MFA Bombing: Understanding Fatigue and Push Flooding Attacks in Modern Cybersecurity

🔥 Real-World Incident: The Uber MFA Fatigue Attack

In September 2022, Uber suffered a high-profile breach that shook the cybersecurity world. The attacker gained internal access not by exploiting a software vulnerability but through a method called MFA bombing, also known as MFA fatigue or push flooding. Holding a contractor's stolen credentials, the attacker repeatedly attempted to log in, spamming the contractor's phone with push authentication requests until, out of annoyance or confusion, the contractor finally hit "Approve" and let the attacker in.

This attack bypassed one of security’s strongest shields: Multi-Factor Authentication. Let’s break down how it happened, why it worked, and how you can stop similar threats in your environment.

🔬 What is MFA Bombing (Fatigue)?

MFA bombing is a social engineering attack in which an attacker who already holds a victim's password triggers an endless stream of MFA approval prompts, usually push notifications but sometimes SMS codes or phone calls. The aim is user exhaustion: the attacker hopes the victim will eventually tap "Approve" out of confusion, frustration or a wish to silence the phone, unwittingly granting access to sensitive systems.

  • 👆 Push Bombing: Flooding an authenticator app with push approval requests.
  • 📞 Voice or SMS Bombing: Spamming the user with authentication phone calls or SMS codes.
  • 😫 Fatigue Attacks: The umbrella term for wearing down the user's vigilance until one crucial prompt is approved.

🧠 Attack Flow: How MFA Bombing Works

Attackers must first obtain a user’s login credentials—typically through phishing, credential stuffing, or a previous breach. With valid credentials, the attacker initiates login attempts at an aggressive rate, triggering a wave of MFA prompts:

  • 🎣 Credential Harvesting: Steal the user's password via phishing, infostealer malware or dark web marketplaces.
  • 📲 Flood Authentication: Every login with the valid password triggers a push prompt; the attacker repeats the login to send a constant stream of them.
  • 🌙 Target Off-Hours: Attack late at night or early in the morning, when users are drowsy and less alert.
  • 😩 Wear Down Victims: Continue until the user succumbs and hits "Approve" just to make the prompts stop.

In Uber's case, the attacker added a social-engineering twist: they messaged the target on WhatsApp, posing as Uber IT support, and told them to approve the prompt as part of a "company system test." Pairing the technical flood with a plausible pretext greatly increases the odds that a prompt gets approved.

🪓 Root Cause: Human Factor Weakness

The technical root cause behind MFA bombing is simple: an MFA system that will send an unlimited number of push prompts, with no rate limit, no number matching and no behavioral analysis, can be spammed at will. Attackers exploit the human habit of clicking through notifications without reading them, especially when the notifications arrive at inconvenient times.

  • 🔁 Unlimited Prompts: Systems with no cap on denied or unanswered MFA prompts are the most exposed.
  • 😰 User Fatigue: People make mistakes when pushed to frustration or confusion.
  • 👾 Lack of User Awareness: Many users still do not know that an MFA prompt should never be approved unless they themselves initiated the login.

💡 Technical Explanation: Why MFA Bombing Succeeds

Push MFA works by sending a notification to a device the user has enrolled. The assumption is that only the legitimate user will recognise the prompt and approve it. In practice these systems often:

  • ⚠️ Lack Context: Users see "Approve sign-in?" but no source IP, geography or application name.
  • 🛑 Don't Limit Attempts: There is no threshold on denied, unanswered or repeated prompts for the same user.
  • 📈 Ignore Behavioral Red Flags: Nothing pauses or alerts when dozens of approvals are requested within minutes.

This design flaw gives adversaries the upper hand, especially when combined with spearphishing tactics. According to Microsoft, more than 20% of social engineering attacks in 2021 leveraged MFA bypass techniques—many using push fatigue.

📊 MFA Bombing: Security Stats & Industry Trends

  • 🔒 30% of organizations now report at least one MFA fatigue attempt each quarter (source: Mandiant, 2023).
  • 📈 50% of successful breaches involving MFA bypass used social engineering and push-bombing (Verizon DBIR, 2023).
  • Night-time Attacks: Most push bombing incidents occur at night, when vigilance is lowest (CrowdStrike Labs).
  • 💼 Targeted Sectors: Attackers prefer tech, finance, and healthcare firms—high-value, with many privileged accounts.

Security experts now list "poor MFA implementation"—especially default-allow, push-only policies—as among today’s riskiest missteps.

🙅‍♂️ Real Attacker Techniques: Beyond Basic Bombing

  • 📬 Spearphishing Follow-Ups: After the push spam, attackers contact the user over WhatsApp, SMS or email, impersonating IT, to "help" them approve the login (as in Uber's breach).
  • 🛡️ Adversary-in-the-Middle Proxying: Reverse-proxy phishing kits (EvilProxy, Modlishka) relay the real login page, capture the password and the session cookie issued after MFA completes, and so bypass OTP and push factors alike.
  • 🕵️‍♂️ SIM-Swapping: For SMS-based 2FA, attackers port the victim's phone number to a SIM they control and receive the codes themselves.
  • 🧩 Chained Attacks: Combine MFA bombing with password spraying, credential stuffing and phishing, raising user stress to maximise the odds of success.

Attackers constantly evolve techniques, emphasizing the need for layered security—not just relying on MFA alone.

🛡️ Prevention Strategies to Defeat MFA Bombing

  • Limit Prompt Requests: Configure the identity provider to cap push prompts. After 3-5 denied or unanswered prompts, suspend push for that account and require a stronger factor or help-desk verification before it is re-enabled.
  • 🧠 User Training: Educate employees to treat EVERY unexpected MFA prompt as a potential attack, to deny it, and to report it. Train regularly on how to report suspicious activity.
  • 🔍 Contextual MFA: Use authenticators that display the source IP, application and approximate location of the sign-in. A prompt from an unfamiliar city is easy to deny.
  • 🔴 Number Matching: Require users to type into the authenticator app a number displayed on the login screen, instead of simply tapping "Approve." The number appears on the attacker's screen, not the victim's phone, so a blind tap can no longer approve a login; the attacker must also talk the victim into entering it.
  • 🚫 Disable Push Where Possible: Prefer phishing-resistant FIDO2/WebAuthn security keys (such as YubiKeys) or passkeys. App-based TOTP codes cannot be bombed either, though they remain vulnerable to the adversary-in-the-middle proxies described above.
  • 🧐 Monitor Authentication Logs: Alert on an unusual number of MFA prompts or approvals for one user, especially off-hours, after a run of denials, or from new locations or devices.
  • 🔒 Zero Trust: Limit what a single approved login can reach, through segmentation, privilege management and continuous verification after authentication.

Combining these tactics drastically lowers your risk of succumbing to an MFA bombing incident.
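As an added example (not code from this page, from Uber or from any MFA vendor), the simulation below puts the flawed push flow described under "Technical Explanation" beside a hardened one that implements the prompt limit and number matching from the list above. The class and function names, the MAX_UNANSWERED and LOCKOUT_SECONDS policy values and the IP addresses are all hypothetical.

```python
"""Push-MFA policy simulation: the 'default-allow' push flow beside a hardened one.

Added example; not Uber's, Codesecure's or any vendor's code. MAX_UNANSWERED and
LOCKOUT_SECONDS are hypothetical policy values; IPs are from the TEST-NET ranges.
"""
import secrets
import time
from dataclasses import dataclass

MAX_UNANSWERED = 3      # hypothetical: unapproved prompts allowed before push is cut off
LOCKOUT_SECONDS = 900   # hypothetical: push stays disabled for 15 minutes after a burst


@dataclass
class Challenge:
    user: str
    number: int        # number-matching value shown only in the browser that started the login
    context: dict      # IP, geo and client shown on the phone alongside the prompt
    created: float
    approved: bool = False


class NaivePushServer:
    """The flawed design: unlimited prompts, no context, a bare Approve button."""

    def __init__(self):
        self.pending = {}

    def request_push(self, user, ip):
        cid = secrets.token_hex(8)
        self.pending[cid] = Challenge(user, 0, {}, time.time())
        return cid                      # the phone just shows "Approve sign-in?"

    def approve(self, cid):
        # Any tap on Approve completes the login, however many prompts preceded it.
        self.pending.pop(cid).approved = True
        return True


class HardenedPushServer:
    """Rate-limited, number-matched, context-bearing push."""

    def __init__(self, clock=time.time):
        self.clock = clock               # injectable for deterministic simulation
        self.pending = {}                # challenge id -> Challenge
        self.history = {}                # user -> every Challenge issued
        self.locked_until = {}           # user -> epoch seconds

    def _unanswered(self, user, now):
        recent = [c for c in self.history.get(user, []) if now - c.created < LOCKOUT_SECONDS]
        return [c for c in recent if not c.approved]

    def request_push(self, user, ip, geo, client):
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            raise PermissionError(f"push MFA locked for {user}; use a phishing-resistant factor")
        if len(self._unanswered(user, now)) >= MAX_UNANSWERED:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            raise PermissionError(f"too many unapproved prompts for {user}; push locked")
        ch = Challenge(user, secrets.randbelow(100), {"ip": ip, "geo": geo, "client": client}, now)
        cid = secrets.token_hex(8)
        self.pending[cid] = ch
        self.history.setdefault(user, []).append(ch)
        return cid, ch.number            # cid + context go to the phone; the number to the browser

    def render_push(self, cid):
        c = self.pending[cid].context
        return (f"Sign-in attempt from {c['ip']} ({c['geo']}) using {c['client']}. "
                "Type the number shown on your login screen, or report this if it is not you.")

    def respond(self, cid, typed_number):
        ch = self.pending.pop(cid)
        if typed_number != ch.number:    # wrong or missing number: the prompt stays unapproved
            return False
        ch.approved = True
        return True


def simulate_bombing(attempts=10):
    """An attacker holding stolen credentials fires `attempts` logins at each server."""
    naive = NaivePushServer()
    naive_ids = [naive.request_push("contractor", "198.51.100.23") for _ in range(attempts)]
    naive_login = naive.approve(naive_ids[-1])        # a worn-down victim taps Approve

    clock = [1_700_000_000.0]
    hard = HardenedPushServer(clock=lambda: clock[0])
    delivered, blocked = [], 0
    for _ in range(attempts):
        clock[0] += 5                                 # one attempt every five seconds
        try:
            delivered.append(hard.request_push("contractor", "198.51.100.23", "Unknown", "curl/8.0"))
        except PermissionError:
            blocked += 1
    cid, _number = delivered[-1]
    hard_login = hard.respond(cid, typed_number=None)  # the victim never saw the number
    return {"naive_pushes": len(naive_ids), "naive_login": naive_login,
            "hardened_pushes": len(delivered), "hardened_blocked": blocked,
            "hardened_login": hard_login}


def legitimate_login():
    """The real user started this login, so the number is on their own screen."""
    hard = HardenedPushServer()
    cid, number = hard.request_push("contractor", "203.0.113.7", "Chennai, IN", "Chrome on Windows")
    return hard.respond(cid, number)


if __name__ == "__main__":
    print(simulate_bombing())   # naive: 10 pushes, login True; hardened: 3 pushes, 7 blocked, login False
    print(legitimate_login())   # True
```

Two things the run makes visible: the hardened server delivers only three prompts before push is suspended for the account, and even the prompt that does arrive cannot be approved by a blind tap, because the number-matching value sits in the attacker's browser. Number matching therefore raises the bar to "talk the victim into typing a number", which is exactly the WhatsApp step the Uber attacker needed; it is a strong mitigation, not a complete one, and the prompt cap and the monitoring are still needed.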

πŸ“ Codesecure MFA Bombing Checklist

  • πŸ›‘️ Review Your MFA Policies: Are you allowing unlimited pushes? If so, set limits and enable MFA challenge features like number matching.
  • πŸ‘¨‍🏫 Conduct Social Engineering Drills: Simulate push fatigue attacks and see how your users respond.
  • πŸ“Š Log Analysis: Audit logs for abnormal access patterns and repeated MFA requests.
  • πŸ“š User Awareness Program: Refresh employees regularly on what to do with unexpected prompts.
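The log-analysis item above and the "Monitor Authentication Logs" strategy earlier come down to the same hunt. As an added example, not a Codesecure tool or any identity provider's query, this script runs four fatigue indicators over constructed sample log lines: a burst of prompts, an approval right after a run of denials or timeouts, an off-hours approval, and an approval from an IP never seen in the user's earlier approvals. The JSON-lines format, the event names, the thresholds and the off-hours window are assumptions to be mapped onto your own IdP's logs.

```python
"""Hunt for MFA-fatigue patterns in authentication logs.

Added example, not a vendor's query or product. The JSON-lines shape below
(ts, user, event, ip) is a constructed, generic format; map your IdP's field
names onto it. Thresholds and the off-hours window are hypothetical tuning
values, and timestamps are assumed to be in the user's local time zone.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BURST_PROMPTS = 5                        # hypothetical: prompts per user per window
UNAPPROVED_BEFORE_APPROVAL = 3           # hypothetical: denials/timeouts preceding an approval
WINDOW = timedelta(minutes=10)
OFF_HOURS = set(range(22, 24)) | set(range(0, 6))   # hypothetical: 22:00-06:00 local

# Constructed sample: one baseline login, one bombing run, one normal user.
SAMPLE_LOG = """\
{"ts": "2022-09-10T09:02:11", "user": "contractor", "event": "mfa.push.sent", "ip": "198.51.100.5"}
{"ts": "2022-09-10T09:02:30", "user": "contractor", "event": "mfa.push.approved", "ip": "198.51.100.5"}
{"ts": "2022-09-15T01:10:03", "user": "contractor", "event": "mfa.push.sent", "ip": "203.0.113.9"}
{"ts": "2022-09-15T01:10:20", "user": "contractor", "event": "mfa.push.denied", "ip": "203.0.113.9"}
{"ts": "2022-09-15T01:10:41", "user": "contractor", "event": "mfa.push.sent", "ip": "203.0.113.9"}
{"ts": "2022-09-15T01:11:02", "user": "contractor", "event": "mfa.push.timeout", "ip": "203.0.113.9"}
{"ts": "2022-09-15T01:11:15", "user": "contractor", "event": "mfa.push.sent", "ip": "203.0.113.9"}
{"ts": "2022-09-15T01:11:40", "user": "contractor", "event": "mfa.push.denied", "ip": "203.0.113.9"}
{"ts": "2022-09-15T01:12:01", "user": "contractor", "event": "mfa.push.sent", "ip": "203.0.113.9"}
{"ts": "2022-09-15T01:12:30", "user": "contractor", "event": "mfa.push.timeout", "ip": "203.0.113.9"}
{"ts": "2022-09-15T01:12:44", "user": "contractor", "event": "mfa.push.sent", "ip": "203.0.113.9"}
{"ts": "2022-09-15T01:13:10", "user": "contractor", "event": "mfa.push.denied", "ip": "203.0.113.9"}
{"ts": "2022-09-15T01:13:25", "user": "contractor", "event": "mfa.push.sent", "ip": "203.0.113.9"}
{"ts": "2022-09-15T01:13:55", "user": "contractor", "event": "mfa.push.timeout", "ip": "203.0.113.9"}
{"ts": "2022-09-15T01:14:10", "user": "contractor", "event": "mfa.push.sent", "ip": "203.0.113.9"}
{"ts": "2022-09-15T01:14:50", "user": "contractor", "event": "mfa.push.approved", "ip": "203.0.113.9"}
{"ts": "2022-09-15T09:00:01", "user": "alice", "event": "mfa.push.sent", "ip": "198.51.100.77"}
{"ts": "2022-09-15T09:00:15", "user": "alice", "event": "mfa.push.approved", "ip": "198.51.100.77"}
"""


def parse(log_text):
    """Parse JSON lines into dicts with real datetimes, oldest first."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def is_off_hours(ts):
    return ts.hour in OFF_HOURS


def detect(events):
    """Return (user, rule, detail) alerts for the four fatigue indicators."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        sent = [e for e in evs if e["event"] == "mfa.push.sent"]
        # Rule 1: a burst of prompts inside the sliding window (the bombing itself)
        for i, first in enumerate(sent):
            run = [s for s in sent[i:] if s["ts"] - first["ts"] <= WINDOW]
            if len(run) >= BURST_PROMPTS:
                alerts.append((user, "push_burst", f"{len(run)} prompts from {first['ts']}"))
                break
        seen_ips = set()
        for e in evs:
            if e["event"] != "mfa.push.approved":
                continue
            # Rule 2: approval right after a run of denials/timeouts (the victim gave in)
            prior = [s for s in evs if s["event"] in ("mfa.push.denied", "mfa.push.timeout")
                     and e["ts"] - WINDOW <= s["ts"] < e["ts"]]
            if len(prior) >= UNAPPROVED_BEFORE_APPROVAL:
                alerts.append((user, "fatigue_approval", f"{len(prior)} unapproved prompts before {e['ts']}"))
            # Rule 3: approval during off-hours
            if is_off_hours(e["ts"]):
                alerts.append((user, "off_hours_approval", str(e["ts"])))
            # Rule 4: approval from an IP never seen in this user's earlier approvals
            if seen_ips and e["ip"] not in seen_ips:
                alerts.append((user, "new_ip_approval", f"{e['ip']} at {e['ts']}"))
            seen_ips.add(e["ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(*alert)
```

On the sample, the contractor trips all four rules and alice trips none. Rule 2 is the one worth paging on: a single approval preceded by several denials or timeouts is the signature of a victim who gave in, and it deserves an immediate session revocation and a call to the user, not a ticket. Rule 4 only fires once a baseline of earlier approvals exists, so seed it from at least a few weeks of history before trusting it.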

🛠️ Codesecure: Protecting You From Modern MFA Threats

At Codesecure, our experts help organizations harden their authentication against the latest social engineering attacks, including MFA bombing and push flooding. We perform penetration testing, simulate real-world attack scenarios, and provide end-to-end MFA security reviews. Don’t let a simple misclick become your next breach headline.

  • 📞 Contact us: +91 7358463582
  • 📧 Email: osint@codesecure.in
  • 🌐 Website: www.codesecure.in

Stay secure, stay vigilant!
