MFA Fatigue Attack
Experience an MFA push-bombing attack and learn how to defend against it.
What Is MFA Fatigue Attack?
Multi-factor authentication blocks more than 99% of automated account attacks - which is exactly why attackers have learned to target the human in front of the prompt. In this exercise, you experience a real-world MFA fatigue attack. Late at night, after a long day, you start receiving push notifications for sign-in attempts you did not make. You correctly deny the first two. Then a WhatsApp message arrives from someone claiming to be the IT Help Desk, telling you that the prompts are part of routine maintenance and you should approve the next one. Tired and trusting the message, you approve. The next morning you wake up to discover your account was used to attempt a vendor wire-transfer fraud. You walk through the aftermath: investigating what happened, calling the real IT team to confirm the attack, filing a formal incident report, and learning the four controls that defeat fatigue attacks - habits like denying every prompt you did not initiate and treating off-channel 'IT' messages as hostile, plus technical settings like number-matching MFA and phishing-resistant hardware keys. The simulation is modeled on the 2022 Uber breach, where the same combination of push spam plus a WhatsApp message gave the attacker broad internal access. Knowing the pattern is the defense.
What You'll Learn in MFA Fatigue Attack
- Recognize an MFA fatigue (push bombing) attack from the first unexpected prompt, before the social engineering hook arrives
- Apply the rule "deny every prompt you did not initiate, no matter how many arrive" even under fatigue and time pressure
- Identify off-channel impersonation of IT (WhatsApp, Telegram, personal phone) as a hostile signal regardless of how legitimate the wording sounds
- Respond to a successful account compromise with the correct first actions - call real IT, file a thorough incident report, and notify the team about the pattern
- Choose stronger MFA controls - number matching, which removes the blind Approve button because the approver must type the number shown on the screen that started the sign-in, and phishing-resistant FIDO2 / hardware keys, which need a physical touch at the genuine site and send no push at all - so a fatigue attack has nothing left to exploit
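To make the last point concrete, here is an added Python model of a number-matching push challenge. It is illustrative code written for this page, not the training platform's code and not any vendor's implementation; the class and function names, the two-digit number and the three-attempt lockout are assumptions. The point it shows: the only way to approve is to submit the number displayed on the screen that initiated the sign-in, which the attacker sees and the victim does not, so a tired tap on a prompt cannot complete someone else's login.

```python
import hmac
import secrets

# Assumed lockout for the example; real products choose their own limit.
MAX_ATTEMPTS = 3


class NumberMatchingServer:
    """Minimal server side of number-matching MFA (example model, not a product)."""

    def __init__(self):
        self.pending = {}  # challenge_id -> {"user", "number", "attempts"}

    def start_sign_in(self, user):
        """Called once the password was accepted.

        Returns the challenge id (pushed to the authenticator app) and the
        two-digit number, which is shown ONLY on the login screen of whoever
        started the sign-in. It is never sent to the phone.
        """
        cid = secrets.token_hex(8)
        number = secrets.randbelow(100)
        self.pending[cid] = {"user": user, "number": number, "attempts": 0}
        return cid, number

    def approve(self, cid, entered):
        """Called from the phone. There is no bare 'Approve': the app must
        submit the number the user read from the login screen."""
        ch = self.pending.get(cid)
        if ch is None:
            return False  # unknown, expired or already consumed challenge
        ch["attempts"] += 1
        ok = hmac.compare_digest(f"{entered:02d}", f"{ch['number']:02d}")
        if ok or ch["attempts"] >= MAX_ATTEMPTS:
            del self.pending[cid]  # consumed on success, burned after lockout
        return ok


def fatigue_attack(server, user, victim_entry):
    """The page's scenario: the attacker holds the password and starts the
    sign-in, so the number lands on the attacker's screen. The victim's phone
    gets a prompt but no number; whatever she types is a guess. Returns True
    only if that guess matched."""
    cid, number_on_attacker_screen = server.start_sign_in(user)
    return server.approve(cid, victim_entry)


def legitimate_sign_in(server, user):
    """The user starts the sign-in herself, reads the number from her own
    screen and types it into the app."""
    cid, number_on_her_screen = server.start_sign_in(user)
    return server.approve(cid, number_on_her_screen)


if __name__ == "__main__":
    srv = NumberMatchingServer()
    print("legitimate sign-in approved:", legitimate_sign_in(srv, "alice"))
    # Blind approvals: one random guess per push, so about 1 in 100 succeeds.
    wins = sum(fatigue_attack(srv, "alice", secrets.randbelow(100)) for _ in range(1000))
    print("attacker successes out of 1000 pushes:", wins)
```

Compare this with a plain Approve/Deny push, where the third prompt in the story succeeds with a single tap. With number matching the attacker would need the victim to type the number from the attacker's screen, which is exactly why real fatigue campaigns that hit number matching fall back to asking for it over the phone; the WhatsApp message in this scenario is the same social-engineering step, just aimed at a weaker prompt.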
MFA Fatigue Attack — Training Steps
- Wrapping Up for the Night
It's a few minutes past 11 PM on a Thursday. Alice has just sent the last email of the day - a routing update for tomorrow's freight schedule - and is about to shut her laptop. Her phone is on the desk beside her, charging. MFA is enabled on her work account. She sleeps better knowing it's there.
- An Unexpected Sign-In Request
Alice's phone buzzes with an MFA push notification. Someone is trying to sign in to her Northridge Logistics Portal account. She's already signed in on her laptop. She did not initiate any new login.
- Denying the First Prompt
This sign-in is not Alice's. The right move is to deny it immediately.
- Another One, Right Away
Before Alice can put her phone down, a second MFA push arrives: same account, same sign-in location in Sofia. The attempt counter on the prompt now reads Attempt #2. Whoever has her password is not giving up.
- A Message from "IT"
While Alice is staring at her phone wondering what is going on, a WhatsApp message arrives from someone identifying themselves as the Northridge IT Help Desk. The number is not in her contacts.
- Reading Between the Lines
On a normal day, Alice would notice the red flags in this message. But it's after 11 PM, she's tired, and the message uses the right vocabulary - 'credential rotation', 'session re-validation', 'Help Desk'. A real attacker is counting on exactly that fatigue.
- The Push That Decides It
Right on cue, a third MFA push arrives. Alice rationalizes: maybe IT really is doing maintenance. Approving once will end the noise so she can sleep. She taps Approve.
- A False Sense of Quiet
The prompts stop. Alice exhales, sets her phone down, and goes to sleep. In Sofia, the attacker is now signed in to her Northridge Logistics Portal account, with about twenty minutes before the company's anomaly detection flags the foreign login.
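The twenty-minute gap above is the window a detection rule should close. As an added example (written for this page, not the training platform's or any SIEM vendor's code), the Python below runs two rules over a constructed sign-in log modelled on the story: repeated denied pushes for one user inside a short window, which fires before the social-engineering hook arrives, and an approval that follows recent denials, which is the signature of a successful fatigue attack. The log format, field names, thresholds and the example.com-style addresses are all assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log modelled on the page's scenario (not real data).
# Assumed format: timestamp|user|event|result|source_ip|geo
SAMPLE_LOG = """\
2024-03-14T09:12:00+00:00|bob@northridge.example|MFA_PUSH|APPROVED|198.51.100.7|Denver, US
2024-03-14T23:04:10+00:00|alice@northridge.example|MFA_PUSH|DENIED|203.0.113.45|Sofia, BG
2024-03-14T23:04:52+00:00|alice@northridge.example|MFA_PUSH|DENIED|203.0.113.45|Sofia, BG
2024-03-14T23:07:30+00:00|alice@northridge.example|MFA_PUSH|APPROVED|203.0.113.45|Sofia, BG
2024-03-14T23:07:31+00:00|alice@northridge.example|SIGN_IN|SUCCESS|203.0.113.45|Sofia, BG
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    event: str   # MFA_PUSH or SIGN_IN
    result: str  # DENIED / APPROVED / SUCCESS
    ip: str
    geo: str


def parse_log(text):
    """Parse the pipe-delimited sample format into time-ordered Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result, ip, geo = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, event, result, ip, geo))
    return sorted(events, key=lambda e: e.ts)


def detect_push_bombing(events, window=timedelta(minutes=10), deny_threshold=2):
    """Return alerts, in time order, from two rules:

    push_bombing       - at least deny_threshold DENIED pushes for one user
                         within `window` (fires on the denials alone, so it
                         can page an analyst before anyone approves anything);
    approve_after_deny - an APPROVED push for a user who denied one or more
                         pushes inside `window` (the fatigue signature; high
                         severity because the attacker is now logged in).
    """
    alerts = []
    recent_denies = defaultdict(deque)  # user -> DENIED push events still in window
    last_bombing_alert = {}             # user -> time of last push_bombing alert

    for ev in events:
        if ev.event != "MFA_PUSH":
            continue
        q = recent_denies[ev.user]
        while q and ev.ts - q[0].ts > window:  # drop denials outside the window
            q.popleft()

        if ev.result == "DENIED":
            q.append(ev)
            last = last_bombing_alert.get(ev.user)
            if len(q) >= deny_threshold and (last is None or ev.ts - last > window):
                last_bombing_alert[ev.user] = ev.ts
                alerts.append({
                    "rule": "push_bombing", "severity": "medium", "user": ev.user,
                    "ts": ev.ts, "ip": ev.ip, "geo": ev.geo, "denied_count": len(q),
                })
        elif ev.result == "APPROVED" and q:
            alerts.append({
                "rule": "approve_after_deny", "severity": "high", "user": ev.user,
                "ts": ev.ts, "ip": ev.ip, "geo": ev.geo, "denied_before": len(q),
                # True when every prior denial came from the approving IP, as in
                # the story; attackers can rotate IPs, so the rule does not require it.
                "same_source": all(d.ip == ev.ip for d in q),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(alert)
```

Tune `deny_threshold` to the false-positive rate you can tolerate: two denials in ten minutes is rare for a normal user and cheap to triage, and the second rule should open a ticket that revokes sessions for the account rather than just notifying, since by the time it fires the attacker has what the story's attacker had.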
- An Email That Doesn't Add Up
The next morning, Alice settles into her home office with a coffee. Her inbox has a couple of overnight messages. The first is from David Park in Finance, and the subject line stops her cold.
- The Pieces Start Fitting Together
Alice did not send that email. She doesn't even handle vendor banking. Her stomach drops.