MFA Prompt Bombing: Why Push-Based Multi-Factor Authentication Is No Longer Enough to Stop Account Takeover
Attackers no longer need to steal your second factor. They just need to send enough push notifications until a user approves one. MFA prompt bombing is live against enterprise VPNs, Microsoft 365 and Okta today and the fix is not adding more factors.

Smartphone showing repeated MFA push notification requests representing an MFA prompt bombing account takeover attack
Multi-factor authentication was designed to solve a specific problem. Even if an attacker steals a user's password, they cannot log in without the second factor. That logic remains sound in theory. In practice, attackers have simply moved around it, and the technique they are using does not require intercepting a one-time password, cloning a hardware token, or bypassing any technical control. It requires sending a push notification repeatedly until a tired or distracted user taps Approve.
The technique is called MFA prompt bombing, and it is an active threat to any enterprise that relies on push-based authentication for VPN access, Microsoft 365, Okta, Duo, or any other platform where the second factor is delivered as a mobile approval request. It is not a theoretical vulnerability. It is a documented technique in active use against the same authentication infrastructure that organisations across the GCC and MENA region have deployed as their primary post-password defence. GCC cybersecurity leaders have warned consistently that the region's identity security posture must change fundamentally, and the rise of prompt bombing represents exactly the kind of attack that makes that change urgent.
How the Attack Works
The attack requires three conditions. First, the attacker must possess valid account credentials, typically sourced from credential dumps circulating on criminal markets following historical data breaches. Second, the target organisation must use push-based MFA on an internet-facing system such as a VPN, corporate email portal, or remote desktop gateway. Third, the victim must receive a notification each time the attacker attempts login.
With credentials in hand, the attacker repeatedly attempts to authenticate to the target portal. Each attempt sends a push notification to the victim's registered device. The attacker is betting on one of several outcomes: the user approves the notification by accident while managing other alerts, the user approves it to make the notifications stop, or the user approves it at an inattentive moment such as early morning or late at night.
This is not a new concept, but the scale and automation with which it is now deployed has changed the risk calculus entirely. AI is already being used to accelerate credential stuffing, phishing, and exploit discovery at speeds and volumes that manual defences cannot match. Prompt bombing fits naturally into this automated attack pipeline, requiring minimal human effort once valid credentials are in hand.
The attack has also been operationally combined with other identity attack vectors. The EvilTokens PhaaS platform bypassed MFA entirely by hijacking OAuth consent flows rather than targeting the second factor directly, compromising over 340 Microsoft 365 organisations in five weeks. Prompt bombing represents the social engineering variant of MFA bypass, while OAuth hijacking represents the technical variant. Security teams must defend against both simultaneously.
Why the Standard Advice Falls Short
The typical response to MFA bypass concerns is to recommend adding more factors or switching to a stronger second factor type. That advice is not wrong, but it misdiagnoses the problem. Prompt bombing does not exploit a weakness in the authentication technology. It exploits a weakness in human behaviour under notification pressure. Any push-based system where a human must approve an authentication attempt is potentially vulnerable to this approach, regardless of the underlying platform.
The Verizon DBIR 2026 confirmed that the time available for defenders to respond to threats has collapsed dramatically as AI compresses exploit timelines. In this environment, relying on a human to make a correct real-time judgement about whether a push notification is legitimate, under repeated notification pressure and potentially at an inattentive moment, is not a security control that can be relied upon at scale.
The More Meaningful Controls
Number matching is the most impactful single control available against prompt bombing without replacing the MFA platform entirely. It requires the user to enter a code displayed on the login screen into their authenticator app rather than simply tapping Approve, eliminating the main attack vector because the attacker cannot supply the matching number. Microsoft Authenticator, Duo, and Okta Verify all support number matching and it should be enabled as a mandatory requirement rather than an optional feature.
Additional context in push notifications, including the geographic location of the login attempt, the device used, and the time of day, gives the user enough information to recognise that the notification is fraudulent without relying solely on instinct to question an unexpected alert.
Rate limiting on failed authentication attempts prevents the attacker from sending continuous notification storms. Most enterprise MFA platforms support configurable lockout thresholds after a defined number of failed push attempts, and these should be set aggressively for internet-facing authentication endpoints.
For the highest-risk access points, privileged accounts, financial systems, and production infrastructure, phishing-resistant MFA using hardware security keys or passkeys removes the push approval step entirely. These factors cannot be socially engineered because there is no human approval action for an attacker to manipulate. Identity security in the GCC analysis confirms that the shift to phishing-resistant factors for privileged access is no longer a forward-looking aspiration but an immediate operational requirement.
The Email and Collaboration Surface
One important but often overlooked dimension of prompt bombing risk is that the credentials required to initiate the attack are frequently obtained through email-based phishing. Email remains enterprise cybersecurity's biggest liability in the GCC, with AI-powered phishing kits now capable of producing highly personalised lures at scale. Addressing prompt bombing in isolation from the broader credential theft pipeline that enables it produces an incomplete defence.
The complete mitigation requires both reducing the effectiveness of prompt bombing through the technical controls above, and reducing the frequency with which valid credentials reach attacker hands through phishing-resistant email security, strong password hygiene, and credential breach monitoring.
The GCC Enterprise Posture
For security teams across Saudi Arabia, the UAE, and the wider Gulf, the practical review should start with an audit of every push-based MFA deployment in the environment. Which systems use push? Are number matching and contextual information enabled? Are authentication failure rates monitored for bursts consistent with prompt bombing? Are privileged and high-value accounts protected by phishing-resistant factors rather than push approval?
The UAE records more than 800,000 daily cyberattacks, a volume that reflects a persistent, automated threat environment in which identity is the primary target. In that context, any authentication system that depends on a human making the right decision under repeated automated pressure is a control that will eventually fail.
MFA remains essential. The point is not that it should be abandoned. It is that push-based approval without additional safeguards is now a known, actively exploited attack surface that deserves the same immediate attention as any other critical vulnerability in the enterprise authentication stack. Gulf businesses must now plan for sustained, multi-week attack campaigns, and an authentication layer that can be bypassed through persistence and social pressure is not one that will hold under that kind of sustained pressure.
Salma Mubarak
Cloud Security & AI Security ContributorSalma is a cloud security architect and AI risk analyst specializing in DevSecOps, SaaS security, and infrastructure protection. She focuses on identifying cloud misconfigurations, AI vulnerabilities, and implementing zero-trust security frameworks for modern organizations.
At MENA Cyber Wire, Salma breaks down complex cybersecurity and AI risk concepts into clear, practical insights for founders, IT managers, and security professionals across the MENA region.