MFA Fatigue: The cyber attack that relies on frustration

Most businesses now have Multi-Factor Authentication switched on across Microsoft 365, finance systems and remote access tools. It feels more secure. You enter your password, approve the sign-in on your phone, and carry on knowing there is an extra layer protecting the business. The problem is that cyber attackers have changed tactics.

Instead of trying to break Multi-Factor Authentication, they are learning to work around it by targeting the person holding the phone. This tactic, known as MFA fatigue, is increasingly common across UK organisations of all sizes.

What is MFA fatigue?

MFA fatigue (or ‘prompt bombing’) usually starts when an attacker gets hold of a username and password, often through phishing, password reuse, or credentials exposed in a data breach. With those details, they attempt to log in to the account as normal.

Because Multi-Factor Authentication is enabled, the system sends a push notification to the legitimate user asking them to approve the sign-in. If the request is ignored or rejected, the attacker simply tries again. And then again.

Before long, the user’s phone is lighting up repeatedly with approval requests they did not trigger. The attacker isn’t trying to outsmart encryption or bypass complex controls. They’re relying on frustration and confusion. If enough prompts are sent, there is a real chance someone will tap approve just to make it stop, assuming it is a glitch or a delayed system notification.

At that point the attacker is inside the account.

This is not hypothetical: incidents at high-profile organisations such as Uber and Microsoft have involved variations of this tactic. It works because it exploits normal human behaviour rather than technical weaknesses.

Why it works so well

Multi-Factor Authentication is still one of the most important security controls any business can put in place. The National Cyber Security Centre continues to recommend it as a core defence against account compromise.

The issue is not MFA itself; it’s how simple some implementations can be. Traditional push approvals require only a single tap of Accept or Deny, making it quick and convenient during the working day. That simplicity is what makes them vulnerable to abuse.

When your phone is lighting up with repeated alerts, especially after hours when you’re busy or distracted, it’s easy to hit ‘Accept’ to make it stop. This is exactly what the attacker is hoping for. However, it’s important to stop and think, “Is someone trying to access my account?”

One approved request can open the door to email, files, Teams conversations and connected systems. From there, the damage can escalate quickly, whether that is invoice fraud, data theft or a ransomware incident.

How to recognise an MFA fatigue attack

Once you know what to look for, the signs are usually clear. You might be dealing with an MFA fatigue attempt if you suddenly receive a flurry of approval requests when you’re not opening an app, particularly if you receive several in a short period or at unusual times, such as late at night or at the weekend.

If you are not actively trying to log in, there is no legitimate reason to approve the request. That should always be treated as a red flag.
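The same signs can be picked up from the IT side as well as by the user. The script below is an added example, not code from the article or from any vendor product: it runs over a small constructed sign-in log (the CSV-style format, the user names, the IP addresses and the outcome values are all made up for illustration) and flags any user who receives a burst of unapproved push prompts in a short window, notes whether the burst fell outside working hours, and raises the severity if an approval followed the burst, which is the outcome the attacker is hoping for.

```python
"""Detect MFA prompt-bombing bursts in a sign-in log.

Added example, not from the original article. The log format below is
constructed: one line per MFA push result with timestamp, user, source IP
and outcome. Real sign-in logs (for example Microsoft Entra sign-in logs)
carry similar fields under different names, so the parser would need to
be adapted to the export you actually have.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice receives four pushes she did not trigger late
# on a weekday evening and finally approves one; bob and carol are benign.
SAMPLE_LOG = """\
2024-05-02T23:41:03Z,alice@example.com,203.0.113.7,mfa_denied
2024-05-02T23:41:40Z,alice@example.com,203.0.113.7,mfa_timeout
2024-05-02T23:42:12Z,alice@example.com,203.0.113.7,mfa_denied
2024-05-02T23:43:05Z,alice@example.com,203.0.113.7,mfa_timeout
2024-05-02T23:44:30Z,alice@example.com,203.0.113.7,mfa_approved
2024-05-03T09:02:15Z,bob@example.com,198.51.100.20,mfa_approved
2024-05-03T09:30:00Z,carol@example.com,198.51.100.21,mfa_denied
2024-05-03T09:31:10Z,carol@example.com,198.51.100.21,mfa_approved
"""

# Outcomes that mean a prompt was sent but not approved.
UNAPPROVED = {"mfa_denied", "mfa_timeout"}


def parse_log(text):
    """Parse the constructed log format into sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, outcome = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "outcome": outcome,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def is_out_of_hours(ts, start_hour=8, end_hour=18):
    """Weekend or outside the working-day window counts as unusual timing."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def find_prompt_bombing(events, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per user who had >= threshold unapproved prompts
    within `window`. If an approval follows the burst inside the same
    window, the alert is marked critical: the user may have given in."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        unapproved = [e for e in evs if e["outcome"] in UNAPPROVED]
        for i, first in enumerate(unapproved):
            burst = [e for e in unapproved[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            deadline = first["ts"] + window
            approved_after = any(
                e["outcome"] == "mfa_approved" and burst[-1]["ts"] < e["ts"] <= deadline
                for e in evs
            )
            alerts.append({
                "user": user,
                "source_ips": sorted({e["ip"] for e in burst}),
                "failed_prompts": len(burst),
                "first_seen": burst[0]["ts"],
                "last_seen": burst[-1]["ts"],
                "out_of_hours": any(is_out_of_hours(e["ts"]) for e in burst),
                "approved_after_burst": approved_after,
                "severity": "critical" if approved_after else "high",
            })
            break  # one alert per user is enough to trigger investigation
    return alerts


if __name__ == "__main__":
    for alert in find_prompt_bombing(parse_log(SAMPLE_LOG)):
        print(alert)
```

The thresholds are deliberately simple (three unapproved prompts in ten minutes) so the logic is easy to read; in practice they should be tuned against your own sign-in volume, and a critical alert should lead straight to the response steps described in the next section: contact IT, reset the password and review the session.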

What to do if you get repeated unexpected MFA requests

If unexpected MFA prompts start appearing, the response needs to be calm but immediate.

First, never approve a request you did not trigger yourself. Approval should only follow a login attempt you recognise and expect.

Second, let your IT support provider or internal IT team know straight away. Repeated prompts strongly suggest that your password has been compromised and that someone is actively trying to get in. The sooner this is investigated, the lower the risk of a wider incident.

Third, change the affected password without delay and make sure the new one is strong and unique. If the original password has been used elsewhere, those accounts should also be reviewed.

It is also worth looking at how your Multi-Factor Authentication is configured. Tools such as Microsoft Authenticator now support number matching, where you must enter a number shown on the login screen rather than simply tapping approve. Number matching makes accidental approval far less likely. In higher risk environments, businesses should also consider stronger authentication methods and well-configured conditional access policies to reduce exposure further.
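To make the difference between the two approval styles concrete, here is an added example that models both flows; it is illustrative code, not the article's own and not how Microsoft Authenticator is implemented. The class names, the two-digit code range and the simulation helper are all assumptions made for the demonstration. The point it shows is that with a plain push any tap on Approve completes the sign-in, whereas with number matching the approver has to know the number that only the genuine login screen displays, so a tap made just to silence the phone no longer works.

```python
"""Plain push approval versus number matching.

Added example, not from the article and not vendor code. Both classes are
simplified models used to show why number matching resists prompt bombing.
"""
import secrets


class PushChallenge:
    """Single-tap push: the server only learns 'approved' or 'denied'."""

    def __init__(self):
        self.completed = False

    def respond(self, approved):
        # Any approval completes the sign-in, however it was obtained.
        self.completed = bool(approved)
        return self.completed


class NumberMatchChallenge:
    """Number matching: the login screen shows a number that the app must echo."""

    def __init__(self):
        # Shown only on the login screen of whoever started the sign-in.
        self.displayed = secrets.randbelow(100)
        self.completed = False

    def respond(self, entered):
        # The approver can only supply this by reading the login screen, which
        # a user who did not start the sign-in never sees.
        self.completed = entered == self.displayed
        return self.completed


def blind_approve_success_rate(trials=1000):
    """Simulate a user who approves without looking at a login screen.

    For a plain push every tap succeeds. For number matching the user can only
    guess, so roughly 1 in 100 attempts would succeed; returns both rates."""
    push_hits = sum(PushChallenge().respond(True) for _ in range(trials))
    match_hits = sum(
        NumberMatchChallenge().respond(secrets.randbelow(100)) for _ in range(trials)
    )
    return push_hits / trials, match_hits / trials


if __name__ == "__main__":
    push_rate, match_rate = blind_approve_success_rate()
    print(f"blind approval succeeds: push={push_rate:.2f} number-match={match_rate:.2f}")
```

The number-matching flow still depends on the user, but it turns "tap to make it stop" into a step that cannot be completed without the real login screen, which is why it is the first configuration change worth making.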

The bigger picture

MFA fatigue is a reminder of something important. Cyber security is not just about technology, it’s about behaviour.

Attackers understand how people think, how inconvenience leads to shortcuts, and that repetition creates complacency.

The businesses that maintain strong cyber security don’t just have the best tools; they also have:

  • Clear user education
  • Well-configured security policies
  • Proactive monitoring
  • A culture where reporting suspicious activity is encouraged

At Curveball, we see this firsthand. The difference between a near miss and a major breach is often a single decision.

If your team wouldn’t recognise MFA fatigue instantly, you have a training gap worth closing. If your Microsoft 365 environment has not been reviewed in the last twelve months, this should be reassessed to reduce risk.

If you would like us to review your current MFA configuration, conditional access policies, and wider cyber security posture, we are always happy to have a conversation.

Talk to an expert

Would you like to have a chat about your organisation’s cyber security?