MFA Prompt Bombing: Why Your Second Factor Isn’t Saving You
MFA prompt bombing floods users with push notifications until they accidentally approve one — and it’s bypassing even mature MFA deployments. Here’s how to close the gap.
What’s new: Attackers are increasingly exploiting push-based multi-factor authentication (MFA) through a technique called prompt bombing — flooding users with repeated approval requests until fatigue causes them to accept one. The technique was used in the high-profile 2022 Cisco breach, where an attacker convinced an employee to approve a push notification, gaining access to sensitive internal systems. As AI accelerates credential stuffing and targeted phishing, prompt bombing is becoming a go-to tactic for bypassing even MFA-hardened environments.
Who’s affected
Any organisation relying on push-based MFA — including Microsoft 365, Okta, Duo, and VPN solutions — is at risk. The attack requires only valid credentials (often obtained via phishing or credential dumps), making it effective even against security-mature environments.
What to do
- Replace push-based MFA with phishing-resistant factors such as FIDO2 hardware security keys or number-matching codes, which cannot be bombed.
- Continuously scan Active Directory for compromised passwords and force resets — removing valid credentials eliminates the precondition for prompt bombing.
- Introduce conditional access policies that evaluate risk signals (location, device posture, login velocity) before sending MFA prompts, blocking suspicious attempts earlier in the chain.
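The "login velocity" signal from the last item, worked through as an added example that is not part of this advisory: the code scans constructed sample push-MFA events for a burst of prompts to a single user and records whether an approval followed the burst, which is the trigger for revoking sessions and resetting the password. The log format, field names, window and threshold are all assumptions; real Microsoft 365, Okta or Duo logs differ in shape, so `parse()` would be adapted to the actual source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "<timestamp> <user> <event> ip=<addr>" format.
# alice receives five prompts in about two minutes and finally approves; bob is normal.
SAMPLE_LOG = """\
2024-03-01T02:10:05Z alice push_sent ip=203.0.113.7
2024-03-01T02:10:20Z alice push_denied ip=203.0.113.7
2024-03-01T02:10:41Z alice push_sent ip=203.0.113.7
2024-03-01T02:11:03Z alice push_sent ip=203.0.113.7
2024-03-01T02:11:30Z alice push_sent ip=203.0.113.7
2024-03-01T02:12:07Z alice push_sent ip=203.0.113.7
2024-03-01T02:12:10Z alice push_approved ip=203.0.113.7
2024-03-01T09:00:00Z bob push_sent ip=198.51.100.5
2024-03-01T09:00:04Z bob push_approved ip=198.51.100.5
"""


def parse(text):
    """Turn log lines into (time, user, event, ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user, event, ip.split("=", 1)[1]))
    return sorted(events)


def find_prompt_bombing(events, window=timedelta(minutes=5), threshold=4):
    """One alert per user whose push prompts inside `window` reach `threshold`.

    The alert carries the prompt count, the source IPs seen, and whether an
    approval landed after the burst began (the 'user gave in' case)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        sent = [t for t, _, e, _ in evs if e == "push_sent"]
        burst_start = None
        for i, t in enumerate(sent):
            # prompts in the trailing window that ends at this prompt
            in_window = [s for s in sent[:i + 1] if t - s <= window]
            if len(in_window) >= threshold:
                burst_start = in_window[0]
                break
        if burst_start is None:
            continue
        prompts = sum(1 for s in sent if burst_start <= s <= burst_start + window)
        approved = any(e == "push_approved" and t >= burst_start for t, _, e, _ in evs)
        alerts.append({"user": user, "prompts": prompts, "burst_start": burst_start,
                       "ips": sorted({ip for _, _, _, ip in evs}),
                       "approved_after_burst": approved})
    return alerts


if __name__ == "__main__":
    for alert in find_prompt_bombing(parse(SAMPLE_LOG)):
        print(alert)
```

Tune `window` and `threshold` to the baseline prompt rate in your own tenant; an approval flagged with `approved_after_burst` is the case to escalate first.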