MFA Spamming – One Click Breaches

Multi-factor authentication (MFA) was designed to stop attackers logging in with stolen passwords alone. But attackers have adapted. Instead of stealing the second factor, they pressure users into approving it themselves.

If your organisation relies on push-based MFA, this is already a real risk.

How MFA prompt spamming works

The attack is simple. An attacker needs:

  • Valid login credentials, often bought from leaked password databases
  • A service using push-based MFA, such as Microsoft 365, Okta, Duo or a VPN
  • A target who can be worn down by repeated prompts, or talked into approving one

Attackers repeatedly trigger MFA notifications until the user approves one, either by mistake or frustration. In some cases, they combine this with a phone call pretending to be IT support to make the request seem legitimate.

Once the user approves, the attacker holds an MFA-satisfied session. To most controls it looks like a successful, legitimate sign-in, so it rarely raises an alert unless the run of declined prompts that preceded it is itself being watched.
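The run of declined prompts is the detectable part of the attack. The following is an added example, not code from the page or from any vendor: it scans constructed sign-in events for a user who declined or ignored several MFA challenges in a short window and reports whether an approval from one of the same source addresses followed. The field names, the 500121 mapping mentioned in the comments and the sample data are assumptions for the example.

```python
"""Detect MFA prompt spamming in sign-in telemetry (added example).

Flags the shape of a fatigue attack: a burst of MFA challenges the user
declined or let time out inside a short window, then, in the successful
case, an approval from one of the same source addresses.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_OUTCOMES = {"mfa_denied", "mfa_timeout"}


def parse_ts(ts):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample, not real logs. Field names are simplified; map them to
# your own source. (Assumption to confirm in your tenant: in Microsoft Entra
# sign-in logs the declined/expired prompts appear as error 500121 results.)
_RAW = [
    ("2024-03-01T02:10:05Z", "alice@example.com", "203.0.113.7", "mfa_denied"),
    ("2024-03-01T02:11:40Z", "alice@example.com", "203.0.113.7", "mfa_timeout"),
    ("2024-03-01T02:12:30Z", "alice@example.com", "203.0.113.7", "mfa_denied"),
    ("2024-03-01T02:13:10Z", "alice@example.com", "203.0.113.7", "mfa_denied"),
    ("2024-03-01T02:14:55Z", "alice@example.com", "203.0.113.7", "mfa_timeout"),
    ("2024-03-01T02:16:20Z", "alice@example.com", "203.0.113.7", "mfa_denied"),
    ("2024-03-01T02:17:02Z", "alice@example.com", "203.0.113.7", "success"),
    ("2024-03-01T09:00:01Z", "bob@example.com", "192.0.2.44", "mfa_denied"),
    ("2024-03-01T09:00:40Z", "bob@example.com", "192.0.2.44", "success"),
    ("2024-03-01T22:30:00Z", "carol@example.com", "198.51.100.9", "mfa_denied"),
    ("2024-03-01T22:31:00Z", "carol@example.com", "198.51.100.9", "mfa_denied"),
    ("2024-03-01T22:33:00Z", "carol@example.com", "198.51.100.9", "mfa_timeout"),
    ("2024-03-01T22:35:30Z", "carol@example.com", "198.51.100.9", "mfa_denied"),
    ("2024-03-01T22:37:00Z", "carol@example.com", "198.51.100.9", "mfa_denied"),
]
SAMPLE_EVENTS = [
    {"time": parse_ts(t), "user": u, "ip": ip, "outcome": o} for t, u, ip, o in _RAW
]


def detect_prompt_spam(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user whose failed MFA prompts reach `threshold`
    inside `window`. Each alert records whether an approval from one of the
    burst's source IPs followed within `window` of the last failed prompt."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        failures = [e for e in evs if e["outcome"] in FAILED_OUTCOMES]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits in `window`.
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # Threshold reached: absorb every later failure still in the window.
            while (end + 1 < len(failures)
                   and failures[end + 1]["time"] - failures[start]["time"] <= window):
                end += 1
            burst = failures[start:end + 1]
            last_fail = burst[-1]["time"]
            ips = {f["ip"] for f in burst}
            approval = next(
                (e for e in evs
                 if e["outcome"] == "success"
                 and last_fail <= e["time"] <= last_fail + window
                 and e["ip"] in ips),
                None,
            )
            alerts.append({
                "user": user,
                "failed_prompts": len(burst),
                "first_prompt": burst[0]["time"],
                "last_prompt": last_fail,
                "source_ips": sorted(ips),
                "approved_after_burst": approval is not None,
            })
            break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_spam(SAMPLE_EVENTS):
        verdict = "APPROVED after burst" if alert["approved_after_burst"] else "no approval seen"
        print(f'{alert["user"]}: {alert["failed_prompts"]} failed prompts '
              f'from {alert["source_ips"]}, {verdict}')
```

Run against the sample, alice is flagged with an approval after six failed prompts (a completed fatigue attack), carol is flagged with no approval (the password is still known to the attacker and needs resetting), and bob's single mis-tap is ignored. Tune the threshold and window to your own baseline of accidental declines.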

The Cisco example

The 2022 Cisco breach showed how effective this tactic can be. The attacker first compromised an employee's personal Google account; the employee's Cisco VPN credentials were saved in the browser and synced to that account. The attacker then sent a stream of MFA push prompts and followed up with voice-phishing calls posing as trusted support organisations until the employee accepted one.

That single approval gave the attacker VPN access. They then enrolled their own devices for MFA, escalated to administrative privileges and exfiltrated data (the group behind the attack claimed around 2.8GB) before being removed from the environment.

The incident proved that even organisations with mature security programmes are vulnerable to MFA fatigue attacks.

Why push MFA falls short

Push notifications rely heavily on user judgement. Most prompts give little information about where the request came from or whether it’s genuine.

When notifications appear repeatedly, users may assume there’s a technical issue rather than an attack. Add a convincing phone call from someone posing as support staff and the situation becomes much harder to spot.

How organisations can reduce the risk

IT Security Operations – Use phishing-resistant MFA

Push notifications that only ask "Approve?" are the weakest common MFA method. FIDO2 security keys and passkeys are the phishing-resistant options: the credential is bound to the site's origin, so there is nothing for a user to approve or read out to a caller. Number matching, where the login screen shows a number the user must type into the app, is a cheaper partial fix. It defeats blind prompt spamming, because the attacker has to get the number to the user, but not a fatigue attack that comes with a phone call, since the attacker sees the number on their own login screen and can simply read it out. One-time-code tokens and apps sit in the same category: harder to abuse than plain push, but still a code a user can be talked into sharing.

Strengthened IT Policy – Block compromised passwords

Prompt spamming only works if the attacker already has a valid password. Regularly checking Microsoft Entra ID (formerly Azure AD) accounts, on-premises Active Directory password hashes and any other authentication stores against breached and reused password lists, then forcing resets on matches, removes that starting point. Rejecting known-bad passwords at change time (Entra Password Protection, or the equivalent on other platforms) stops them coming back.
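The breach check can be done without sending passwords or full hashes anywhere. The following is an added example, not code from the page or from any vendor: it follows the k-anonymity scheme of the Have I Been Pwned Pwned Passwords range API (SHA-1 the password, send only the first five hex characters, compare the remaining 35 locally) and also groups accounts that share a password. The HTTP call is replaced by a constructed lookup table so it runs offline, and the accounts and breach count are constructed for the example.

```python
"""Breached and reused password check (added example, not from the page).

Follows the Pwned Passwords range API's k-anonymity scheme: only a 5-character
SHA-1 prefix would leave the host; the suffix comparison happens locally.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# Real responses have the same "SUFFIX:COUNT" shape but hundreds of lines.
# The count for "password" is made up for this example.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "0000A1B2C3D4E5F60718293A4B5C6D7E8F9:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # SHA-1 suffix of "password"
    ]),
}

# Constructed test accounts, not real credentials.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "password"),
    ("bob@example.com", "C0rrect-Horse-Battery-Staple"),
    ("carol@example.com", "C0rrect-Horse-Battery-Staple"),
    ("dave@example.com", "x9!Lq2#vR7pW"),
]


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def lookup_range(prefix):
    """Offline replacement for the range API call; a real client would HTTP GET."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password, fetch_range=lookup_range):
    """How many times the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def find_breached(accounts, fetch_range=lookup_range):
    """Accounts whose password is in the corpus, as (user, count) pairs."""
    hits = []
    for user, password in accounts:
        count = breach_count(password, fetch_range)
        if count:
            hits.append((user, count))
    return hits


def find_reused(accounts):
    """Groups of users sharing one password, compared by hash only."""
    by_hash = defaultdict(list)
    for user, password in accounts:
        by_hash[sha1_hex(password)].append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    for user, count in find_breached(SAMPLE_ACCOUNTS):
        print(f"{user}: password seen {count} times in breaches, force reset")
    for group in find_reused(SAMPLE_ACCOUNTS):
        print(f"same password shared by {', '.join(group)}")
```

This shape suits a check at password-change time, where the plaintext is briefly available. For an existing on-premises directory you do not have plaintexts, so the equivalent audit compares the NT hashes exported from Active Directory against the NTLM edition of the same corpus, offline, and resets the matches.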

IT Admin Access – Add context to logins

Conditional access policies can assess location, device compliance, sign-in risk and time of day before any MFA prompt is sent, and can block the sign-in outright or demand a phishing-resistant method for sensitive roles. This stops many suspicious logins before users are asked to approve anything. Most MFA providers can also lock out or rate-limit a user after repeated declined prompts; enabling that ends the spam and gives the security team an event to act on.

MFA still matters

Prompt spamming isn’t a reason to abandon MFA, but it does expose the weaknesses of push-only authentication.

If push notifications are still your default second factor, it may be time to reconsider. Stronger MFA methods combined with compromised password protection provide a far more resilient defence against account takeover.

Contact CISR to review your authentication and identity management security today.
