MFA Fatigue Attacks: The Trick That Is Bypassing Your Business Login Security
Multi-factor authentication was supposed to be the answer. And for years, it was enough to stop most attackers cold. But cybercriminals adapt fast – and they have found a devastatingly simple way around MFA that does not require any technical skill whatsoever. It is called an MFA fatigue attack, and it has already been used to breach major organisations including Uber, Microsoft, and Okta. For Australian small businesses, understanding this attack is urgent – because the tools to stop it are already available, and the cost of being unprepared is significant.

What Is an MFA Fatigue Attack?

An MFA fatigue attack – also called MFA push bombing – is a social engineering technique where an attacker who already has a victim’s username and password floods their phone with repeated authentication push notifications. The goal is simple: annoy or confuse the target into approving a login they did not initiate.

Here is how it unfolds:

Some attackers pair this with a phone call pretending to be from IT support, creating urgency and accelerating the approval. The entire attack requires zero technical exploitation on the attacker’s part.

Learn how Netlogyx Security Awareness Training protects your staff

Why MFA Fatigue Attacks Are So Effective Against SMBs

Most small and medium businesses have deployed basic MFA – often the simple “approve/deny” push notification style. While this is far better than no MFA, it creates the exact vulnerability that MFA fatigue exploits.

The reasons SMBs are particularly exposed:

The MFA fatigue attack works because it exploits human psychology, not technical vulnerabilities.

How to Protect Your Business Against MFA Fatigue

The good news is that this attack is entirely preventable. Here is what Netlogyx recommends:

1. Switch to Number Matching MFA
Authenticator apps like Microsoft Authenticator now support number matching – the app shows a number that must match what appears on the login screen. This stops blind approvals dead.

2. Enable Additional Context in Push Notifications
Show the user the geographic location and the device making the request. An approval prompt showing “Login attempt from Romania” is much harder to accidentally approve.

3. Move to Phishing-Resistant MFA
FIDO2 hardware keys (like YubiKeys) or passkeys are the gold standard. They cannot be intercepted, bypassed, or bombed.

4. Implement Conditional Access Policies
Block login attempts from unexpected countries, unusual devices, or outside of business hours where possible.

5. Train Your Staff
Employees should know to never approve an MFA request they did not initiate – and to immediately call IT support if they receive unexpected push notifications.

Explore our Vulnerability Management service to identify credential exposure risks

The Broader Picture: Credential Security in 2026

MFA fatigue attacks are one part of a broader credential security problem. Billions of username and password combinations are available for sale on the dark web right now. Attackers can automate credential stuffing attacks at scale – trying stolen logins against your Microsoft 365, Google Workspace, or accounting software with no effort.

The ACSC’s Essential Eight framework recommends implementing phishing-resistant MFA as a priority control for all Australian businesses. This is not bureaucratic box-ticking – it is the direct response to the attack methods being used against Australian businesses today.

Read about our Managed IT Support and security posture management

Is Your MFA Implementation Actually Protecting You?

Basic push approval MFA is no longer enough. Netlogyx can audit your current authentication setup, identify exposure to MFA fatigue attacks, and upgrade your controls to phishing-resistant methods — without disrupting your team.

Frequently Asked Questions

Q: We already have MFA set up. Are we protected from MFA fatigue attacks?
A: Not necessarily. If you are using simple push notification approval without number matching or additional context, you remain vulnerable. The type of MFA matters as much as having it in the first place.

Q: What is the most secure form of MFA for a small business?
A: FIDO2 hardware security keys are the gold standard and are completely immune to MFA fatigue and phishing. For businesses not ready for hardware keys, number matching combined with contextual push notifications is a strong step forward.

Q: How do I know if my accounts are being targeted?
A: Unexpected MFA push notifications are the clearest warning sign. Staff should be instructed to report these immediately. Monitoring sign-in logs for repeated failed attempts is also essential.

Do Not Let a Tired Employee Be Your Weakest Link

MFA fatigue attacks are a reminder that technology alone does not create security. People are always part of the equation – and attackers know it. The solution is not to blame your staff. It is to give them better tools and better training so that approving a malicious login becomes impossible, not just unlikely. Netlogyx keeps Australian SMBs ahead of exactly these kinds of evolving threats.

(We are not looking to replace your current provider, just offering an alternative perspective)

Written by Neil Frick
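To make recommendations 1, 2 and 4 concrete, here is an added worked example of a hardened sign-in flow: conditional access is evaluated before any push is sent, and the push itself is a number-matching prompt that carries location and device context, so a blind "approve" tap cannot complete a login. This is illustration code written for this article, not Netlogyx, Microsoft or Entra code; the policy values, device identifiers, the user "alice" and the in-memory prompt store standing in for an authenticator service are all constructed assumptions.

```python
"""Hardened sign-in flow: conditional access checks first, then a
number-matching push prompt with context. Added illustration written for
this article; it is not Netlogyx, Microsoft or Entra code. The policy values,
device IDs and in-memory prompt store are constructed for the example."""
import secrets
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, Optional, Tuple


@dataclass
class SignInContext:
    user: str
    country: str     # geo-IP country of the request, assumed already resolved
    device_id: str   # identifier of the device attempting the sign-in
    when: datetime   # local time at the tenant


# Constructed policy: block unexpected countries, unknown devices and
# out-of-hours sign-ins, as recommendation 4 above suggests.
POLICY = {
    "allowed_countries": {"AU", "NZ"},
    "known_devices": {"laptop-0042", "phone-0017"},
    "business_hours": (7, 19),  # 07:00 to 19:00 local, end exclusive
}


def conditional_access(ctx: SignInContext, policy: dict = POLICY) -> Tuple[bool, str]:
    """Decide before any push is sent. A denial here means an attacker holding
    a stolen password never gets to trigger a prompt at all."""
    if ctx.country not in policy["allowed_countries"]:
        return False, f"blocked: sign-in from unexpected country {ctx.country}"
    if ctx.device_id not in policy["known_devices"]:
        return False, f"blocked: unregistered device {ctx.device_id}"
    start, end = policy["business_hours"]
    if not start <= ctx.when.hour < end:
        return False, "blocked: outside business hours"
    return True, "conditional access passed"


# Pending prompts: prompt_id -> (number shown on the login screen, user).
_pending: Dict[str, Tuple[int, str]] = {}


def issue_prompt(ctx: SignInContext) -> Tuple[str, int, str]:
    """Create a single-use push prompt. Returns the prompt id, the two-digit
    number the login screen displays, and the context string the app shows."""
    prompt_id = secrets.token_hex(8)
    number = secrets.randbelow(100)
    _pending[prompt_id] = (number, ctx.user)
    context = f"Login attempt from {ctx.country} on {ctx.device_id}"
    return prompt_id, number, context


def approve_prompt(prompt_id: str, entered: Optional[int]) -> bool:
    """Approve only if the number typed into the app matches the number on the
    login screen. A blind tap (entered=None) or an unknown/used prompt fails."""
    pending = _pending.pop(prompt_id, None)   # single use: consumed either way
    if pending is None or entered is None:
        return False
    expected, _user = pending
    return secrets.compare_digest(f"{expected:02d}", f"{entered:02d}")


def sign_in(ctx: SignInContext, respond: Callable[[int, str], Optional[int]]) -> str:
    """Full flow. `respond` stands in for the user's authenticator app: it
    receives the on-screen number and the context, and returns what the user
    types (None models a plain approve tap)."""
    allowed, reason = conditional_access(ctx)
    if not allowed:
        return reason
    prompt_id, number, context = issue_prompt(ctx)
    if approve_prompt(prompt_id, respond(number, context)):
        return "signed in"
    return "denied: prompt not approved with matching number"


def example_context(country: str, device_id: str, hour: int) -> SignInContext:
    """Constructed sign-in context for the demonstration (user 'alice')."""
    return SignInContext("alice", country, device_id, datetime(2026, 3, 2, hour, 0))


if __name__ == "__main__":
    genuine = example_context("AU", "laptop-0042", 10)
    print(sign_in(genuine, lambda n, c: n))      # user types the on-screen number: signed in
    print(sign_in(genuine, lambda n, c: None))   # blind approve tap: denied
    print(sign_in(example_context("RO", "laptop-0042", 10), lambda n, c: n))  # blocked before any prompt
```

The ordering is the point: the policy check runs before a prompt exists, so a stolen password from an unexpected country never produces a notification at all, and when a prompt is sent, only someone looking at the real login screen knows the number to enter. A user who is flooded with prompts they did not start has nothing to type, so each unsolicited prompt simply expires.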
Phishing Attack Prevention: What the Booking.com and Super Fund Attacks Teach Australian SMBs
When hackers compromised Booking.com’s supply chain in April 2026, the real attack started the next day with a flood of hyper-targeted phishing emails to genuine customers. When 20,000 Australian superannuation accounts were drained in the April 2025 super fund attacks, the attackers did not hack the funds. They used credentials stolen from unrelated breaches to log in as the real members. Every day in Australia, phishing emails, smishing texts, and vishing calls are bypassing technology and walking straight into inboxes that belong to trusted staff. Phishing attack prevention is no longer about training staff to spot bad grammar. It is about rebuilding the layers of defence that assume one email will get through, because it will.

Why 2025 Was the Year Phishing Got Personal

The modern phishing attack is almost unrecognisable compared to five years ago. In 2025 and 2026, Australian businesses are facing:

The ACSC recorded over 84,700 cybercrime reports in FY2024-25, with business email compromise, identity fraud, and phishing dominating the categories.

The Booking.com Supply Chain Phishing Attack

In April 2026, Booking.com confirmed that attackers had accessed customer names, emails, addresses, and booking details via a compromised third party. The immediate follow-up was a wave of convincing phishing emails to those customers, referencing real bookings and asking for payment “verification.”

This is the phishing attack of 2026: legitimate data stolen from one source, weaponised against real customers the next day, with specific and verifiable detail that defeats traditional detection.

The Super Fund Credential Stuffing Attack

In April 2025, more than 20,000 super accounts across AustralianSuper, REST, Hostplus, Australian Retirement Trust, and Insignia Financial were compromised. Attackers did not breach the super funds. They used credentials stolen from unrelated data breaches, betting that users had reused the same password. Four AustralianSuper members lost a combined $500,000. A 74-year-old Queensland woman lost $406,000 overnight. The attack was pure phishing-derived credential harvesting combined with password reuse.

The Six Layers of Modern Phishing Attack Prevention

Technology alone will not stop phishing. People alone will not either. Modern phishing attack prevention requires six overlapping layers:

Recommended Link: Security Awareness Training That Actually Works

The Process Controls That Matter as Much as Technology

Technology stops the easy attacks. Process stops the sophisticated ones:

Recommended Link: Email and Office 365 Security for Australian Businesses

How Confident Are You That Your Next Phishing Email Will Be Caught?

Phishing attack prevention is now a layered discipline. A single control is not enough.

Frequently Asked Questions

Q: What is the single most effective phishing attack prevention control?
A: Phishing-resistant MFA on every business system. Microsoft’s own data shows it blocks more than 99.9% of automated credential attacks. It is not perfect, but nothing else comes close.

Q: How often should staff receive phishing training?
A: Quarterly at minimum, with monthly phishing simulations for high-risk roles such as finance, executive assistants, and HR. Annual training alone is not enough.

Q: If a staff member falls for a phishing email, who is responsible?
A: This is why a “pause and verify” culture matters. Staff who report incidents quickly should be supported, not punished. Blame cultures make phishing worse because staff hide mistakes.

The Booking.com incident, the super fund attack, the Qantas call-centre compromise, and every other major 2025-2026 Australian breach share one common feature: phishing, in some form, was the entry point. Phishing attack prevention is no longer an IT checkbox. It is the front line of your entire business. The question is whether you are treating it that way today, or whether you will be explaining to customers why you did not.
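The earlier article's FAQ says that monitoring sign-in logs for repeated failed attempts is essential, and the super fund section above describes why credential stuffing is so hard to spot: each account sees only one or two attempts, so per-account lockout never fires. The following added example runs two detections over a constructed sign-in log excerpt: an MFA push-bombing burst (several denied or expired prompts for one user in a short window, and whether an approval followed it) and credential stuffing (one source address failing password checks against many distinct accounts, and which accounts it then got into). This is illustration code written for this article, not a rule set from Netlogyx or any product; the log format, the entries, the TEST-NET addresses and the thresholds are all constructed assumptions.

```python
"""Detection over sign-in logs for two credential-attack patterns: MFA push
bombing and credential stuffing. Added illustration, not a product rule set;
the log format, entries, addresses and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log excerpt: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2026-03-02T09:14:05Z user=alice ip=198.51.100.7 event=mfa_push result=timeout
2026-03-02T09:14:35Z user=alice ip=198.51.100.7 event=mfa_push result=denied
2026-03-02T09:15:02Z user=alice ip=198.51.100.7 event=mfa_push result=timeout
2026-03-02T09:15:40Z user=alice ip=198.51.100.7 event=mfa_push result=timeout
2026-03-02T09:16:11Z user=alice ip=198.51.100.7 event=mfa_push result=approved
2026-03-02T09:20:00Z user=bob ip=203.0.113.5 event=mfa_push result=approved
2026-03-02T11:00:01Z user=carol ip=192.0.2.44 event=password result=failed
2026-03-02T11:00:02Z user=dave ip=192.0.2.44 event=password result=failed
2026-03-02T11:00:02Z user=erin ip=192.0.2.44 event=password result=failed
2026-03-02T11:00:03Z user=frank ip=192.0.2.44 event=password result=failed
2026-03-02T11:00:04Z user=grace ip=192.0.2.44 event=password result=success
2026-03-02T11:30:00Z user=bob ip=203.0.113.5 event=password result=failed
2026-03-02T11:30:20Z user=bob ip=203.0.113.5 event=password result=success
"""


def parse(log_text: str) -> List[dict]:
    """Turn the constructed key=value lines into dicts with a parsed time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_push_bombing(events, threshold=3, window=timedelta(minutes=10)) -> Dict[str, dict]:
    """Users with >= threshold unapproved (denied/expired) push prompts inside
    any sliding window. Also reports whether an approval followed the burst,
    which is the signal that a worn-down user may have let an attacker in."""
    unapproved, approved = defaultdict(list), defaultdict(list)
    for e in events:
        if e["event"] != "mfa_push":
            continue
        (approved if e["result"] == "approved" else unapproved)[e["user"]].append(e["time"])
    flagged = {}
    for user, times in unapproved.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last = times[-1]
            approved_after = any(last < t <= last + window for t in approved[user])
            flagged[user] = {"prompts": best, "approved_after": approved_after}
    return flagged


def detect_credential_stuffing(events, min_accounts=4, window=timedelta(minutes=5)) -> Dict[str, int]:
    """Source IPs whose failed password attempts touch >= min_accounts distinct
    accounts inside a window. Grouping by source rather than by account is what
    makes low-and-slow stuffing visible."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "password" and e["result"] == "failed":
            by_ip[e["ip"]].append((e["time"], e["user"]))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {u for _, u in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(accounts))
    return flagged


def compromised_after_stuffing(events, flagged_ips) -> Dict[str, List[str]]:
    """Accounts that a flagged source then signed into successfully: the
    reused-password victims who need a forced reset and session revocation."""
    hits = defaultdict(list)
    for e in events:
        if e["ip"] in flagged_ips and e["event"] == "password" and e["result"] == "success":
            hits[e["ip"]].append(e["user"])
    return dict(hits)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("push bombing:", detect_push_bombing(evs))
    stuffing = detect_credential_stuffing(evs)
    print("credential stuffing:", stuffing)
    print("accounts to reset:", compromised_after_stuffing(evs, stuffing))
```

On the constructed excerpt, alice's four unapproved prompts in under two minutes followed by an approval are flagged as a bombing burst that succeeded, while bob's single failed password and retry are not; the 192.0.2.44 source is flagged for four distinct accounts within seconds, and grace's subsequent success from that address marks the account whose reused password was in the stolen set. The thresholds and windows are starting points to tune against a tenant's normal volume, not fixed values.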
(We are not looking to replace your current provider, just offering an alternative perspective)

Written by Neil Frick