
The rise of MFA bombing

Michael Downs at SecurEnvoy explores a troubling new trend in cyber-attacks, one that goes to the heart of how many organisations keep themselves secure


Multi-factor authentication is designed to stop unauthorised access, yet, like many security controls, it can be turned against the organisations that rely on it. MFA bombing (also called MFA fatigue or push bombing) is a technique now linked to several high-profile UK incidents. It relies less on technical compromise than on pressuring the user, and it is proving highly effective.

 

How MFA bombing works in practice

MFA bombing attacks typically begin with compromised credentials, often obtained through phishing or purchased from underground marketplaces. Once attackers have a valid username and password, they use automated tools to trigger a stream of push-notification MFA requests to the victim's registered device. The technique is most effective against factors that ask only for a simple approve or deny decision; a factor that requires the user to type a code shown on the login screen, or that is bound to the device and origin, gives the attacker nothing to spam.

 

Rather than attempting to stay hidden, attackers rely on persistence. The constant stream of push notifications is intended to frustrate or confuse the user, increasing the likelihood that they will eventually approve a request simply to stop the interruptions. In some cases, attackers reinforce this pressure by phoning or messaging the user while impersonating IT support staff, claiming the prompts are expected and asking the user to approve one.

 

This technique has been widely associated with the Scattered Spider group, which has been flagged by organisations such as CISA for its effective use of social engineering. Crucially, the success of these attacks highlights a limitation of push-based MFA: it ultimately depends on a user making the correct decision under pressure.

 

When cyber-attacks target people instead of systems

Modern cyber-attacks rarely rely on brute force alone. Threat actors are increasingly focused on exploiting human behaviour, knowing that users are often the weakest link in otherwise well-protected environments.

 

MFA bombing is a clear example of this shift, and recent attacks against UK organisations such as Marks & Spencer and Jaguar Land Rover illustrate how disruptive people-focused tactics can be. In both cases, public reporting attributes the initial foothold to social engineering of people, including pressure on users and impersonation of staff to IT helpdesks, rather than to the exploitation of software vulnerabilities. The resulting impact extended beyond IT teams, causing operational disruption across multiple parts of each business.

 

These incidents reinforce an important lesson: authentication controls must be designed for real-world use, not ideal user behaviour.

 

MFA remains an essential security control, yet the UK Cyber Security Breaches Survey 2025 found that fewer than half of businesses have deployed two-factor authentication at all. Many organisations that have implemented MFA as a baseline requirement have done so without considering how attackers might exploit the particular factor they chose. As a result, organisations may believe they are protected while attackers are actively working around those defences.

 

Reducing risk through smarter authentication

Addressing MFA bombing requires a combination of user awareness and better authentication design. Users should be trained to treat an unexpected login prompt as evidence that their password is already in someone else's hands: deny it, report it and change the password. However, organisations should not rely solely on training to solve what is fundamentally a technical problem. The direct technical controls are well understood: number matching (the user must enter a code displayed on the login screen into the authenticator, so a blind tap cannot approve an attacker's session), a cap on push prompts per account per time window with an alert when it is reached, and showing the requesting application and location in the prompt so that a mismatch is obvious.

 

Adaptive (risk-based) MFA provides a more resilient approach by introducing contextual intelligence into authentication decisions. Instead of treating every login the same, adaptive MFA assesses factors such as device type, location, browser, operating system and typical user behaviour. If a login attempt deviates from established patterns, additional verification can be required or access can be blocked automatically.

 

Because an attacker's login attempt usually arrives from an unfamiliar device and location, adaptive MFA can block it or route it to a stronger factor before any push is sent, which is what limits the effectiveness of MFA bombing. Suppressing prompts for routine, low-risk logins has a second benefit: the fewer prompts users see, the more an unexpected one stands out.

 

Moving towards phishing-resistant MFA

To further strengthen authentication, organisations should consider phishing-resistant MFA methods. Technologies such as FIDO2 passkeys and certificate-based authentication use public-key cryptography rather than shared secrets: the server holds only a public key, so there is no password or one-time code for an attacker to intercept or reuse.

 

With FIDO2, each credential is scoped to the legitimate domain (the relying-party identifier), and every authentication is signed over data that includes the origin the browser actually saw. A credential registered for the real site is never offered on a lookalike domain, and even if an assertion were produced elsewhere, the server would reject the mismatched origin, so a phishing page cannot complete the login. Because private keys never leave the user's authenticator, attackers cannot steal usable credentials.

 

This approach removes the preconditions MFA bombing depends on: there is no push prompt for the attacker to trigger, and the user's touch or biometric gesture can only complete a login that the user started in their own browser.

 

Why MFA strategies need to evolve

Recent incidents demonstrate that MFA bombing is no longer a theoretical risk but a proven technique being used successfully against large organisations with mature security programmes.

 

To respond, businesses should build on their existing MFA deployments rather than treat them as finished. Adaptive controls, phishing-resistant authentication and realistic, user-centric design are now essential components of a modern access strategy.

 

In doing so, organisations can reduce disruption, limit attacker success and maintain secure access in an increasingly social-engineering-driven threat landscape.

 


 

Michael Downs is VP at SecurEnvoy

 

Main image courtesy of iStockPhoto.com and tsingha25


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543