MFA Prompt Bombing: Why Your Second Factor Isn't Saving You

MFA Prompt Bombing: Why Your Second Factor Isn't Saving You

Multi-factor authentication (MFA) was supposed to close a critical gap in identity security. It meant that, even if an attacker possessed the account credentials, they couldn't log in without the second factor. While that logic was sound, attackers have now figured out that they don't need to steal the second factor: they just need the user to hand it over. If your workforce authenticates with push-based MFA, this attack is a live threat to your organization today. Tools like Specops Secure Access are built specifically to close that gap, but before getting into the fix, it's worth understanding how this technique works.

How MFA prompt bombing works

Attackers repeatedly trigger the prompt, attempting to trick the target or wear them down to approve the request. Sometimes, attackers will pair prompt bombing with a vishing call pretending to be from IT, where they will try to socially engineer the target. The danger is that these methods only need to work once. If the prompt is approved, the attacker is logged in as that user. Security systems typically won't be alerted, as the login looks entirely legitimate.

The Cisco breach

The 2022 Cisco breach is a key example of how effective this technique is against even mature security programs. An attacker linked to the Yanluowang ransomware group compromised a Cisco employee's personal Google account, which was syncing browser-stored credentials, including the employee's Cisco VPN password. From there, the attacker pushed MFA prompts to the employee's phone. That initially didn't work, so they began using vishing calls posing as trusted support organizations, speaking in various accents, and eventually convincing the employee to accept a push notification. Once accepted, the attacker had VPN access as the employee. They then enrolled their own devices for MFA to maintain persistence, escalated to administrative privileges, reached Citrix servers and domain controllers, and exfiltrated around 2.8GB of data before being evicted. The fact that prompt bombing worked against a company like Cisco, which is far from having a weak security posture, highlights just how dangerous and effective the attack has become.

NCSOC’s 2026 threat monitoring identified MFA Prompt Bombing (also known as MFA Fatigue) as a growing social engineering technique used to bypass traditional multi-factor authentication controls. Attackers leverage stolen credentials to generate repeated authentication requests, exploiting user frustration or inattentiveness until access is approved. Organizations should strengthen defenses through phishing-resistant MFA, number matching, adaptive authentication controls, continuous security awareness training, and proactive monitoring of anomalous authentication activities to reduce the risk of account compromise.

- National Cyber Security Operations Center (NCSOC)

Why push MFA doesn't eliminate risk

The issue with push-based MFA is that users are asked to approve or deny a login with very little to go on. There's no clear indication of where the request originated, what device is being used, or whether the login attempt was initiated by the user at all. In isolation, that might be manageable. But when prompts start arriving repeatedly, it's easy to assume something's misfiring rather than recognizing it as a potential attack. If that's paired with a well-timed phone call from someone posing as IT support, the situation becomes even harder to assess. At that point, the user isn't acting carelessly, but responding to a scenario designed to feel routine and legitimate, using credentials the attacker already has.

Conclusion

MFA prompt bombing isn't a reason to move away from MFA, but it does highlight where some factors fall short. When approval requests can be triggered repeatedly with no meaningful context, the control becomes easier to influence than intended. If push is still your default second factor, it's worth revisiting that decision. Number matching or phishing-resistant methods strengthen the MFA method itself, while scanning for compromised passwords limits the risk of attackers possessing the first authentication step. If you're looking to evolve your identity security with more robust MFA.

Share This Article

Categories