1 min read
MFA fatigue and how to stop push bombing
Attackers spam approve prompts until someone taps Yes. How number matching and better MFA choices help.

Multi-factor authentication still works when it is not a blind “Approve?” button.
What MFA fatigue looks like
An attacker with a stolen password triggers dozens of push notifications. A tired employee finally accepts. The attacker is in.
Better defaults
- Prefer number matching on Microsoft Authenticator
- Prefer phishing-resistant options (FIDO2 / passkeys) for admins
- Limit who can receive push prompts at all
What to tell staff
Never approve a sign-in you did not start. If prompts appear out of nowhere, change the password and tell IT immediately.
Qutzl can help harden Microsoft 365 authentication for your tenant. Contact us.
