How the Attack Works
Multi-factor authentication was designed to stop attackers who steal passwords. However, a technique known as prompt bombing or push fatigue now targets the human element instead of the technical one. Attackers begin with credentials obtained from data breaches or dark web marketplaces. They then attempt to log into any service that uses push-based MFA, such as a corporate VPN or a cloud productivity platform. Each login attempt sends a push notification to the legitimate user’s device. The attacker triggers these notifications repeatedly, sometimes dozens of times in rapid succession. The goal is to annoy or confuse the user into approving one of the prompts just to stop the alerts.
In more sophisticated versions of this attack, the criminal pairs the notification storm with a phone call. The caller impersonates an IT help desk employee and claims the user must approve a security prompt to fix an account issue. If the user accepts, the attacker gains immediate access to the account. Because the login uses a valid credential and a legitimate second factor approval, security monitoring tools often treat the session as normal user behavior.
Real World Impact
The 2022 breach at Cisco illustrates the danger of this technique. An attacker linked to a ransomware group compromised a Cisco employee’s personal Google account, which had synced browser-stored passwords, including the corporate VPN credential. The attacker then flooded the employee’s phone with MFA push requests. When the employee did not approve them, the attacker switched tactics and called the employee while pretending to be a trusted support organization. After several calls, the employee eventually approved a push notification. The attacker then had full VPN access and enrolled their own device as a new MFA factor to maintain persistent access.
This attack vector remains active and affects any organization using push-based authentication from vendors like Microsoft, Okta, or Duo. Mitigation strategies include switching to number matching or requiring users to enter a code displayed on the login screen rather than simply tapping approve. Security awareness training should also warn users about unsolicited calls claiming to be from IT support.
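The pattern described above, a burst of unanswered pushes followed by a single approval, is detectable even though the final session looks like a valid credential plus a valid second factor. The following detection is an added example, not code from the article or from any MFA vendor: it scans a vendor-neutral push log for approvals preceded by several denied or expired prompts for the same user within a short window. The log format, field names, sample rows and thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample MFA push log, vendor-neutral: (timestamp, user, result, source_ip).
# These are not real Duo, Okta or Microsoft records; the format is an assumption.
SAMPLE_EVENTS = [
    ("2024-03-01T02:10:05", "jdoe", "denied",   "203.0.113.7"),
    ("2024-03-01T02:10:20", "jdoe", "denied",   "203.0.113.7"),
    ("2024-03-01T02:10:41", "jdoe", "expired",  "203.0.113.7"),
    ("2024-03-01T02:11:02", "jdoe", "denied",   "203.0.113.7"),
    ("2024-03-01T02:11:30", "jdoe", "expired",  "203.0.113.7"),
    ("2024-03-01T02:12:11", "jdoe", "denied",   "203.0.113.7"),
    ("2024-03-01T02:19:48", "jdoe", "approved", "203.0.113.7"),   # the "make it stop" tap
    ("2024-03-01T08:30:00", "asmith", "approved", "198.51.100.9"),  # normal single prompt
    ("2024-03-01T08:31:10", "asmith", "denied",   "198.51.100.9"),  # one stray denial, no burst
]


def parse_events(rows):
    """Turn raw rows into dicts with a real datetime, sorted by time."""
    parsed = [
        {"ts": datetime.fromisoformat(ts), "user": user, "result": result, "ip": ip}
        for ts, user, result, ip in rows
    ]
    return sorted(parsed, key=lambda e: e["ts"])


def detect_push_fatigue(rows, window=timedelta(minutes=15), min_unanswered=3):
    """Flag each approval preceded by >= min_unanswered denied/expired pushes
    for the same user inside `window`. Returns one alert dict per suspicious approval."""
    events = parse_events(rows)
    alerts = []
    for i, ev in enumerate(events):
        if ev["result"] != "approved":
            continue
        start = ev["ts"] - window
        # Only earlier events for this user that the user ignored or rejected count.
        prior = [
            p for p in events[:i]
            if p["user"] == ev["user"] and p["ts"] >= start and p["result"] in ("denied", "expired")
        ]
        if len(prior) >= min_unanswered:
            alerts.append({
                "user": ev["user"],
                "approved_at": ev["ts"].isoformat(),
                "unanswered_before": len(prior),
                "source_ips": sorted({p["ip"] for p in prior} | {ev["ip"]}),
            })
    return alerts


if __name__ == "__main__":
    print(detect_push_fatigue(SAMPLE_EVENTS))
```

An alert of this kind is a good trigger to check for a newly enrolled MFA device on the same account, the persistence step seen in the Cisco case.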
Source: The Hacker News

