MFA Fatigue Explained in Plain English
MFA fatigue, also known as a push fatigue attack, is when a criminal bombards a user with multi‑factor authentication (MFA) prompts, typically “Approve sign-in?” notifications, until the user accepts one out of frustration, confusion or by mistake.
That single approval can be enough to give the attacker access to email, files and business systems.
Why Attackers Use MFA Fatigue and Why it Works
MFA is designed to stop someone logging in with a stolen password. MFA fatigue attacks try to bypass that protection by targeting the person, not the technology.
If a user is repeatedly interrupted by prompts, especially outside working hours, they may click “Approve” just to make the notifications stop.
It tends to work best where push MFA is used without extra checks (such as number matching), where sign‑in prompts are common, and where staff aren’t sure what to do when an unexpected MFA request appears. In other words, the attacker is hoping the prompt looks “normal enough” to be accepted.
How an MFA Fatigue Attack Typically Unfolds
- The attacker obtains a username and password (commonly via phishing, password reuse from a breach, or malware).
- They attempt to sign in to the account (for example, Microsoft 365), which triggers an MFA prompt on the user’s phone.
- They repeat the sign‑in attempt over and over, generating a flood of prompts.
- The user eventually taps “Approve” (sometimes thinking they’re fixing a problem or stopping a glitch).
- The attacker gains access and may try to escalate privileges, create mailbox rules, register additional MFA methods, or consent to malicious apps to maintain access.
Why it Matters for SMEs
For many small and medium-sized businesses, a single Microsoft 365 account can be the front door to email, Teams, SharePoint and OneDrive. If an attacker gets in, the fallout can be immediate—financial loss, operational disruption, and reputational damage.
- Business email compromise (BEC): invoice fraud, payment diversion, or supplier impersonation.
- Data exposure: access to sensitive emails, documents and shared files.
- Internal phishing: sending convincing messages from a real account to colleagues and customers.
- Service disruption: account lockouts, lost access, and time spent investigating and recovering.
- Compliance and assurance issues: difficulty meeting requirements such as Cyber Essentials if identity controls are weak.
Warning Signs of MFA Fatigue to Look Out For
- Repeated MFA prompts you did not initiate.
- A prompt arriving at unusual times (overnight, weekends) or while you are not signing in.
- Security alerts about sign‑ins from unfamiliar locations, devices or IP addresses.
- Unexpected password reset emails or messages about new sign‑in activity.
- Colleagues receiving odd emails or Teams messages “from you”.
How to Prevent MFA Fatigue Attacks
Prevention is a mix of better MFA choices, tighter sign‑in controls and clear user guidance. The goal is to reduce “background noise” prompts and make it harder for an attacker to turn one tap into a compromise.
- Enable number matching (or similar) for push notifications so users must confirm a code shown on screen, not just tap approve.
- Use phishing‑resistant MFA for privileged accounts (for example, security keys/passkeys) and keep admin accounts separate from day‑to‑day email accounts.
- Reduce unnecessary prompts by using sensible sign‑in policies (for example, only prompting when risk is higher, such as new device/location).
- Block legacy authentication and review third‑party app access so attackers have fewer routes into the tenant.
- Train staff on the rule: if you did not start a sign‑in, always press Deny and report it.
- Monitor and alert on unusual sign‑in patterns (impossible travel, repeated failures, unfamiliar devices) and investigate quickly.
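As an added illustration of the monitoring point above (example code written for this page, not from the original post or Speedster IT), the script below runs over a constructed sign-in log and flags a user/IP pair that racked up a burst of denied or timed-out push prompts, then reports whether an approval followed the burst. The log layout and result names are assumptions for the example, not the real Microsoft 365 export schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (assumed layout, not a real M365 export):
# timestamp, user, source IP, MFA result. 02:00 is outside working hours,
# which is where push fatigue attempts tend to land.
SAMPLE_LOG = """\
2024-03-02T02:10:05 alice@example.com 203.0.113.9 MFA_DENIED
2024-03-02T02:10:41 alice@example.com 203.0.113.9 MFA_TIMEOUT
2024-03-02T02:11:20 alice@example.com 203.0.113.9 MFA_DENIED
2024-03-02T02:12:03 alice@example.com 203.0.113.9 MFA_TIMEOUT
2024-03-02T02:12:55 alice@example.com 203.0.113.9 MFA_TIMEOUT
2024-03-02T02:13:30 alice@example.com 203.0.113.9 MFA_APPROVED
2024-03-02T09:01:10 bob@example.com 198.51.100.4 MFA_APPROVED
2024-03-02T09:02:00 bob@example.com 198.51.100.4 MFA_TIMEOUT
"""

UNSUCCESSFUL = {"MFA_DENIED", "MFA_TIMEOUT"}

def parse_log(text):
    """Parse the constructed log into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Flag (user, ip) pairs with `threshold` or more unsuccessful MFA prompts
    inside `window`. An approval after the burst is the signal that the user
    finally tapped Approve, so it is reported separately."""
    by_pair = defaultdict(list)
    for ts, user, ip, result in events:
        by_pair[(user, ip)].append((ts, result))
    findings = {}
    for pair, hist in by_pair.items():
        failures = [ts for ts, r in hist if r in UNSUCCESSFUL]
        for i, start in enumerate(failures):
            burst = [t for t in failures[i:] if t - start <= window]
            if len(burst) >= threshold:
                burst_end = burst[-1]
                approved = any(r == "MFA_APPROVED" and ts > burst_end for ts, r in hist)
                findings[pair] = {"prompts": len(burst), "approved_after_burst": approved}
                break
    return findings

if __name__ == "__main__":
    for (user, ip), f in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        verdict = "LIKELY COMPROMISE" if f["approved_after_burst"] else "attempt"
        print(f"{user} from {ip}: {f['prompts']} prompts -> {verdict}")
```

A single denied prompt (bob) is not flagged; the alert fires on the repeated-prompt pattern, and the approval after the burst is what should trigger the password reset and mailbox-rule review described later on this page.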
What to Do if You are Getting Unexpected MFA Prompts
- Do not approve any prompt you didn’t initiate. Tap Deny.
- Report it immediately to your IT support/security contact (treat it like a potential compromise).
- Change your password (ideally from a trusted device) and ensure it is unique and strong.
- Check your account security settings for new sign‑in methods, devices or app consents you don’t recognise.
- Review for attacker behaviour such as new mailbox rules, forwarding, suspicious sent items and unusual logins.
A Simple Staff Rule you can Publish
If you did not just try to sign in, do not approve the MFA prompt. Press Deny and report it straight away. Unexpected MFA prompts are a warning sign that your password may have been captured.
Used well, MFA is still one of the most effective controls for SMEs. The key is to configure it in a way that’s hard to trick (for example, number matching or phishing‑resistant methods), and to make sure your team knows that “Approve” is a security decision, not a nuisance notification.
If you’re not sure whether your MFA setup is vulnerable to push fatigue, start with a quick review:
- turn on number matching (or move key accounts to phishing‑resistant methods),
- check who has admin rights,
- tighten sign‑in rules so prompts only appear when they should.
If you’d like a second pair of eyes, get in touch with us at Speedster IT for an identity and Microsoft 365 security health check: 0204 511 9111.

With over 15 years at Speedster IT, I’ve built a career around helping businesses navigate the evolving world of technology. I publish all the content for the IT Support London Blog and Cyber Security Blog, where I share practical insights on infrastructure upgrades, cybersecurity trends, and smart IT strategies for growing companies.