MFA Prompt Bombing: Why Your Second Factor Isn't Saving You
The Hacker News, May 26, 2026. Password Security / Social Engineering
Multi-factor authentication (MFA) was supposed to close a critical gap in identity security. It meant that, even if an attacker possessed the account credentials, they couldn't log in without the second factor. While that logic was sound, attackers have now figured out that they don't need to steal the second factor: they just need the user to hand it over.
If your workforce authenticates with push-based MFA, this attack is a live threat to your organization today. Tools like Specops Secure Access are built specifically to close that gap, but before getting into the fix, it's worth understanding how this technique works.
How MFA prompt bombing works
The attack requires three key elements to work:
- Valid account credentials, usually sourced from breached password dumps on the dark web
- A login portal that uses push-based MFA (such as a VPN, Microsoft 365, Okta, or Duo)
- A victim who is alerted every time the attacker tries the login
Attackers repeatedly trigger the prompt, hoping either to trick the target into approving the request or simply to wear them down until they do. Sometimes attackers pair prompt bombing with a vishing call in which they pose as IT staff and try to socially engineer the target. The danger is that these methods only need to work once.
If the prompt is approved, the attacker is logged in as that user. Security systems typically won't be alerted, as the login looks entirely legitimate.
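The pattern just described is visible in authentication logs before the approval lands. The following is an added example, not code from the article or from Specops: it runs a small detector over a few constructed MFA push events, flags a burst of denied or timed-out pushes for one user inside a ten-minute window, and escalates when an approval follows that burst, because on its own that approval is indistinguishable from a normal login. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events (not real logs). Each line is:
# <timestamp> <user> <method> <result> <source_ip>
SAMPLE_EVENTS = """\
2026-05-20T02:01:10Z alice push denied 203.0.113.7
2026-05-20T02:01:45Z alice push timeout 203.0.113.7
2026-05-20T02:02:20Z alice push denied 203.0.113.7
2026-05-20T02:03:05Z alice push timeout 203.0.113.7
2026-05-20T02:03:50Z alice push denied 203.0.113.7
2026-05-20T02:09:30Z alice push approved 203.0.113.7
2026-05-20T09:15:00Z bob push approved 198.51.100.4
2026-05-20T09:40:00Z bob push denied 198.51.100.4
2026-05-20T09:41:00Z bob push approved 198.51.100.4
"""

WINDOW = timedelta(minutes=10)   # assumed: how long a cluster of pushes stays "recent"
BURST_THRESHOLD = 3              # assumed: unanswered pushes inside WINDOW that form a burst
UNANSWERED = {"denied", "timeout"}


def parse_events(text):
    """Parse the whitespace-separated sample format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, result, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "method": method, "result": result, "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_prompt_bombing(events):
    """Return alerts in time order.

    'burst': a user accumulated BURST_THRESHOLD unanswered pushes inside WINDOW.
    'approval_after_burst': the user then approved a push while the burst was
    still inside WINDOW. That approval alone looks like a legitimate login, so
    the correlation with the preceding burst is what makes it worth alerting on.
    """
    alerts = []
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)

    for user, evs in per_user.items():
        recent = []          # timestamps of unanswered pushes still inside WINDOW
        burst_open = False   # a burst alert has fired and has not yet expired
        for e in evs:
            recent = [t for t in recent if e["ts"] - t <= WINDOW]
            if not recent:
                burst_open = False
            if e["result"] in UNANSWERED:
                recent.append(e["ts"])
                if len(recent) >= BURST_THRESHOLD and not burst_open:
                    burst_open = True
                    alerts.append({"kind": "burst", "user": user, "at": e["ts"],
                                   "count": len(recent), "ip": e["ip"]})
            elif e["result"] == "approved":
                if burst_open:
                    alerts.append({"kind": "approval_after_burst", "user": user,
                                   "at": e["ts"], "ip": e["ip"]})
                # an approval ends the current episode either way
                recent, burst_open = [], False
    return sorted(alerts, key=lambda a: a["at"])


if __name__ == "__main__":
    for alert in detect_prompt_bombing(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the sample, the detector raises a burst for alice at the third unanswered push and a high-severity approval_after_burst at 02:09:30; bob's single denial followed by an approval is the ordinary "tapped the wrong button" case and stays quiet. In a real deployment the source IP of the burst is the pivot for the next step: an approval from a different IP than the user's usual one is the point to pull the session.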
The Cisco breach
The 2022 Cisco breach is a key example of how effective this technique is against even mature security programs. An attacker linked to the Yanluowang ransomware group compromised a Cisco employee's personal Google account, which was syncing browser-stored credentials, including the employee's Cisco VPN password.
From there, the attacker pushed MFA prompts to the employee's phone. That initially didn't work, so they began using vishing calls posing as trusted support organizations, speaking in various accents, and eventually convincing the employee to accept a push notification.
Once accepted, the attacker had VPN access as the employee. They then enrolled their own devices for MFA to maintain persistence, escalated to administrative privileges, reached Citrix servers and domain controllers, and exfiltrated around 2.8GB of data before being evicted. The fact that prompt bombing worked against a company like Cisco, which is far from having a weak security posture, highlights just how dangerous and effective the attack has become.
Why push MFA doesn't eliminate risk
The issue with push-based MFA is that users are asked to approve or deny a login with very little to go on. There's no clear indication of where the request originated, what device is being used, or whether the login attempt was initiated by the user at all. In isolation, that might be manageable. But when prompts start arriving repeatedly, it's easy to assume something's misfiring rather than recognizing it as a potential attack.
If that's paired with a well-timed phone call from someone posing as IT support, the situation becomes even harder to assess. At that point, the user isn't acting carelessly, but responding to a scenario designed to feel routine and legitimate, using credentials the attacker already has.
3 ways organizations can prevent prompt bombing
1. Use fatigue and phishing-resistant MFA factors
Push notifications are the weakest common form of MFA. Phishing-resistant factors such as FIDO2 security keys, hardware tokens like YubiKey, or number-matching codes from authenticator apps are harder to abuse.
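To make concrete why number matching and a push budget change the picture, here is an added example of the server side of such a scheme. It is an illustration written for this page, not Specops' or any vendor's implementation, and the limits (three pushes per ten minutes, three wrong numbers per challenge) are assumptions. The number is rendered on the login page only, so a user who did not start the login has nothing to type, and a user who is being bombed simply stops receiving pushes.

```python
import secrets
from datetime import datetime, timedelta


class NumberMatchingMfa:
    """Server side of number-matching push MFA with a per-user push budget.

    Two properties matter against prompt bombing:
    * the number is shown on the login page, never in the push, so a user who
      did not start the login has nothing to enter and cannot "just approve";
    * a user receives at most PUSH_LIMIT pushes per PUSH_WINDOW, so an attacker
      cannot keep the phone buzzing until the user gives in.
    Constants are assumptions, not any vendor's defaults.
    """
    PUSH_LIMIT = 3
    PUSH_WINDOW = timedelta(minutes=10)
    MAX_ATTEMPTS = 3          # wrong numbers tolerated per challenge

    def __init__(self, rng=secrets.randbelow):
        self._rng = rng           # injectable so the behaviour can be tested
        self._challenges = {}     # user -> {"number": int, "attempts": int}
        self._push_log = {}       # user -> timestamps of pushes sent

    def start_login(self, user, now):
        """Called once the password has been verified.

        Returns ("push_sent", number), where number goes to the login page only,
        or ("push_refused", None) when the user's push budget is spent; the
        caller should then fall back to a different factor instead of pushing.
        """
        sent = [t for t in self._push_log.get(user, []) if now - t < self.PUSH_WINDOW]
        self._push_log[user] = sent
        if len(sent) >= self.PUSH_LIMIT:
            return ("push_refused", None)
        number = self._rng(100)                        # two-digit code
        self._challenges[user] = {"number": number, "attempts": 0}
        sent.append(now)
        return ("push_sent", number)

    def respond(self, user, entered):
        """Called by the authenticator app with the digits the user typed."""
        ch = self._challenges.get(user)
        if ch is None:
            return "no_pending_challenge"
        ch["attempts"] += 1
        if entered == ch["number"]:
            del self._challenges[user]
            return "approved"
        if ch["attempts"] >= self.MAX_ATTEMPTS:
            del self._challenges[user]                 # challenge burned; login restarts
            return "locked"
        return "rejected"


def demo_sequence():
    """Walk through a bombing attempt with a fixed number (42) so the run is deterministic."""
    mfa = NumberMatchingMfa(rng=lambda n: 42)
    t0 = datetime(2026, 5, 20, 2, 0, 0)
    out = []
    out.append(mfa.start_login("alice", t0))                    # ("push_sent", 42)
    out.append(mfa.respond("alice", 7))                         # blind approval: "rejected"
    out.append(mfa.respond("alice", 42))                        # user at the login page: "approved"
    for m in (1, 2, 3):                                         # attacker re-triggers pushes
        out.append(mfa.start_login("alice", t0 + timedelta(minutes=m))[0])
    out.append(mfa.respond("alice", 1))
    out.append(mfa.respond("alice", 2))
    out.append(mfa.respond("alice", 3))                         # "locked"
    out.append(mfa.start_login("alice", t0 + timedelta(minutes=15))[0])  # window passed
    return out


if __name__ == "__main__":
    print(demo_sequence())
```

One caveat worth keeping in mind: number matching defeats the blind-approval version of the attack, but not the vishing variant the article describes, because a caller who is sitting at the login page can read the number to the victim. That is the scenario where FIDO2 security keys, which bind the authentication to the site the user is actually on, are the stronger answer.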
Specops Secure Access supports more than 15 identity providers and includes these fatigue-resistant options for Windows logon, RDP, and VPN connections, so organizations can retire push-only MFA for high-risk access points.
2. Block compromised passwords at the source
Prompt bombing is only possible when the attacker already has a valid password. Scanning Active Directory (AD) continuously against a live database of breached passwords, and forcing a reset when a match appears, removes the fuel for the attack. Relying on default AD password policies won't catch reused, incremental, or breached passwords. If you don't know where you stand today, Specops Password Auditor is a free, read-only scan of your AD that flags vulnerabilities like compromised passwords or inactive admin accounts.
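The two checks that paragraph names, "is this password in a breach corpus" and "is this an incremental variant of a blocked word", can be sketched in a few lines. The following is an added example, not the article's or Specops' code: it looks a password up the k-anonymity way (hash it, index by the first five hex characters of the SHA-1, compare the remaining suffix locally) against a small constructed corpus, and separately strips trailing digits and symbols to catch Welcome2026!-style increments. The corpus, the blocked base words and the suffix pattern are all assumptions.

```python
import hashlib
import re


def _sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_corpus(samples):
    """Index {password: breach_count} by SHA-1 prefix -> [(suffix, count), ...].

    This mirrors the k-anonymity shape of breach-lookup services: the client sends
    only the 5-character prefix and compares the returned suffixes itself.
    """
    corpus = {}
    for pw, count in samples.items():
        h = _sha1_upper(pw)
        corpus.setdefault(h[:5], []).append((h[5:], count))
    return corpus


# Constructed stand-in for a breached-password corpus (counts are made up).
BREACHED_CORPUS = _build_corpus({
    "password": 9_000_000,
    "Welcome1": 120_000,
    "Summer2024!": 3_500,
})

# Constructed list of base words whose numbered/symbol variants are never acceptable.
BLOCKED_BASE_WORDS = {"welcome", "summer", "password", "company"}

# Trailing run of digits and common symbols: "Welcome2026!" -> "Welcome"
SUFFIX_PATTERN = re.compile(r"[\d!@#$%^&*.?]+$")


def is_breached(password, corpus=BREACHED_CORPUS):
    """Return the breach count for the password, or 0 if it is not in the corpus."""
    h = _sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for candidate_suffix, count in corpus.get(prefix, []):
        if candidate_suffix == suffix:
            return count
    return 0


def base_word(password):
    """Lower-cased password with its trailing digit/symbol run removed."""
    return SUFFIX_PATTERN.sub("", password).lower()


def audit_password(password):
    """Return a list of findings; an empty list means neither check fired."""
    findings = []
    count = is_breached(password)
    if count:
        findings.append(f"breached ({count} occurrences)")
    base = base_word(password)
    if base in BLOCKED_BASE_WORDS:
        findings.append(f"incremental variant of blocked base word '{base}'")
    return findings


if __name__ == "__main__":
    for pw in ("Welcome1", "Welcome2026!", "Summer2024!", "correct-horse-battery"):
        print(pw, "->", audit_password(pw) or "ok")
```

Welcome2026! is not in the constructed corpus but still fails, which is the "incremental" case the paragraph refers to. Character substitutions such as P@ssw0rd are not normalised here; a production check would add that step before the base-word comparison.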
3. Add risk signals to the login
Conditional access policies that factor in geography, device posture, and login times can block or step up authentication before a prompt is ever sent to the user's phone. This reduces reliance on user behaviour alone and introduces real-time context to stop suspicious logins before they escalate into successful account compromise.
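As an added example of the decision that paragraph describes (not the article's or any identity provider's policy engine), the following scores a sign-in on the three signals named, geography, device posture and time of day, and returns one of three outcomes before any prompt is sent: a push is acceptable, a phishing-resistant factor is required, or the attempt is blocked outright. The field names, weights and thresholds are assumptions to be tuned from your own sign-in history.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    """Signals available before any MFA prompt is sent (field names are assumptions)."""
    user: str
    country: str                 # from IP geolocation
    device_managed: bool         # posture: enrolled and compliant per MDM
    hour_local: int              # hour of day in the user's time zone
    usual_countries: frozenset   # countries this user normally signs in from


WORK_HOURS = range(7, 20)        # assumed 07:00-19:59 local

# Assumed weights; a real policy would learn these from historical sign-ins.
WEIGHTS = {"unfamiliar country": 2, "unmanaged device": 2, "outside work hours": 1}
BLOCK_AT = 4      # score at or above which no prompt is ever sent
STEP_UP_AT = 1    # score at or above which a push is not acceptable


def evaluate_access(ctx):
    """Return (decision, reasons).

    'push_ok' - low risk, a push prompt is acceptable
    'step_up' - risk present; require a phishing-resistant factor, send no push
    'block'   - too risky; reject before the user's phone is involved at all
    """
    reasons = []
    if ctx.country not in ctx.usual_countries:
        reasons.append("unfamiliar country")
    if not ctx.device_managed:
        reasons.append("unmanaged device")
    if ctx.hour_local not in WORK_HOURS:
        reasons.append("outside work hours")
    score = sum(WEIGHTS[r] for r in reasons)
    if score >= BLOCK_AT:
        return "block", reasons
    if score >= STEP_UP_AT:
        return "step_up", reasons
    return "push_ok", reasons


# Constructed scenarios for one user whose normal sign-ins come from "US".
ALICE_USUAL = frozenset({"US"})
SCENARIOS = {
    "office_hours_managed":   LoginContext("alice", "US", True, 10, ALICE_USUAL),
    "night_managed":          LoginContext("alice", "US", True, 2, ALICE_USUAL),
    "abroad_unmanaged_night": LoginContext("alice", "ZZ", False, 2, ALICE_USUAL),
}


def evaluate_all(scenarios=SCENARIOS):
    """Map scenario name -> decision, for the constructed scenarios above."""
    return {name: evaluate_access(ctx)[0] for name, ctx in scenarios.items()}


if __name__ == "__main__":
    for name, ctx in SCENARIOS.items():
        print(name, "->", evaluate_access(ctx))
```

The point of the block outcome is that the user's phone never buzzes, so there is nothing for fatigue to wear down; the step_up outcome keeps the account usable on a legitimate late-night sign-in while refusing the one factor the attacker is counting on.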
MFA still matters
MFA prompt bombing isn't a reason to move away from MFA, but it does highlight where some factors fall short. When approval requests can be triggered repeatedly with no meaningful context, the control becomes easier to influence than intended.
If push is still your default second factor, it's worth revisiting that decision. Number matching or phishing-resistant methods strengthen the MFA method itself, while scanning for compromised passwords limits the risk of attackers possessing the first authentication step. If you're looking to evolve your identity security with more robust MFA, talk to Specops.
This article is a contributed piece from one of our valued partners.
