HackMyIP
2026-05-26 The Hacker News

MFA Prompt Bombing: Push-Based 2FA Exploitation Explained

Tags: Authentication, Phishing, Threat Intel

Multi-factor authentication (MFA) was designed to close a critical gap in identity security by requiring a second factor beyond passwords. However, attackers have developed a technique called MFA prompt bombing that eliminates the need to steal the second factor entirely. Instead, threat actors repeatedly trigger push notifications to the victim's device, attempting to wear down users into approving the request. This attack requires three elements: valid credentials from data breaches, a login portal using push-based MFA (such as VPN, Microsoft 365, Okta, or Duo), and a victim who receives the notifications. Security teams should verify whether their organization's credentials have been exposed using tools like our email breach checker.

The 2022 Cisco breach demonstrates how devastating this technique can be against even mature security programs. Attackers linked to the Yanluowang ransomware group compromised a Cisco employee's personal Google account, which was syncing browser-stored credentials including the employee's Cisco VPN password. The threat actor pushed MFA prompts to the employee's phone, and when that failed, they initiated vishing calls pretending to be trusted support organizations. By using various accents and social engineering tactics, they convinced the employee to approve a push notification, granting VPN access. The attacker then enrolled their own devices for MFA persistence, escalated to administrative privileges, reached Citrix servers and domain controllers, and exfiltrated approximately 2.8GB of data before being detected.

The fundamental weakness in push-based MFA is the lack of contextual information provided to users. Recipients receive approval requests with minimal details—no clear indication of the request's origin, device type, or whether they initiated the login attempt. When these prompts arrive repeatedly, users often assume technical malfunctions rather than recognizing an active attack. Organizations should implement controls to detect credential stuffing attempts and encourage employees to use dedicated password checker tools to ensure their credentials aren't compromised. Security awareness training must emphasize that legitimate IT departments will never request MFA approval via unsolicited calls. The Cisco incident proves that even well-resourced security programs remain vulnerable to persistent social engineering combined with push notification exploitation.
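The detection side of the pattern described above, as an added example that is not part of the article or the Cisco investigation: it scans a constructed set of MFA push events for one user accumulating denied or timed-out pushes in a short window, and escalates the alert when an approval follows that burst. The event format, user names, window and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of push-MFA events (not real logs). One challenge per line:
# timestamp, user, outcome (DENIED / TIMEOUT / APPROVED).
SAMPLE_EVENTS = """\
2026-05-26T01:02:03Z alice TIMEOUT
2026-05-26T01:02:40Z alice DENIED
2026-05-26T01:03:10Z alice TIMEOUT
2026-05-26T01:03:45Z alice TIMEOUT
2026-05-26T01:04:20Z alice DENIED
2026-05-26T01:05:05Z alice APPROVED
2026-05-26T01:10:00Z bob APPROVED
2026-05-26T03:00:00Z bob DENIED
"""


def parse_events(text):
    """Parse the assumed 'timestamp user outcome' lines, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return sorted(events)


def detect_prompt_bombing(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: alert}. 'burst' = at least `threshold` unapproved pushes
    inside `window`; 'fatigue_success' = an APPROVED push arrives while such a
    burst is still inside the window (the user was worn down)."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes in window
    alerts = {}
    for ts, user, outcome in events:
        q = recent[user]
        while q and ts - q[0] > window:  # drop pushes that fell out of the window
            q.popleft()
        if outcome in ("DENIED", "TIMEOUT"):
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(user, "burst")
        elif outcome == "APPROVED" and len(q) >= threshold:
            alerts[user] = "fatigue_success"  # approval right after a burst
    return alerts


if __name__ == "__main__":
    print(detect_prompt_bombing(parse_events(SAMPLE_EVENTS)))  # {'alice': 'fatigue_success'}
```

A 'fatigue_success' alert is the one to treat as an active compromise: revoke the session, check for newly enrolled MFA devices, and reset the credential.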

Source: The Hacker News
