title: Multi-Factor Authentication Fatigue (MFA Bombing) Attack (THREAT-EntraID-MFAFatigue)
id: df00tech-threat-entraid-mfafatigue
status: experimental
description: "MFA fatigue (also called MFA bombing or push flooding) is a social engineering technique where an attacker who has obtained valid credentials uses repeated MFA push notifications to wear down the victim into approving an authentication request out of annoyance or confusion. Scattered Spider pioneered this at scale, compromising MGM Resorts, Caesars Entertainment, and numerous UK-based organisations. The attacker sends dozens of Authenticator app push notifications in rapid succession, sometimes at 3am to catch sleeping victims, until one is approved. Some variants include calling the victim while bombing, claiming to be IT support (vishing), and guiding them to approve the 'legitimate' request. NCSC and CISA issued a joint advisory on this technique in 2023. With valid M365 credentials available from password spray or phishing, MFA fatigue is the primary way Scattered Spider bypasses MFA."
references:
  - https://attack.mitre.org/techniques/THREAT-EntraID-MFAFatigue/
  - https://df00tech.com/detections/THREAT-EntraID-MFAFatigue
author: df00tech
date: 2026/04/25
tags:
  - attack.threat-entraid-mfafatigue
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Users with intermittent mobile connectivity who have multiple MFA push notifications queued and delivered in rapid succession
  - Automated system accounts or service principals that trigger MFA in rapid succession during batch processing
  - MFA enrollment flows that trigger multiple notifications during the enrollment wizard
  - Users testing their own MFA setup by repeatedly triggering and denying prompts
level: high