Multi-factor authentication (MFA) was designed to plug a major hole in identity protection. The idea was simple: even if a hacker obtained login credentials, they still couldn’t get in without the second verification step. While this concept made perfect sense, cybercriminals have since found a clever workaround — they no longer need to steal that second factor; they just trick the user into providing it themselves.
If your team relies on push-based MFA, this type of attack poses a real and immediate risk to your business. Solutions like Specops Secure Access were created specifically to address this vulnerability, but before diving into the remedy, it helps to understand exactly how this method operates.
How MFA prompt bombing works
For this attack to succeed, three components must line up:
- Working account credentials, typically harvested from password leaks circulating on the dark web
- A login flow that uses push-based MFA as its second factor, such as a VPN, Microsoft 365, or an identity provider like Okta or Duo
- An end-user who receives an alert each time the attacker initiates a login attempt
Attackers keep firing off authentication requests, hoping the target will eventually get confused, frustrated, or negligent enough to approve one. In some cases, they combine the flood of prompts with a vishing (voice phishing) call impersonating IT support, applying social engineering pressure. The scary part is that these tactics only need to succeed once.
The moment the victim approves the request, the attacker is signed in as that user. The final, approved login looks like any legitimate sign-in, so tooling that only watches for failed passwords or impossible logins typically raises no alarm. The one signal that does stand out is the burst of denied or unanswered push prompts that precedes the approval, but only if someone is alerting on it.
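The pattern just described is detectable in push-MFA logs if you look for it. The following is an added example, not code from the original article or from Specops: it runs a simple detection over a constructed CSV log (one row per push prompt, with timestamp, user, result and source IP; real identity providers expose equivalent fields under their own names). It raises a "bombing in progress" alert once a threshold of denied or timed-out prompts piles up inside a sliding window, and a higher-severity "likely compromise" alert when an approval follows such a burst. The window, threshold and log format are assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from io import StringIO

# Constructed sample log (not real IdP data): one row per push prompt.
# alice: a burst of unanswered/denied prompts from one source, then an approval
#        from that same source -- the prompt-bombing pattern ending in compromise.
# bob:   a single approved prompt, normal use.
# carol: a burst of unanswered prompts with no approval yet -- attack in progress.
SAMPLE_LOG = """\
timestamp,user,result,source_ip
2024-05-02T02:11:05Z,alice,timeout,203.0.113.7
2024-05-02T02:11:40Z,alice,denied,203.0.113.7
2024-05-02T02:12:15Z,alice,timeout,203.0.113.7
2024-05-02T02:12:50Z,alice,denied,203.0.113.7
2024-05-02T02:18:30Z,alice,approved,203.0.113.7
2024-05-02T08:05:10Z,bob,approved,198.51.100.20
2024-05-02T09:00:00Z,carol,denied,203.0.113.9
2024-05-02T09:00:30Z,carol,timeout,203.0.113.9
2024-05-02T09:01:00Z,carol,timeout,203.0.113.9
2024-05-02T09:01:30Z,carol,denied,203.0.113.9
"""

UNANSWERED = {"denied", "timeout"}


def parse_log(text):
    """Parse the CSV log into dicts with an aware UTC timestamp."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        records.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "user": row["user"],
            "result": row["result"],
            "ip": row["source_ip"],
        })
    return records


def find_prompt_bombing(records, window=timedelta(minutes=10), threshold=3):
    """Return one 'bombing_in_progress' alert per user per window once
    `threshold` unanswered prompts pile up, plus a 'likely_compromise'
    alert for every approval that follows such a burst."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        last_burst_alert = None  # suppress duplicate in-progress alerts
        for i, cur in enumerate(recs):
            # every prompt for this user inside the trailing window
            recent = [e for e in recs[: i + 1] if cur["ts"] - e["ts"] <= window]
            unanswered = [e for e in recent if e["result"] in UNANSWERED]
            if len(unanswered) < threshold:
                continue
            if cur["result"] == "approved":
                severity = "likely_compromise"
            else:
                if last_burst_alert is not None and cur["ts"] - last_burst_alert <= window:
                    continue
                severity = "bombing_in_progress"
                last_burst_alert = cur["ts"]
            alerts.append({
                "user": user,
                "severity": severity,
                "unanswered": len(unanswered),
                "source_ips": sorted({e["ip"] for e in recent}),
                "at": cur["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_prompt_bombing(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log this yields three alerts: an in-progress alert for alice, a likely-compromise alert for alice when the fifth prompt is approved, and an in-progress alert for carol. The approval itself is what most sign-in dashboards show; the count of denials and timeouts in the minutes before it is what makes the case obvious.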
The Cisco breach
The 2022 Cisco breach stands out as a textbook case demonstrating just how effective this method can be, even against well-established security infrastructures. A threat actor tied to the Yanluowang ransomware group breached a Cisco employee’s personal Google account, which had been synchronizing browser-saved credentials — including the employee’s Cisco VPN password.
With the credential in hand, the attacker began bombarding the employee’s phone with MFA prompts. When that didn’t immediately work, they switched tactics: they started making phone calls pretending to represent well-known support teams, using various accents, until the employee finally accepted a push notification.
Once inside, the attacker registered their own device for MFA to maintain persistent access, escalated privileges to administrator level, reached Citrix servers and domain controllers, and ultimately exfiltrated approximately 2.8GB of data before being removed. The fact that MFA prompt bombing succeeded against an organization like Cisco — hardly a company with lax security — underscores just how dangerous and effective this attack has become.
Why push MFA falls short
The core weakness of push-based MFA is that users are asked to approve or reject a login request with almost no useful information. There’s no clear indication of where the request is coming from, which device initiated it, or whether the person being prompted actually started the login. On its own, that might seem manageable. But when prompts start arriving in rapid succession, many users assume it’s a technical glitch rather than recognizing it as an active cyberattack.
Add a perfectly timed phone call from someone pretending to be IT support, and the confusion multiplies. In that situation, the user isn’t necessarily acting recklessly — they’re responding to a scenario engineered to feel routine and trustworthy, using credentials the attacker already possesses.
3 ways organizations can prevent prompt bombing
1. Switch to phishing-resistant and fatigue-resistant MFA methods
Push notifications are the most exploitable form of MFA in common use today, and two different properties matter when replacing them. Number matching, where the login screen shows a code the user must type into the authenticator app, removes the one-tap approval that fatigue attacks depend on, but it can still be phished in real time by a proxy page that relays the code. Phishing-resistant methods such as FIDO2/WebAuthn security keys (YubiKey and similar hardware tokens) bind the credential to the site's origin, so neither a spammed prompt nor a proxied login page can complete the authentication.
Specops Secure Access integrates with over 15 identity providers and offers these fatigue-resistant options for Windows logon, RDP, and VPN connections, enabling organizations to phase out push-only MFA for high-risk access scenarios.
*Screenshot: Specops Secure Access*
2. Stop compromised passwords at the source
MFA prompt bombing can only work when the attacker already holds a valid password. By continuously scanning Active Directory against an up-to-date database of breached passwords and enforcing an immediate reset whenever a match is found, organizations remove the essential ingredient for this attack. Built-in Active Directory password policies enforce length, complexity, and history; they have no view of whether a password, or a trivially modified version of one, has already appeared in a breach. For a no-cost starting point, Specops Password Auditor performs a free, read-only scan of your AD, flagging issues such as compromised credentials and dormant admin accounts.
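To make the breached-password check concrete, here is an added example in Python; it is not Specops' own matching logic and not code from the article. It uses the k-anonymity range-query model popularised by Have I Been Pwned's Pwned Passwords API (client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned suffixes locally), with a constructed in-memory corpus standing in for the remote service. It also generates a few normalised variants (case, trailing digits and symbols, common l33t substitutions) so that "modified" reuse of a breached password is caught, not just exact matches. The corpus, counts and variant rules are assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for a breached-password database: password -> number of
# times it appeared in leaks. Real services hold hundreds of millions of entries.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 9_000_000,
    "Password1": 2_000_000,
    "letmein": 400_000,
    "summer2024": 15_000,
}


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index SHA-1 hashes by their first five hex characters, the way a
    k-anonymity range service does, so a client never sends the full hash."""
    index = defaultdict(dict)
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index[digest[:5]][digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def range_query(prefix):
    """Stand-in for the network call: only the 5-char prefix leaves the client,
    and the server returns every suffix it knows under that prefix."""
    return RANGE_INDEX.get(prefix, {})


def breach_count(password):
    """Number of breach occurrences for an exact password (0 if unseen)."""
    digest = sha1_hex(password)
    return range_query(digest[:5]).get(digest[5:], 0)


# Common substitutions users apply to dodge a history or complexity rule.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "!": "i"})


def variants(password):
    """Normalisations that catch 'modified' reuse of a breached password:
    case changes, appended digits or symbols, and l33t substitutions."""
    out = []

    def add(p):
        if p and p not in out:
            out.append(p)

    add(password)
    add(password.lower())
    no_symbols = re.sub(r"[^\w]+$", "", password)  # strip trailing punctuation
    add(no_symbols)
    add(no_symbols.lower())
    no_digits = re.sub(r"\d+$", "", no_symbols)  # then trailing digits
    add(no_digits)
    add(no_digits.lower())
    for p in list(out):  # de-l33t every variant collected so far
        add(p.translate(LEET))
        add(p.translate(LEET).lower())
    return out


def audit_password(password):
    """Return (compromised, matched_variant, count); the first variant that
    hits the breach index wins, exact match first."""
    for candidate in variants(password):
        count = breach_count(candidate)
        if count:
            return True, candidate, count
    return False, None, 0


if __name__ == "__main__":
    for pw in ["Password1", "P@ssw0rd", "Summer2024!", "Tr0ub4dor&3"]:
        print(pw, audit_password(pw))
```

In this constructed corpus "P@ssw0rd" and "Summer2024!" would both pass a default AD complexity rule, yet both resolve to a breached base word once the substitutions and the appended year are stripped. In a real deployment the range query is an HTTPS call and the reset is enforced by the directory, but the client-side shape stays the same: hash locally, send the prefix, compare locally.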
*Screenshot: Specops Password Auditor*
3. Enrich logins with risk-based signals
Conditional access policies that evaluate factors like geographic location, device health, and login timing can automatically block an attempt or require stronger authentication before a single prompt reaches the user’s phone. This shifts the burden away from relying solely on user judgment and instead adds real-time context that can prevent suspicious logins from ever escalating into full account compromises.
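As an added example of the kind of gate this paragraph describes (my own illustration, not Specops' or any identity provider's policy engine), the following Python class decides, before any push is sent, whether a login attempt gets a push prompt, is forced onto a phishing-resistant factor, or is blocked outright. The policy fields (country allow-list, working hours, a per-user registry of known devices, a compliance flag, and a per-user cap on pushes per time window) and the sample attempts are assumptions. The rate cap is the piece aimed squarely at prompt bombing: after a handful of pushes in a short window, no further prompts reach the phone at all.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Policy:
    """Assumed policy shape; field names are illustrative, not any IdP's schema."""
    allowed_countries: frozenset = frozenset({"SE", "US"})
    work_hours_utc: tuple = (6, 20)  # pushes are only offered inside this window
    max_pushes_per_window: int = 3   # cap on push prompts per user per window
    window: timedelta = timedelta(minutes=15)


class PromptGate:
    """Evaluates login context before a second-factor prompt is issued."""

    def __init__(self, policy, known_devices):
        self.policy = policy
        self.known_devices = known_devices          # user -> set of device ids
        self._pushes = defaultdict(deque)           # user -> times a push was sent

    def evaluate(self, attempt):
        """Return (decision, reasons) where decision is one of
        'push' (send a push), 'step_up' (require FIDO2, no push), 'block'."""
        p = self.policy
        user, ts = attempt["user"], attempt["ts"]

        # Hard blocks first: nothing from outside the allow-list gets a prompt.
        if attempt["country"] not in p.allowed_countries:
            return "block", ["country not in allow-list"]

        # Rate limit on pushes actually sent; this is the anti-bombing control.
        sent = self._pushes[user]
        while sent and ts - sent[0] > p.window:
            sent.popleft()
        if len(sent) >= p.max_pushes_per_window:
            return "block", ["push rate limit reached"]

        # Soft signals: any one of them removes the push option and demands a
        # phishing-resistant factor instead, so the user is never asked to tap.
        reasons = []
        if attempt["device_id"] not in self.known_devices.get(user, ()):
            reasons.append("unregistered device")
        if not attempt["compliant"]:
            reasons.append("device not compliant")
        if not (p.work_hours_utc[0] <= ts.hour < p.work_hours_utc[1]):
            reasons.append("outside working hours")
        if reasons:
            return "step_up", reasons

        sent.append(ts)
        return "push", []


if __name__ == "__main__":
    # Constructed attempts: a normal user, then an attacker holding her password.
    gate = PromptGate(Policy(), {"alice": {"laptop-a1"}})
    t0 = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)
    normal = {"user": "alice", "ts": t0, "country": "SE",
              "device_id": "laptop-a1", "compliant": True}
    print(gate.evaluate(normal))
    attacker = {**normal, "ts": t0.replace(hour=2),
                "device_id": "unknown-9f", "compliant": False}
    print(gate.evaluate(attacker))
```

Note the ordering: the country check and the push rate limit run before any per-device reasoning, so an attacker who has the password still cannot generate a flood of prompts. Someone on a new or non-compliant device is pushed to a security key rather than a tap, which is also the right outcome for the legitimate user on a new laptop.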
MFA remains essential — but not all factors are equal
MFA prompt bombing isn’t an argument against using MFA — it’s a wake-up call about the limitations of weaker authentication factors. When approval requests can be spammed relentlessly with little meaningful context, the control becomes far easier to manipulate than intended.
If push notifications are still your go-to second factor, it’s time to reassess. Number-matching or phishing-resistant authentication methods strengthen the MFA mechanism itself, while proactive scanning for compromised passwords ensures attackers never get a foothold with the first credential. Ready to upgrade your identity security with stronger MFA? Get in touch with Specops.