browser API) and CTAP (authenticator protocol) to enable phishing-resistant, passwordless sign-in.
- Passkey [identity-access]: A phishing-resistant FIDO2/WebAuthn credential — a device-bound or syncable asymmetric key pair that replaces passwords with a cryptographic challenge-response.
- Social Engineering [attacks]: The psychological manipulation of people into performing actions or disclosing confidential information that benefits an attacker.
- Credential Stuffing [attacks]: An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.