MFA Fatigue: When the Attacker Just Asks Your Team for the Code

The reporting this week put a sharp point on something we have watched escalate all year: attackers have largely stopped trying to steal your multi-factor authentication and instead get your employees to hand it over. The phrasing in the security press is blunt: if your workforce authenticates with push-based MFA, this is a live threat to your organization today.

This is worth a clear explanation for every small business owner, because the instinct when you read it is "but we already turned on MFA." You did, and that was the right move. The problem is that the most common forms of MFA — a texted six-digit code, or a phone notification you approve with a tap — can be defeated without the attacker ever possessing your phone. Here is exactly how, and what to do about it without boiling the ocean.

Why the attack moved to the second factor

Passwords are effectively free for attackers now. Between years of breach dumps, infostealer malware that scrapes saved credentials off infected machines, and routine phishing, the password is rarely the obstacle. The brokered-credential pipeline we wrote about earlier this month sells valid Microsoft 365 logins by the thousand.

So MFA became the wall. And because it became the wall, the entire attacker economy reoriented around getting past it. They did not crack the cryptography. They went after the weakest link in the way most organizations deploy MFA: the human being holding the phone.

The three techniques hitting small business right now

1. Push bombing (MFA fatigue)

The attacker has your employee's password and simply tries to log in — over and over. Each attempt fires an approval prompt to the employee's phone. At 11 p.m., or in the middle of a busy workday, the phone lights up five, ten, twenty times. Eventually the employee taps "Approve" — to make it stop, or because they assume IT is doing something, or out of pure reflex. That one tap hands the attacker an authenticated session.

This is the simplest version and it has compromised some very large, very well-resourced companies. It works because a yes/no prompt with no context is easy to approve by mistake under pressure.

2. Adversary-in-the-middle phishing

This one defeats even a careful employee. The user gets an email — an invoice, a shared document, a voicemail notification — and clicks the link. They land on a page that looks exactly like the Microsoft 365 sign-in, because it is a proxy sitting between the user and the real Microsoft sign-in page. Everything the user types is relayed live to the genuine Microsoft site. The user enters the password, gets a real MFA prompt, approves it — and the proxy quietly captures the resulting session token, the cookie that proves "this person already passed MFA."

The attacker reuses that token and is now inside the mailbox, having never needed the second factor again. The user saw a normal login and noticed nothing wrong. Off-the-shelf phishing kits automate this entire flow; it is not exotic.

3. Help-desk social engineering

The lowest-tech of the three, and one of the most effective. The attacker calls your IT help desk (or your outsourced provider) posing as an employee who is locked out or got a new phone. They ask for an MFA reset or a new-device enrollment. If the help desk verifies identity with something an attacker can find on LinkedIn — name, manager, employee ID, last four of a phone number — the attacker enrolls their own device as the new second factor and walks in the front door. Several of the year's biggest breaches started with a phone call, not malware.

What actually stops it

The good news is that the defenses are well understood and within reach for a small business. They fall into a clear priority order.

Phishing-resistant MFA is the real fix

FIDO2 security keys (such as YubiKeys) and passkeys are phishing-resistant by design. The credential is cryptographically bound to the real website's domain: the browser tells the key which domain the sign-in page was actually loaded from, and the key will only answer for the domain the credential was registered to. When the user lands on an adversary-in-the-middle proxy, the key has no credential for that lookalike domain and silently refuses to authenticate. There is no code to read aloud, no prompt to approve by mistake, nothing to hand over. Push bombing and AiTM both fail against it.

Passkeys are free and built into Microsoft Entra, Windows Hello, iOS, Android, and modern browsers, so most employees can enroll one on a device they already own. Hardware keys run roughly $25 to $70 each and are worth buying for the accounts that matter most: administrators, finance, owners, and anyone who can move money or change payroll. Enforce them through Microsoft Entra Conditional Access so that those roles literally cannot sign in with a weaker method.

If you cannot roll out keys this week, do these now

  • Turn on number matching. Instead of a yes/no tap, the login screen shows a number the user must type into the Authenticator app. You cannot type a number you cannot see, so a blind approval spam attack fails. This is on by default in Microsoft Authenticator now, but verify it is enforced.
  • Enable additional context in the Authenticator app, so the prompt shows the app name and the sign-in location. An employee in Salinas seeing a sign-in from another country is far more likely to decline.
  • Block legacy authentication. Older protocols and sign-in methods (IMAP, POP, basic auth) accept only a username and password, so they bypass MFA entirely. Conditional Access can turn them off. This is one of the highest-value 15-minute changes in Microsoft 365.
  • Retire SMS as a factor where you can. Texted codes are phishable and SIM-swappable. Move users to the Authenticator app at minimum, keys ideally.

Lock down the help desk

Technology does not fix the phone call. Every help desk — yours or your provider's — needs a written caller-verification procedure that does not rely on public information. Good options: a callback to the number on file, verification through a manager, a one-time code sent to a pre-registered channel, or in-person/video confirmation for high-risk requests like MFA resets. We build this verification runbook into the onboarding for every client we manage, precisely because attackers have learned the help desk is the soft spot.

Back it with monitoring

Even with strong MFA, you want eyes on the identity layer. Microsoft Entra flags risky sign-ins, impossible-travel events, and suspicious MFA-registration changes. Someone has to be watching those alerts and acting on them — which is the 24/7 MDR argument we have made all month. A new device enrolling as an MFA method for your CFO at 3 a.m. is exactly the kind of signal that should wake someone up.
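One way to turn the two signals named above into alerts, as an added example that is not the post's own code nor any vendor's: a burst of declined or timed-out push prompts followed by an approval, and a privileged account registering a new MFA method out of hours. It runs in Node.js on constructed events; the field names, the watch list, the time-zone offset and the thresholds are assumptions, not Entra's schema.

```javascript
const PRIVILEGED = new Set(['cfo@example.com', 'admin@example.com']); // constructed watch list (assumption)
// Constructed sample events, not real logs. UTC timestamps; field names are assumptions loosely
// modelled on Entra sign-in and audit records.
const EVENTS = [
  { type: 'signin', user: 'jane@example.com', time: '2026-03-10T05:01:00Z', mfaResult: 'denied_timeout' },
  { type: 'signin', user: 'jane@example.com', time: '2026-03-10T05:01:40Z', mfaResult: 'denied_timeout' },
  { type: 'signin', user: 'jane@example.com', time: '2026-03-10T05:02:15Z', mfaResult: 'denied_declined' },
  { type: 'signin', user: 'jane@example.com', time: '2026-03-10T05:03:05Z', mfaResult: 'denied_timeout' },
  { type: 'signin', user: 'jane@example.com', time: '2026-03-10T05:03:50Z', mfaResult: 'denied_timeout' },
  { type: 'signin', user: 'jane@example.com', time: '2026-03-10T05:04:30Z', mfaResult: 'approved' },
  { type: 'signin', user: 'bob@example.com',  time: '2026-03-10T16:00:00Z', mfaResult: 'denied_timeout' },
  { type: 'audit',  user: 'cfo@example.com',  time: '2026-03-10T11:02:00Z', activity: 'User registered security info' },
  { type: 'audit',  user: 'bob@example.com',  time: '2026-03-10T18:00:00Z', activity: 'User registered security info' },
];
// Detection 1: push bombing. Flag a user with `threshold` or more denied/timed-out MFA prompts
// inside a sliding window, and record whether an approval landed in that same window.
function detectPushBombing(events, { threshold = 5, windowMs = 10 * 60 * 1000 } = {}) {
  const byUser = new Map();
  for (const ev of events.filter(e => e.type === 'signin')) {
    if (!byUser.has(ev.user)) byUser.set(ev.user, []);
    byUser.get(ev.user).push(ev);
  }
  const alerts = [];
  for (const [user, list] of byUser) {
    list.sort((a, b) => Date.parse(a.time) - Date.parse(b.time));
    for (const first of list) {
      const start = Date.parse(first.time);
      const inWindow = list.filter(e => Date.parse(e.time) >= start && Date.parse(e.time) - start <= windowMs);
      const denied = inWindow.filter(e => e.mfaResult.startsWith('denied')).length;
      if (denied >= threshold) {
        alerts.push({ user, deniedPrompts: denied, approvalInWindow: inWindow.some(e => e.mfaResult === 'approved') });
        break; // one alert per user is enough for triage
      }
    }
  }
  return alerts;
}
// Detection 2: a privileged account registering a new MFA method outside business hours.
// localOffsetHours converts UTC to local time (-8 assumed here for Pacific standard time).
function detectOffHoursRegistration(events, { localOffsetHours = -8, openHour = 7, closeHour = 19 } = {}) {
  return events
    .filter(e => e.type === 'audit' && e.activity === 'User registered security info' && PRIVILEGED.has(e.user))
    .filter(e => {
      const localHour = (new Date(e.time).getUTCHours() + localOffsetHours + 24) % 24;
      return localHour < openHour || localHour >= closeHour;
    })
    .map(e => ({ user: e.user, time: e.time }));
}
```

On the sample data the first detection fires once for jane (five denied prompts, then an approval inside the window) and the second fires once for the CFO's 3 a.m. local registration; bob's single timeout and daytime registration stay quiet.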

What this looks like for a Central Coast small business

For a typical 15-to-50-person business on Microsoft 365 Business Premium — which most of our Salinas, Monterey, and Santa Cruz clients run — nearly everything above is already licensed. Conditional Access, number matching, passkeys, legacy-auth blocking, and Entra risk detection all come with Business Premium. The work is configuration and rollout, not new purchases. The only hard cost is hardware keys for your most sensitive accounts, which is a few hundred dollars for a small team.

The realistic project is one to two weeks: enable the phishing-resistant methods, enroll users in waves so the help desk is not overwhelmed, tighten Conditional Access to require the strong method for admins and finance first and then everyone, and document the help-desk verification procedure. None of it is exotic. It is the difference between "we have MFA" and "our MFA cannot be handed over."

Where this fits with the rest of the cluster

  • The identity hardening post: phishing-resistant MFA is the centerpiece of the five-control minimum, and this is the attack it defends against.
  • The AI attack speed post: stolen credentials are cheap and fast, which is exactly why the second factor became the battleground.
  • The ransomware post: a handed-over MFA approval is one of the most common first steps in the chain that ends in encryption.
  • The cyber-insurance checklist: underwriters increasingly ask specifically about phishing-resistant MFA for privileged accounts. "We have MFA" is no longer the whole answer.

The honest summary: MFA is not failing, but the easy versions of it are being routed around through people, not technology. The fix is to deploy the kind of MFA that has nothing a person can give away. For a small business in 2026 that is a short, affordable project, and it closes one of the widest-open doors attackers are walking through right now.

FAQs about MFA fatigue and phishing-resistant MFA

We have MFA turned on. Are we not already protected?

MFA is still essential and you should keep it on, but not all MFA is equal. SMS codes and simple approve/deny push notifications can be defeated without stealing anything: the attacker triggers a login, then either spams approval prompts until the user taps Approve to make them stop (push bombing), or relays a real-time phishing page that captures both the password and the code (adversary-in-the-middle). Phishing-resistant MFA, namely FIDO2 security keys and passkeys, cannot be handed over this way because the credential is cryptographically bound to the real site.

What is MFA fatigue or push bombing?

The attacker already has the user's password (from a breach, infostealer, or phishing) and repeatedly attempts to log in, firing a stream of MFA approval prompts at the user's phone. Late at night or mid-meeting, the user eventually taps Approve to make the notifications stop, or assumes IT is doing maintenance. That single approval hands the attacker the session. Number matching, which forces the user to type a number shown on the login screen into their authenticator, defeats the basic version of this attack.

What is adversary-in-the-middle phishing?

The user clicks a phishing link and lands on a proxy page that looks exactly like the Microsoft 365 sign-in. The proxy forwards everything to the real Microsoft site in real time: the user types their password and approves the MFA prompt, and the attacker's server captures the resulting authenticated session token. Because the token is already past MFA, the attacker reuses it and never needs the second factor again. Phishing-resistant MFA stops this because the security key checks the real domain and refuses to authenticate to the proxy.

What is the single most effective control against this?

Phishing-resistant MFA: FIDO2 security keys (such as YubiKeys) or passkeys, enforced through Microsoft Entra Conditional Access for at least your administrators and high-risk roles. If full rollout is not feasible immediately, the fastest interim wins are turning on number matching, enabling additional context in the Authenticator app, and blocking legacy authentication. Pair those with Conditional Access policies that require a compliant or hybrid-joined device for sensitive applications.

Our help desk resets MFA when employees call. Is that a risk?

Yes, and it is one of the most exploited paths in 2026. Attackers call the help desk posing as an employee who is locked out and ask for an MFA reset or a new device enrollment. If the help desk resets the factor without strong identity verification, the attacker enrolls their own device. Every IT help desk, internal or outsourced, needs a written caller-verification procedure that does not rely on information an attacker can find on LinkedIn. We build this into the runbook for every client we manage.

Do passkeys cost anything and are they hard to roll out for a small business?

Passkeys themselves are free and built into Microsoft Entra, iOS, Android, Windows Hello, and modern browsers, so most employees can enroll one on a device they already own. FIDO2 hardware keys run roughly $25 to $70 each and are worth it for administrators and finance staff. For a typical 15-to-50-person business the rollout is a one-to-two-week project: enable the methods in Entra, enroll users in waves, then tighten Conditional Access to require the phishing-resistant method. We do this routinely for Central Coast businesses.

Want your MFA checked against these attacks?

30 minutes with a DoD-cleared engineer. We will review your Microsoft 365 MFA methods and Conditional Access, flag where SMS or simple push is still in use, and give you a written rollout plan for phishing-resistant MFA plus a help-desk verification procedure.

Book your free assessment

Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.
