MFA Prompt Bombing: A Guide for Small Businesses

Publication date: May 31, 2024

Last Published: May 31, 2024

Table of Contents
Read Time : 4 minutes

Virtually all cybersecurity professionals, including us at OSIbeyond, recommend multi-factor authentication (MFA) as one of the most effective cybersecurity practices for increased protection against unauthorized access to sensitive information and systems. 

However, cyber criminals never rest (at least not collectively), and they’ve already come up with an effective method to bypass MFA. The name of this new tactic is MFA prompt bombing (also called MFA push bombing), and, in this article, we’ll tell you everything you need to know about it so that you can effectively protect your business. 

What Is MFA Prompt Bombing and How Does It Work?

MFA prompt bombing is a cybersecurity tactic wherein attackers repeatedly send MFA authentication requests to a target’s device until the overwhelmed user approves one of them, inadvertently granting the attacker access.

This method has become a hallmark of notorious groups such as Lapsus$ and the state-sponsored Russian hacking group Cozy Bear. The former group used the technique to gain access to Cisco’s and Uber’s networks, while the latter group has been relying on it to infiltrate organizations around the world. 

An MFA prompt bombing attack starts when an attacker obtains a victim’s primary login credentials (username and password), either through phishingdata breaches, or other means. Once they have these credentials, the attackers initiate the MFA prompt bombing, which usually goes something like this: 

  1. Using the stolen credentials, the attacker attempts to log into the victim’s account, which triggers an MFA request, most commonly in the form of a push notification or automated phone call.
  2. The attacker keeps sending more and more MFA requests (either manually or automatically), which frustrates the victim. 
  3. Victims, bombarded with incessant prompts or calls, may eventually accept an authentication request to make them stop. This grants the attacker unauthorized access to the account.

Sometimes, attackers combine MFA prompt bombing with spear-phishing. They may pretend to be customer support employees informing the victim that there is an issue with their account and that it requires immediate attention. In this guise, they urge the victim to approve the MFA request or, when it comes to SMS authentication messages, share the code with them to “resolve” the supposed issue or to stop the incessant notifications.

Can MFA Prompt Bombing Attacks Be Stopped? 

The short answer is yes, MFA prompt bombing attacks can be stopped. The longer answer is that stopping them requires a combination of user awareness, more robust MFA authentication methods, and monitoring with automated early response:

  • User awareness: MFA prompt bombing attacks work largely because users are not aware of their existence. When they keep receiving endless authentication requests, it doesn’t occur to many that they might be under attack; they might simply think there is a glitch. Education is key. By informing users about what MFA prompt bombing is and how to respond (namely, not to approve suspicious or unsolicited MFA prompts), organizations can significantly reduce the likelihood of these attacks succeeding.
  • Robust MFA authentication: While technically more secure than SMS codes or phone calls (which are vulnerable to SIM-swapping attacks), simple MFA authentication prompts that can be approved with a single tap on a mobile device leave the most room for security breaches through prompt bombing. Why? Because users may trigger them by mistake when trying to dismiss the notification or doing something completely unrelated on their device. That’s why organizations should implement more interactive MFA methods that require a conscious action, such as entering a code from an authenticator app or inserting and verifying a hardware security key. 
  • Monitoring with automated early response: Last but not least, organizations should look for early signs of MFA prompt bombing and set up an automated early response system that can block additional attempts after a certain number of failed attempts, limit the number of MFA requests allowed within a specific timeframe, or restrict access to specific geographical locations or IP addresses. The system should also alert the IT department so that the incident is investigated further. 

By combining these three defense strategies, organizations can significantly strengthen their security posture against MFA prompt bombing attacks. 


MFA prompt bombing is a growing threat that businesses should be aware of and prepared to counter. The good news is that the right cybersecurity strategies make it possible to effectively neutralize this risk. 

At OSIbeyond, we offer a range of managed IT and cybersecurity services designed to keep your organizations safe, including advanced MFA solutions and comprehensive employee training programs. For more information on how OSIbeyond can help protect you from MFA prompt bombing and other cybersecurity threats, contact us today

Related Posts: