MFA Bombing - How to Protect Your Users

Introduction / Summary

For a moment, we felt a sense of security, when we implemented Multi-Factor Authentication (MFA) for our critical users, Yet, another form of attack has emerged, known as MFA bombing. This technique targets users who rely on MFA to secure their accounts, exploiting vulnerabilities in the process. In this article, we will delve into the intricacies of MFA bombing, and discuss effective strategies to mitigate this threat and better protect your users.

How Does MFA Bombing Work?

It takes advantage of the excessive MFA prompts faced by users, aiming to overwhelm them and gain unauthorized access to their accounts. This typically begins with social engineering, where attackers trick users into revealing their login credentials or personal information through phishing emails or fake websites. Once armed with the necessary details, the attackers initiate a flood of MFA prompts, bombarding the target user with numerous authentication requests. Through sheer volume and persistence, the attackers hope to exploit the user’s MFA fatigue and coerce them into approving a fraudulent request unknowingly.

Not only does this mean users are under attack, it also likely means some credentials are already compromised.

Real life examples

We still remember APT 29 (Cozy Bear), which compromised the build systems of SolarWinds’ network monitoring software Orion to distribute a backdoor into its 18,000 public and private sector customers.

In March of this year, Lapsus$ hackers leaked 37GB of source code for Bing, Cortana and other projects stolen from Microsoft’s internal Azure DevOps server.

Both attacks bypassed older forms of MFA using MFA bombing.

Another example of a high-profile MFA fatigue attack is the September 2022 Uber breach by Lapsus$.

Attacks on Uber, Microsoft, and Cisco, just to name a few, have all utilized MFA bombing to wear down their targets into submission with waves of MFA prompts, coercing them into approving their requests and allowing them to successfully complete their breach.

How to recognize the Signs of MFA Bombing?

Detecting an ongoing MFA bombing attack is challenging, given the sophistication of modern attackers. However, there are some indicators that can raise suspicion and prompt further investigation. You should look out for sudden bursts of authentication requests, repeated or rapid MFA prompts, or an influx of authentication attempts from suspicious IP addresses or devices.

Monitoring user reports of abnormal authentication experiences can also provide helpful insights.

MFA bombing methods include:

  • Sending a flurry of MFA requests, hoping the target finally accepts one to make the noise stop
  • Sending one or two prompts per day, which often attracts less attention, but can still be successful
  • Calling targets, pretending to be part of the company, and telling the targets they need to send an MFA request as part of a company process

Strategies to Protect Against MFA Bombing

The best technical prevention is a multi-layered defense. Here are a few of the things to consider:

  • If you still rely on usernames and passwords, ensure you have at least a password vault in place or a Privileged Authentication Management (PAM) solution.
  • If there is any suspicion of compromised credentials, force a password reset. Doing a reset will prevent push bombing in the future.
  • Review your MFA configuration to ensure that the access patterns make sense.
  • If you are relying on push authentication too much or to protect data that is too sensitive, consider increasing the frequency of requests for one-time passwords (OTP) using soft or hard tokens. OTP requests will be seen by the attacker in an attack scenario and not ever make it to the user.

Tighten MFA Parameters

To proactively prevent MFA fatigue attacks, the most direct course of action is to optimize the configuration of  MFA authentication processes. Enhance MFA security and oversight by implementing the following:

  • Reduce the window of time between factor authentications
  • Limit the number of unsuccessful access attempts permitted during a timeframe
  • Add geolocation or biometric requirements
  • Increase the number of factors required to grant access
  • Flag excessive numbers of unsuccessful access attempts, or any MFA

Utilize Anomaly Detection and Behavioral Analytics

Deploying advanced security tools that leverage anomaly detection and behavioral analytics can enhance threat detection capabilities. These tools monitor user behavior patterns, identify deviations from normal activity, and trigger immediate alerts for further investigation.

Implement Rate Limiting and CAPTCHA Systems

To combat the high volume of MFA prompts during an attack, organizations can enforce rate limiting mechanisms, restricting the number of authentication requests per unit of time. Additionally, implementing CAPTCHA systems can further safeguard against automated attacks by verifying if the request is coming from a human user not a bot.

Leverage AI-powered Threat Intelligence

Harnessing the power of AI and ML algorithms can aid in identifying patterns and anomalies associated with MFA bombing attacks. AI-driven threat intelligence platforms are capable of continuously analyzing vast amounts of data, proactively detecting potential threats and providing valuable insights to strengthen security defenses.

Consider Risk-Based Authentication

Risk-based authentication (RBA) is a method to send notifications or prompt the consumers to complete an additional step(s) to verify their identities when the authentication request is deemed malicious according to your organization’s security policy.

RBA allows users to log in using a username and password without presenting any additional authentication barrier while providing a security layer whenever a malicious attempt is made to access the system.

Risk-based authentication is a great security mechanism that helps overcome the challenges associated with MFA prompt bombing since it automatically detects the risks and unusual behavior from a particular account and restricts access.

Whenever an authentication request is deemed as a malicious attempt based on the risk factors defined for your application, risk-based authentication triggers one or more of the following actions according to your business requirements:

  • Email Notification – An email is sent to notify the user about the authentication request. If the user finds the authentication request malicious, they can inform the IT to take appropriate actions.
  • SMS Notification – An SMS is sent to the user’s phone number to notify about the authentication request. It gives an advantage as the user checks the SMS more frequently than email, or the consumer might not have access to the email. If the user finds the authentication request malicious, they can inform the IT to take appropriate actions.
  • Blocking User Access – The account is blocked immediately for further login attempts once specific risk criteria have been met. The user needs to contact IT to unblock the access.
  • Security Questions – This forces the user to answer one or more security questions before authenticating the request.

Educate Users on Best Practices

User awareness is paramount in combating MFA bombing and other cybersecurity threats. Organizations should conduct regular training sessions, emphasizing the importance of strong passwords, recognizing phishing attempts, and reporting suspicious activities promptly. By empowering users with knowledge, they become the first line of defense against MFA bombing attacks.

Practical advices for end users

  • Never approve a login attempt that you did not initiate yourself.
  • Always check URLs before entering login details.
  • Use an MFA that requires a code to be entered rather than just a prompt-based MFA request. 
  • Change your password – If you are receiving MFA notifications from an unknown source it is most likely your password(s) have been stolen.


As cybercriminals continue to exploit vulnerabilities in authentication processes, MFA bombing poses a significant risk to organizations and their users. To protect against this evolving threat, it is crucial to consider implementing a multi-layered security strategy that combines adaptive authentication, user education, behavioral analytics, rate limiting, CAPTCHA systems, and even AI-powered threat intelligence. By staying vigilant and proactive, organizations can defend against MFA bombing attacks, ensuring the safety and trust of their users’ accounts and data.

Free Subscription

The most comprehensive Cybersecurity agenda for leading industry executives

Connect and share niched and unique knowledge

Meet our 15-year experience in addressing international cybersecurity challenges

Register for The Conference
25th of May 2023