Glossary

MFA Fatigue

An attack pattern where attackers spam MFA prompts to a victim until they approve out of frustration.

MFA fatigue (sometimes called MFA bombing or push fatigue) is an attack pattern where an attacker who has stolen credentials triggers repeated MFA push notifications to the legitimate user. The attacker hopes the user will eventually approve one — accidentally, out of frustration, or to make the notifications stop. Mitigated by number matching (the user must enter a number shown on the sign-in screen, not just tap Approve), context information in the push (showing the sign-in app and location), risky-sign-in policies in Identity Protection that block obvious anomalies, and phishing-resistant MFA (FIDO2 / passkeys / Windows Hello) which can't be triggered remotely by an attacker. Microsoft enables number matching by default in tenants.
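As an added example that is not part of this glossary entry and not a Microsoft tool, the Python below implements the detection side of the pattern: it scans sign-in records for a burst of push prompts the user did not approve, and notes whether an approval followed the burst (the case where the attack succeeded). The log format, field names, threshold and sample records are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data).
# Format: "<utc time> <user> <push result> <source ip>"
SAMPLE_LOGS = [
    "2024-05-01T09:00:02Z alice@example.com denied   203.0.113.7",
    "2024-05-01T09:00:40Z alice@example.com denied   203.0.113.7",
    "2024-05-01T09:01:15Z alice@example.com timeout  203.0.113.7",
    "2024-05-01T09:01:50Z alice@example.com denied   203.0.113.7",
    "2024-05-01T09:02:30Z alice@example.com timeout  203.0.113.7",
    "2024-05-01T09:03:05Z alice@example.com approved 203.0.113.7",
    "2024-05-01T08:15:00Z bob@example.com   denied   198.51.100.4",
    "2024-05-01T08:58:00Z bob@example.com   approved 198.51.100.4",
]


def parse(line):
    """Split one constructed log line into (timestamp, user, result, ip)."""
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def detect_mfa_fatigue(lines, threshold=4, window=timedelta(minutes=10)):
    """Flag users who received >= threshold unapproved push prompts within `window`.

    Returns {user: {"unapproved": n, "approved_after_burst": bool, "ips": [...]}}.
    A normal user rarely denies or ignores several prompts in a row; an
    approval at the tail of such a burst is the signal the account is compromised.
    """
    by_user = defaultdict(list)
    for line in lines:
        event = parse(line)
        by_user[event[1]].append(event)

    alerts = {}
    for user, events in by_user.items():
        events.sort()  # chronological order, tuples sort on timestamp first
        for i, (start, _, _, _) in enumerate(events):
            # Window anchored at prompt i: every prompt up to `window` later.
            burst = [e for e in events[i:] if e[0] - start <= window]
            unapproved = [e for e in burst if e[2] != "approved"]
            if len(unapproved) >= threshold:
                last_unapproved = unapproved[-1][0]
                alerts[user] = {
                    "unapproved": len(unapproved),
                    "approved_after_burst": any(
                        e[2] == "approved" and e[0] > last_unapproved for e in burst),
                    "ips": sorted({e[3] for e in burst}),
                }
                break  # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for user, info in detect_mfa_fatigue(SAMPLE_LOGS).items():
        print(user, info)
```

An `approved_after_burst` of `True` is the record a responder would prioritise: revoke the session and reset the credential, since the push was approved after the user had already refused or ignored several prompts.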