The phone buzzes at 1:47 in the morning.
You pick it up, half-blind in the dark, and see a notification from the app your employer installed on your phone last spring. It wants you to approve a login. You do not remember trying to log in. You tap Deny and drop the phone back on the nightstand.
It buzzes again at 1:51.
You tap Deny, faster this time, already irritated.
At 1:58 you stare at the ceiling for a while, wondering if something is wrong with the system. At 2:04 you tap Deny and mumble something that would not be printable in a family publication. By 2:17, after seven or eight of these things, your thumb finds the Approve button before your brain has fully processed what it is doing.
They are in now. The door is open, the lights are on, and everything behind it belongs to someone who had your password and enough patience to wait you out.
What you just experienced has a name. Security researchers call it MFA fatigue, or push bombing. It is not a virus. It is not a piece of malicious software. It is not even particularly complicated from a technical standpoint. It is, at its core, an attack on you. On the part of you that gets tired at two in the morning. On the part of you that wants the buzzing to stop. And it works with a consistency that, once you understand the underlying mechanics, is genuinely alarming.
This is the story of how that attack was built, how it spread, and what -- if anything -- can stop it.
The Foundation
Before push bombing made any sense as an attack, something else had to be true first. The people responsible needed to know your password.
In the broader story of digital crime, passwords were failing before most people noticed. Since at least 2017, but with serious acceleration through 2020 and into 2021, a particular kind of malicious software called an infostealer was becoming the dominant method for harvesting login credentials at scale. The names of the most prolific strains -- RedLine, Raccoon, Vidar, LummaC2 -- are not household words, but the scale of what they harvested is nearly impossible to reason about properly. By 2024, security researchers were tracking 3.9 billion compromised credentials originating from infections across 4.3 million devices in a single year. The most active of these programmes, LummaC2, had generated 23.3 million detections globally before law enforcement dismantled it in May 2025.
What infostealers do is straightforward in concept if disturbing in execution. They are typically delivered through cracked software downloads, fake game modifications, malicious documents, and similar lures. Once installed, they immediately and silently vacuum up everything stored in your web browser: saved passwords, active session cookies, stored credit card numbers, and authentication tokens. The whole theft takes under three seconds. The harvested data is packaged and transmitted to a collection server, then sold through dark web marketplaces and Telegram channels. Monthly subscriptions to the malware-as-a-service model ran as low as $50 and rarely exceeded $300. For that price, a buyer received a constant stream of freshly stolen credentials.
What this created, over a period of several years, was an enormous and continuously replenished supply of working usernames and passwords for virtually every kind of online service -- corporate VPNs, cloud platforms, email systems, banking portals. The credentials were sorted, packaged, and distributed in files the criminal community calls combolists. Anyone in the market for access to a particular organisation's systems could, for a modest investment, find themselves holding a valid set of login details.
The problem, from the attacker's perspective, was that a password alone was not always enough anymore.
The Second Lock
Somewhere between 2015 and 2020, a significant number of organisations had begun requiring something beyond a password before letting anyone in. Multi-factor authentication -- MFA -- had been around in various forms since the early 2000s, but its adoption accelerated sharply as credential theft became more visible. The concept is simple and sound: even if someone steals your password, they still cannot log in unless they also possess a second factor. Something you have, as opposed to something you know.
For most organisations, that second factor took the form of a smartphone app. The authentication programmes -- Duo, Microsoft Authenticator, Okta Verify, and a handful of others -- worked like this: when a login attempt was made using your credentials, the app on your phone received a notification from the company's identity management system. That notification appeared on the phone screen as a prompt with two choices: Approve or Deny. The legitimate user, presumably the one actually trying to log in, would see the prompt and tap Approve. The login would complete. The whole process added perhaps six seconds to the sign-in experience.
It was elegant. It was genuinely more secure than a password alone. And it contained, buried inside its own design, a flaw that would take a few years to fully exploit.
The flaw was this: nothing prevented an attacker from triggering that prompt without the user's knowledge or consent.
When a push notification was sent to your phone, it was triggered by a successful first-factor authentication -- meaning someone had correctly entered your username and password at a login page. If an attacker had your credentials, they could log in up to the point where the system said "now verify on your phone," and a notification would be dispatched to your device. If the attacker submitted those credentials again, another notification went out. And again. There was no technical ceiling on how many times this cycle could repeat. Nor did any of it look like a failed login to the identity provider: the password was correct every time, and the only thing that failed, or simply expired, was the second-factor prompt. Many identity provider systems applied no meaningful rate limiting at that stage -- no mechanism existed to detect or block ten, twenty, or a hundred consecutive push prompts against the same account, or to treat a long run of denied prompts as a signal that something was wrong.
This was not a small oversight. This was a structural invitation.
The First Reports
Mandiant, the American cybersecurity firm, published the first significant documentation of this technique being used in a live attack in December 2021. Their researchers observed threat actors executing multiple rapid authentication attempts against targeted accounts, generating a stream of push notifications in quick succession. The goal was not to crack the MFA in any technical sense. The goal was to wear the person down.
Security researchers began paying serious attention. By April 2022, MITRE -- the organisation that maintains the globally accepted catalogue of cyberattack techniques -- had formally classified push bombing as its own entry. They gave it the designation T1621: Multi-Factor Authentication Request Generation. The technique now had a name, a category, and a documented place in the taxonomy of things attackers do.
The timing was not coincidental. Push-based MFA had grown common enough that circumventing it had become commercially worthwhile. The credential supply, fed by years of infostealer proliferation, was abundant. The attack surface -- organisations using push notifications without additional verification controls -- was vast. All that was needed was patience, a handful of scripts, and a willingness to annoy someone until they gave in.
The Mechanics
Here is what the actual attack looks like from start to finish.
Step one is obtaining the credentials. The attacker may purchase combolists through a dark web marketplace, paying a few hundred dollars for access to thousands of validated username-and-password pairs. They may subscribe to a malware-as-a-service infostealer and wait for fresh harvests. They may use a phishing proxy -- a fake login page that silently relays the victim's real credentials to the attacker while displaying a convincing imitation of a legitimate service. Or they may buy access directly from what the industry calls Initial Access Brokers, specialists who obtain corporate access and sell it wholesale to other criminals.
Step two is confirming that those credentials actually work against the target organisation's authentication system. This is done through a process called credential stuffing -- automated scripts that attempt to log in using each username-and-password pair from the purchased list. Tools built specifically for this purpose, most notably a programme called OpenBullet 2 (which the FBI has specifically flagged as widely used in criminal credential stuffing operations), can distribute these attempts across thousands of different internet addresses simultaneously, evading systems designed to block suspicious login volumes from a single source.
Step three is where the push bombing begins. Once valid credentials are confirmed, the attacker uses another script to repeatedly submit those credentials to the target's login portal. Each submission triggers the identity provider to generate a push notification to the victim's enrolled device. The attacker is not trying to guess anything. They are simply knocking, over and over, and waiting for someone to open the door.
These scripts are not sophisticated pieces of software. Often no more than a few dozen lines of code, they automate what a human being with a login form could theoretically do by hand. The attack itself requires no specialised technical knowledge once the credential supply is assembled.
The timing of the campaign matters considerably. Attackers have demonstrated a clear preference for late-night hours, particularly the window between midnight and 5:00 in the morning local time. This is not arbitrary cruelty, though it functions as that. It is rational targeting. A person woken repeatedly from deep sleep is operating at a significant cognitive disadvantage. Their judgement is compromised. Their patience is exhausted. Their thumb is doing things their brain has not fully authorised.
Some attackers run the flood all at once -- fifty or sixty notifications inside a single hour. Others pace them across the course of an entire day, each buzz a small persistent reminder that something wants your attention. Both approaches work. The mechanism that makes them work is the same.
Why Your Brain Fails
It is worth spending some time here, because the psychological side of this attack is as important as the technical side, and considerably more unsettling.
In the late 1990s, psychologist Roy Baumeister and his colleagues introduced a concept they called ego depletion. The research demonstrated that self-regulation -- the cognitive capacity to make deliberate, considered decisions -- is a finite resource. Use it enough and it runs out. Later work by Kathleen Vohs established that making a long sequence of choices, even simple ones, degrades the quality of subsequent decisions regardless of how physically tired a person is. This phenomenon is called decision fatigue, and it shows up in courtrooms (parole decisions become less favourable as judges get tired), in supermarkets (people buy worse food at the end of a shopping trip), and, as it turns out, in authentication apps.
A study published in Nature Scientific Reports in 2022 found that mental fatigue specifically impairs risk-processing and the ability to learn from feedback. People under cognitive load stop carefully evaluating outcomes and start defaulting to whatever action stops the discomfort fastest. In the context of a push notification that will not stop arriving, the action that stops the discomfort is Approve.
There is also the matter of alert fatigue. This is a phenomenon studied extensively in healthcare, where overworked clinical staff began ignoring critical alarm systems because the volume of alerts was simply too high to process consciously. A 2024 SANS survey found that two-thirds of security operations teams could not keep pace with incoming alert volumes, and between 25 and 30 percent of security alerts went entirely uninvestigated. Now apply that to an individual employee receiving their sixth push notification of the morning during a busy workday.
Then there is a figure that Microsoft documented in its own ecosystem: approximately one percent of users will approve an unsolicited MFA push notification on the very first attempt. Before any fatigue. Before any sustained campaign. Before any social pressure whatsoever. One percent sounds small. In an organisation with ten thousand employees, it means one hundred people will open the door before the attacker has even started trying in earnest.
Standard push notification design compounds every one of these vulnerabilities. The prompt on your phone says something like "Someone is trying to sign in -- Approve or Deny?" and nothing else. There is no information about what device made the request, what location it came from, or what application is involved. There is no context to support an informed security decision. The user is asked to evaluate a binary choice with no data. In those conditions, under pressure, late at night, the choice that ends the discomfort reliably wins.
The Phone Call
The most effective variant of this attack pairs the notification flood with a voice call.
The attacker, or someone employed by the attacker, telephones the target while the notifications are in progress. They represent themselves as IT support, help desk staff, or a security team member. The script they use is designed to invert every protective instinct the target might have. They explain that the company's authentication system has experienced an anomaly. They say the target needs to approve the next notification to allow the security team to clear the problem. Some variants of this script suggest that if the target does not approve, a malicious actor might gain access -- precisely inverting the reality of the situation.
This tactic works so reliably that it has become a standard element of the attack playbook for organised criminal groups. A February 2026 intelligence report from the security firm Dataminr documented a successor threat group recruiting women specifically for vishing operations at rates of $500 to $1,000 per call, with pre-written scripts tailored to different corporate environments. The industrialisation of this component -- the fact that it is now a staffed, paid function within criminal organisations -- tells you something about how effectively it converts reluctant targets into cooperative ones.
Researchers have also documented attackers using internal messaging platforms to impersonate IT staff, sending written messages alongside the notification flood and providing fake incident ticket numbers to add an air of legitimacy. The attack surface expanded from the phone screen to the entire communication environment surrounding the target.
The combination of a sustained notification flood and a convincing voice call, particularly when the caller knows enough about the target's company to sound authoritative, has been described by multiple researchers as transforming what might otherwise be a low-probability event into a near-certain compromise.
The Numbers
Microsoft tracked more than 382,000 MFA fatigue attacks across its ecosystem over a twelve-month monitoring period. In August 2022, it counted 40,942 sessions involving multiple failed MFA push attempts in a single month -- a 26 percent increase from the same month the year prior. By mid-2023, the rate had settled at approximately 6,000 attempts per day across its visible infrastructure. These are only the numbers visible to one vendor, monitoring one ecosystem. The true scope is larger.
The 2025 Verizon Data Breach Investigations Report -- which annually compiles breach data from thousands of incidents globally and is considered one of the most authoritative measures of the threat landscape -- named prompt bombing as a top-tier social engineering tactic for the first time. It documented that 22 percent of all breaches in the preceding year began with stolen credentials, and that 88 percent of basic web application attacks involved compromised login information. The same report found that 54 percent of ransomware victims had their corporate credentials appearing in infostealer logs before the attack occurred. That figure ties credential theft to later ransomware deployment. It is a correlation across victims rather than a per-incident trace through push bombing, but it shows where the raw material for this attack comes from.
The technique grew in prevalence in direct proportion to the adoption of push-based MFA. The more organisations deployed it, the larger the pool of potential victims. The more viable the attack became, the more the criminal ecosystem invested in it. It is a perverse economy, and it ran with considerable efficiency for the better part of four years.
The Answer That Almost Worked
By late 2022, the major authentication vendors were under considerable pressure to address the problem. The solution they converged on is called number matching, and it is worth understanding how it works because it represents a meaningful, if incomplete, improvement.
In a standard push notification, the prompt on your phone says "Someone is trying to log in -- Approve or Deny?" and nothing else. Number matching adds one critical element: the login screen, visible only to whoever is sitting at the computer where the login is being attempted, displays a short numerical code, typically two to three digits. The authentication app requires the user to enter that code before the approval is processed.
This defeats the bombing attack cleanly. The attacker sees the code on their screen. The victim, who is not sitting at that computer, does not. Without the code, the victim cannot complete the Approve action even if they want to. The attack fails.
CISA -- the United States Cybersecurity and Infrastructure Security Agency -- published a formal guidance document on October 31, 2022, specifically endorsing number matching as the recommended interim mitigation for organisations using push-based MFA. Microsoft had introduced the feature in its Authenticator app back in November 2021 but left it optional. After watching the attack numbers climb steadily, the company removed the option to disable it on May 8, 2023, making it mandatory for all Microsoft Authenticator users across all tenants. Cisco Duo launched its equivalent, called Verified Push, in August 2022 with a configurable three-to-six digit code requirement. Okta implemented a similar feature called Number Challenge.
Microsoft's own internal data, gathered in live customer environments, was unambiguous: number matching, when enabled, eliminated MFA fatigue attacks.
That word "eliminated" has to carry an asterisk, though. Number matching solves push bombing specifically. It does not solve the broader problem of push-based MFA being an imperfect security layer. A different category of attack, called adversary-in-the-middle, uses a reverse proxy positioned between the victim and the legitimate login page. This proxy relays all authentication data in real time, and number matching does not help against it: the victim is the one who initiated the login, at the proxy, so the number the real site displays is relayed to the victim's screen, the victim types it into their app, and the approval completes a session the attacker controls. These proxy-based attacks were already proliferating before number matching became standard. Microsoft's Digital Defence Report documented adversary-in-the-middle incidents increasing by 146 percent year over year, to approximately 40,000 detected daily. Proxy attack toolkits -- sold under names like EvilProxy, Evilginx, Tycoon 2FA, and Mamba 2FA -- are available in dark web markets with pre-configured templates for the most common enterprise authentication platforms. The threat adapted.
The Actual Solution
There is a form of authentication that is immune to push bombing, immune to adversary-in-the-middle attacks, and immune to phishing in general. It has been available for years. It is called FIDO2, and explaining why it works requires a brief detour into how it differs from everything that came before it.
When you use a password, the system verifies your identity by comparing what you typed against a stored record. The password has to cross a network to be compared, which means it can be intercepted. When you receive a push notification and tap Approve, you are sending an approval signal across a network, which means it can be manipulated or spammed. Both of these methods share a common vulnerability: at some point, a piece of information travels through a channel that can be compromised.
FIDO2, which stands for Fast IDentity Online 2, eliminates this by combining asymmetric cryptography with a physical device -- either a hardware security key (a small device resembling a USB drive with a button on it) or the biometric systems built into modern phones and laptops. When you register a FIDO2 key with a service, the key generates two mathematically linked pieces of data: a private key and a public key. The public key is uploaded to the service. With a hardware key or a device-bound credential, the private key never leaves the device. Never. It lives in a chip specifically engineered to prevent extraction under virtually any circumstances.
When you log in, the service sends a challenge to your device -- a unique piece of data tied to that specific login attempt and, crucially, to the specific web address of the service you are authenticating with. The device signs that challenge using the private key and returns the signed response. The service verifies the signature using the public key it has on file. If the verification succeeds, you are in.
Here is why this matters for push bombing: there is nothing to bomb. The attacker cannot trigger a FIDO2 authentication prompt remotely, because FIDO2 authentication requires physical interaction with the hardware -- a touch of a finger, a glance at a camera, a press of a button. There is no notification to flood. There is no Approve button to wear you down over the course of a sleepless night.
Here is why it also defeats phishing and adversary-in-the-middle attacks: the browser records the web address it is actually connected to, the credential is scoped to the site it was registered for, and the signature covers both. If an attacker sets up a fake login page at a slightly different address, the browser finds no credential for that site and the device signs nothing; if anything were signed, the service would see the wrong address in the signed data and reject it. The refusal is automatic, without asking the user to make any decision at all. The human being is removed from the equation entirely. One boundary is worth stating plainly: FIDO2 protects the act of logging in. A session cookie lifted from the browser after the login, by an infostealer of the kind described earlier, is a separate problem, and one that phishing-resistant authentication does not solve on its own.
Google deployed hardware FIDO2 keys across its entire workforce of more than 85,000 employees and subsequently reported zero successful phishing attacks against accounts protected by the keys. Cloudflare survived a large-scale phishing campaign that successfully compromised over 130 other organisations specifically because its privileged systems had migrated to FIDO2 authentication.
CISA's formal guidance designates FIDO2 and a related standard called PKI-based authentication as "the only widely available phishing-resistant authentication" methods. The National Institute of Standards and Technology, in its Special Publication 800-63B finalised in July 2025, classifies push notifications explicitly as not phishing-resistant and mandates hardware-backed authentication for the highest security tiers. White House Memorandum M-22-09 requires the entire United States federal workforce to transition to phishing-resistant MFA. PCI DSS 4.0, the standard governing payment card security, requires multi-factor authentication for all access into cardholder data environments and points organisations toward phishing-resistant factors for it.
The direction every serious security authority is pointing is the same direction.
Where Things Stand
Push bombing, as originally executed -- a pure flood of unsolicited prompts against a simple Approve/Deny interface -- is significantly less effective than it was in 2021 and 2022 against organisations that have implemented number matching. The major vendors deployed it under considerable pressure, and it does what the research said it would do.
But the credentials are still being stolen. The pipeline from infostealer to combolist to criminal marketplace to exploitation continues to operate at volume. In 2024, that pipeline produced 3.9 billion compromised credential sets from 4.3 million infected devices. Attackers adapted to number matching by pivoting to proxy tools that can relay authentication data in real time and capture valid session tokens after login. Those tools are commercially available, actively maintained, and specifically designed to target enterprise authentication platforms.
Simple push bombing has not disappeared. Organisations that have not yet implemented number matching remain fully vulnerable. Many such organisations exist. Organisations with large employee populations and inconsistent security policy enforcement remain partially vulnerable. The attack appears in current threat intelligence reports. It is still being used.
The larger picture is this: MFA in the form of push notifications was a meaningful improvement over passwords alone, but it was always a compromise. It offered genuine protection against most automated credential stuffing. It was not designed to resist a patient, targeted human adversary prepared to exploit the gap between what the authentication system demanded and what a tired human being could reliably deliver at two in the morning.
The authentic solution -- authentication grounded in cryptographic hardware, without shared secrets crossing the network, without remote approval prompts that can be flooded on demand -- exists. It is deployed. It works. It is just not yet the default.
Until it is, the phone will keep buzzing in the dark. And somewhere, someone is counting on the fact that you will eventually just want the noise to stop.
BEHIND THE STORY
This article draws exclusively on verified technical and statistical sources published by recognised cybersecurity authorities, vendors, and research organisations. All statistics are sourced from primary documents including Verizon's Data Breach Investigations Reports (2024, 2025), Microsoft's Digital Defence Reports and Entra Blog, CISA guidance publications (including the October 31, 2022 number matching fact sheet and the Implementing Phishing-Resistant MFA fact sheet), NIST Special Publication 800-63B (finalised July 2025), MITRE ATT&CK entry T1621 (Multi-Factor Authentication Request Generation, classified April 2022), Mandiant's December 2021 threat intelligence documentation, and published technical guidance from Cisco Duo, Okta Security, and Rapid7. Beyond the publicly reported Google and Cloudflare cases cited above, no specific breach incidents, named perpetrators, or identified victims are referenced in this article. The scenarios described are composites drawn from documented attack patterns. Readers who believe their accounts may have been targeted by this technique should contact their organisation's IT security team and report suspicious authentication activity immediately.
Published by The Media Glen | Synexmedia.com | Cumberland Bay, New Brunswick, Canada