Overview
Multi‑factor authentication (MFA) was designed to be the ultimate safeguard against credential theft — a second lock on the door. But attackers have learned that they don’t need to break that lock; they just need you to open it for them.
If your organization relies on push‑based MFA, this threat is already active in your environment. Known as MFA prompt bombing, it’s a social‑engineering technique that manipulates users into approving fraudulent login requests.

How MFA Prompt Bombing Works
The attack hinges on three simple ingredients:
- Valid credentials — often sourced from breached password dumps.
- Push‑based MFA portals — such as Microsoft 365, Okta, Duo, or VPNs.
- Human fatigue — the psychological pressure that leads users to approve repeated prompts.
Attackers trigger repeated MFA requests, sometimes pairing them with vishing calls in which they pose as IT support. The goal is simple: wear the target down until they approve one. Once a prompt is approved, the attacker holds a valid session, and security tooling rarely flags it because the login completed with the correct password and an approved second factor.
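The pattern just described leaves a visible trace in MFA logs: a burst of denied or timed-out push prompts for one user, followed by an approval. As an added example that is not part of the original article, the following detection heuristic walks constructed push-result log lines (the format, user names and thresholds are assumptions, not from any real product) and raises an alert when an approval is preceded by several rejected prompts within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, user, push result.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z alice push_timeout
2024-05-01T09:00:40Z alice push_denied
2024-05-01T09:01:10Z alice push_timeout
2024-05-01T09:01:55Z alice push_denied
2024-05-01T09:02:30Z alice push_timeout
2024-05-01T09:03:12Z alice push_approved
2024-05-01T09:05:00Z bob push_approved
2024-05-01T14:30:00Z bob push_denied
2024-05-01T14:31:00Z bob push_approved
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window per user
MIN_REJECTIONS = 3               # assumed rejected-push count that signals fatigue

def parse(log_text):
    """Parse 'timestamp user result' lines into sorted (datetime, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    events.sort()
    return events

def find_prompt_bombing(log_text, window=WINDOW, min_rejections=MIN_REJECTIONS):
    """Return alerts as (user, approval_time, rejections_in_window) when an
    approval follows at least `min_rejections` denied/timed-out pushes
    for the same user inside `window`."""
    recent = defaultdict(list)   # user -> timestamps of rejected pushes
    alerts = []
    for ts, user, result in parse(log_text):
        # forget rejections that fall outside the look-back window
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if result in ("push_denied", "push_timeout"):
            recent[user].append(ts)
        elif result == "push_approved":
            n = len(recent[user])
            if n >= min_rejections:
                alerts.append((user, ts, n))
            recent[user].clear()   # a completed login ends the sequence
    return alerts

if __name__ == "__main__":
    for user, ts, n in find_prompt_bombing(SAMPLE_LOG):
        print(f"ALERT {user}: approval at {ts.isoformat()} after {n} rejected pushes")
```

In production the same rule would be fed from the identity provider's push-result events and tuned so that a single stray denial (bob's 14:30 entry above) does not alert while a sustained burst does.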
Real‑World Example: The Cisco Breach
In 2022, Cisco fell victim to this exact tactic. A threat actor linked to the Yanluowang ransomware group compromised an employee’s personal Google account, which synced stored credentials — including a Cisco VPN password.
Repeated MFA prompts failed at first, so the attacker escalated with vishing calls, posing as trusted support staff. Eventually, the employee approved a push notification, granting full VPN access.
From there, the attacker:
- Enrolled their own devices for MFA persistence.
- Escalated privileges to admin level.
- Accessed Citrix servers and domain controllers.
- Exfiltrated roughly 2.8 GB of data before detection.
Even a mature security program like Cisco’s wasn’t immune — proving how effective prompt bombing can be.
Why Push‑Based MFA Falls Short
Push notifications give users minimal context:
- No clear origin of the login attempt.
- No device or location details.
- No indication of whether the user initiated it.
When prompts arrive repeatedly, users assume a system glitch — not an attack. Add a convincing phone call from “IT,” and the deception feels routine.
3 Ways to Prevent MFA Prompt Bombing
1. Adopt phishing‑resistant MFA
Replace push notifications with FIDO2 security keys, hardware tokens, or number‑matching codes. Tools like Specops Secure Access support fatigue‑resistant MFA across Windows logon, RDP, and VPN connections.
2. Block compromised passwords
Prompt bombing only works when attackers already have valid passwords. Continuous Active Directory scanning against breached password databases — using tools such as Specops Password Auditor — helps identify and reset compromised credentials before they’re exploited.
3. Add contextual risk signals
Implement conditional access policies that factor in location, device health, and login time. This ensures suspicious attempts are challenged or blocked before MFA prompts ever reach the user.
MFA Still Matters
Prompt bombing doesn’t mean MFA is broken — it means context matters. When approval requests lack meaningful detail, attackers can manipulate users into granting access.
If push notifications remain your default second factor, it’s time to evolve. Combine phishing‑resistant MFA, password breach monitoring, and risk‑based access controls to strengthen your identity perimeter.
Final Thought
MFA was never meant to rely on trust alone — it was meant to verify it. By modernizing your MFA strategy, you transform it from a reactive control into a resilient defense.