CASE FILE // PC-2026-04
Status: Open


Filing: 02.07.00
Field: 27 APR 2026
Classification: Public
Status: Open

MFA fatigue: push-bombing as a phishing bypass technique

Average successful MFA-fatigue incident: $1.20M. The Uber September 2022 incident is the canonical reference. Number-matching has materially reduced the attack surface, but legacy push-only MFA deployments remain widely exploited.

Exhibit A

The attack pattern in one paragraph


MFA fatigue (also called push-bombing or MFA-prompt-bombing) is a phishing bypass technique that begins with the attacker already holding a valid username and password for the target. The attacker logs into the identity provider, which triggers a push notification to the victim's authenticator app asking Approve or Deny. The victim denies. The attacker logs in again. Another push. The victim denies again. The attacker logs in fifty more times across an hour, frequently in the middle of the night, until the victim either approves a prompt out of frustration, taps the wrong button on a phone they thought was locked, or assumes the prompts are a system glitch and approves to make them stop. The moment the victim taps Approve, the attacker is inside.

The technique exploits the structural weakness of simple push-style MFA, which presents the user with only two options (Approve or Deny) and provides no contextual information about who is requesting authentication or from where. The victim has no way to distinguish a legitimate prompt from an attacker-driven prompt. The defender response, well-established by mid-2023 and shipped as default in Microsoft Authenticator and most major MFA platforms by 2024, is number-matching: the prompt requires the victim to read a number from the device requesting authentication and enter it on the MFA prompt. The attacker, who is not co-located with the victim, cannot provide the correct number.[CISA MFA guidance 2023 + Microsoft Identity Threat Defense 2024]

Exhibit B

The Uber September 2022 case in full


On 15 September 2022, an attacker affiliated with the Lapsus$ group used credentials purchased on the underground market to begin logging in as an Uber contractor. The contractor was, on the attacker's own timeline, asleep or otherwise away from their phone when the push notifications began. Over the next hour the attacker repeatedly triggered the MFA push prompt. The contractor eventually approved a prompt, plausibly because the prompts were disruptive and the contractor assumed they were a system error rather than an attack.

The attacker, now inside as the contractor, found a PowerShell script on an internal network share containing hardcoded administrative credentials for Thycotic, Uber's privileged-access management platform. From Thycotic the attacker obtained credentials for AWS, GCP, GSuite admin, OneLogin, the Uber bug-bounty platform on HackerOne, and the internal Slack. The attacker then posted a message to a company-wide Slack channel announcing the breach, defaced the HackerOne bug-bounty platform, and posted screenshots of internal AWS and GCP consoles to public Twitter. The disclosure was unusually fast: Uber confirmed the breach publicly within hours of the Slack post.

The Uber case is canonical for two reasons. First, it demonstrated that the entire compromise traced to a single MFA push approval by a tired contractor; no zero-day, no novel malware, no advanced persistent threat. Second, it demonstrated the speed of post-compromise pivot when the initial foothold lands on a workforce identity with broad access. The two-hour timeline from contractor approval to public-Twitter disclosure remains the industry reference for how quickly an MFA-fatigue compromise can cascade. The remediation cost to Uber was not publicly itemised but is reliably estimated at high seven figures including IR engagement, credential reset across the affected services, post-event identity-architecture rework, and customer-trust restoration.[Uber public statement Sep 2022 + Lapsus$ attribution per multiple incident-response vendors]

Exhibit C

Cost-line build-up against the $1.20M figure


Cost line                            Share of $1.20M   Dollar figure   Driver
Post-compromise pivot containment    38%               $456K           Breadth of identity surface accessible
Identity-architecture rework         16%               $192K           Number-matching rollout, push-only deprecation
Incident response + forensics        14%               $168K           Identity-platform log review, lateral-movement reconstruction
Credential-reset cycle (org-wide)    12%               $144K           Universal reset post-compromise standard practice
Notification + monitoring            10%               $120K           Where exfil scope triggered notification thresholds
Legal + class-action exposure         6%               $72K            Lower than wire-fraud variants
Awareness-training overhaul           4%               $48K            Push-bomb-specific user education

The identity-architecture rework line is unusually large for an MFA-fatigue event because the remediation is structural rather than tactical. Most organisations that experience a push-bomb compromise do not stop at credential-reset; they deprecate simple push-MFA across the workforce. The cost of that rework is a one-time spend that lands in the event-cost line.[IBM 2025 + identity-platform vendor remediation cost benchmarks 2023-2025]

Exhibit D

The control stack: number-matching, FIDO2, and just-in-time access


#1 Number-matching MFA across the workforce

Reduces: ~95% of push-bomb attempts
Cost: $0 incremental on most platforms

Forces the user to read a number on the device requesting authentication and type it on the MFA prompt. Default in Microsoft Authenticator since 2023, Okta Verify since 2023, Duo Push since 2023. The single highest-leverage MFA-fatigue defence and effectively zero-cost on platforms where it ships.

#2 FIDO2 hardware keys for privileged roles

Reduces: ~99% of push-bomb success for the role
Cost: $50 per user one-time

Hardware-key authentication eliminates the push-MFA attack surface entirely for the protected role. Use selectively (admins, finance, platform engineers, HR) where the per-user cost is justified by blast-radius reduction.

#3 Just-in-time privileged access

Reduces: ~60% of post-compromise blast radius
Cost: 6-12 months of identity-platform work

Eliminates standing administrative access; admins request elevation via a workflow that triggers a separate, harder authentication and audit step. Reduces the value of any single compromised identity dramatically. The single highest-leverage architectural control.

#4 Conditional-access geo and device anomaly checks

Reduces: ~40% of push-bomb success rate
Cost: Platform-dependent, typically existing-licence

Identity-platform conditional access can block or step up authentication when login attempts come from anomalous geographies or unmanaged devices. Catches the attacker login attempt before it triggers the push.

#5 MFA-fatigue user-awareness training

Reduces: ~25% of approve-out-of-frustration rate
Cost: $2 to $5 per user per year incremental

Teaches users that unexpected MFA prompts mean someone is trying to log in as them. Useful, but lower-leverage than the technical controls because the structural weakness is in push-MFA design rather than user understanding.

#6 Adaptive prompt rate-limiting on the identity provider

Reduces: ~50% of push-bomb attempt rate
Cost: Platform-dependent

Cap the number of MFA prompts a single user can receive in a defined window; subsequent attempts are blocked rather than forwarded. Available in Okta, Duo, and Microsoft Entra; not deployed by default.
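The prompt cap described in #6, combined with the repeated-deny signal that characterises the Exhibit A pattern, as an added Python example (not the case file's code and not any vendor's implementation): a sliding-window gate that forwards at most a fixed number of pushes per user per window and alerts once a user has denied repeatedly. The window, cap and alert thresholds are assumed policy values and the event stream is constructed.

```python
from collections import defaultdict, deque
# Assumed policy values for this example, not figures from the case file.
WINDOW_SECONDS = 600  # sliding window in which prompts and denies are counted
PROMPT_CAP = 3        # pushes forwarded per user per window; the rest are blocked
DENY_ALERT = 2        # user denies in the window that raise a push-bombing alert

class PushGate:
    """Hypothetical hook in front of an IdP push dispatcher: caps prompts per
    user (Exhibit D, #6) and flags the repeated-deny pattern from Exhibit A."""
    def __init__(self, window=WINDOW_SECONDS, cap=PROMPT_CAP, deny_alert=DENY_ALERT):
        self.window, self.cap, self.deny_alert = window, cap, deny_alert
        self.sent = defaultdict(deque)    # user -> timestamps of forwarded pushes
        self.denied = defaultdict(deque)  # user -> timestamps of user denies
        self.alerts = []                  # users flagged for SOC follow-up

    def _trim(self, dq, now):
        while dq and now - dq[0] > self.window:  # drop entries outside the window
            dq.popleft()

    def request_push(self, now, user):  # 'forward' if a push may go out, else 'block'
        self._trim(self.sent[user], now)
        if len(self.sent[user]) >= self.cap:
            return "block"
        self.sent[user].append(now)
        return "forward"

    def record_deny(self, now, user):
        """Repeated denies mean someone else holds the password: alert once."""
        self._trim(self.denied[user], now)
        self.denied[user].append(now)
        if len(self.denied[user]) >= self.deny_alert and user not in self.alerts:
            self.alerts.append(user)

def replay(events, gate=None):
    """Replay (ts, user, kind) events; returns per-user forward/block counts and alerts."""
    gate = gate or PushGate()
    counts = defaultdict(lambda: {"forward": 0, "block": 0})
    for ts, user, kind in events:
        if kind == "login":
            counts[user][gate.request_push(ts, user)] += 1
        elif kind == "deny":
            gate.record_deny(ts, user)
    return dict(counts), gate.alerts

# Constructed sample stream: one normal login by alice, then an attacker logging
# in as the contractor once a minute while the contractor keeps denying.
SAMPLE_EVENTS = [(0, "alice", "login"), (5, "alice", "approve")]
for i in range(5):
    SAMPLE_EVENTS.append((3600 + 60 * i, "contractor", "login"))
    if i < PROMPT_CAP:  # a blocked login never reaches the phone, so no deny follows
        SAMPLE_EVENTS.append((3610 + 60 * i, "contractor", "deny"))
```

Replaying the sample forwards three contractor pushes, blocks the fourth and fifth login before any push is sent, and alerts on the contractor after the second deny, while alice's single login is unaffected.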

Exhibit E

Why the contractor pivot is structurally expensive


Both Uber 2022 and Cisco August 2022 (another canonical MFA-fatigue case) involved compromise of contractor or outsourced-staff identities rather than direct-employee identities. The pattern is not coincidence. Contractor identities tend to have three structural disadvantages that make them attractive push-bomb targets: weaker MFA enforcement (because the contractor's home organisation rather than the customer organisation controls the MFA implementation), broader access scope (because contractors frequently support multiple internal systems and inherit broad role-based access for convenience), and less consistent training (because contractor onboarding is shorter and less awareness-focused than full-employee onboarding).

The implication for enterprise contractor management is that contractor identities should be treated as higher-risk than employee identities for MFA enforcement purposes, not lower-risk. The pragmatic policy is to require number-matching MFA or FIDO2 for any contractor with access to internal systems above a defined sensitivity tier, regardless of the contractor's home-organisation MFA posture. The compliance overhead is real but the alternative (Uber's outcome) is materially worse.[Uber Sep 2022 + Cisco Talos blog post Aug 2022]

Exhibit F

Frequently filed questions


What is MFA fatigue?

A phishing bypass in which the attacker, holding valid credentials, repeatedly triggers MFA push prompts until the victim approves one. Also called push-bombing or MFA prompt-bombing.

What does an MFA-fatigue attack cost?

Average $1.20M per successful incident. Dominated by post-compromise pivot containment and the cost of the structural identity-architecture rework that typically follows.

Does number-matching MFA stop it?

Largely yes. The user must read a number on the device requesting authentication and type it on the MFA prompt. Default in Microsoft Authenticator, Okta Verify, and Duo Push since 2023. Approximately 95% reduction in push-bomb success.

What was the Uber 2022 case?

A Lapsus$-affiliated attacker push-bombed a contractor for over an hour until the contractor approved a prompt; the attacker then reached Thycotic-stored credentials and pivoted to AWS, GCP, GSuite, OneLogin, and the bug-bounty platform within two hours of that initial approval.

Why are contractors hit harder than employees?

Weaker MFA enforcement (contractor's home org controls it), broader access scope (contractors support multiple internal systems), shorter onboarding training. Treat contractors as higher-risk than employees, not lower-risk.

Should we deploy FIDO2 universally to eliminate this?

FIDO2 for privileged roles is high-leverage. Universal FIDO2 deployment is expensive and creates onboarding friction. Number-matching at zero incremental cost solves 95% of the problem; FIDO2 for the remaining 5% of high-risk identities.

What is the relationship to AitM phishing?

AitM is a fuller attack chain that harvests credentials and MFA tokens in real time. MFA fatigue is a post-credential-theft bypass technique. AitM defeats number-matching too; MFA fatigue does not.

Updated 2026-04-27