Uber, MGM, Caesars
three high-profile breaches where MFA fatigue was the documented initial access vector — all used push-based MFA without number matching
11 seconds
average time between a stolen credential being used and the first MFA push notification sent to the victim in documented fatigue attacks
30%
of users approve an unexpected MFA push within 60 seconds when the attacker adds a fake IT support call alongside the push flood
0
documented successful MFA fatigue attacks against FIDO2 hardware keys — the attack is physically impossible against device-bound credentials

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Push-based MFA was a meaningful security upgrade over password-only authentication. It is no longer sufficient against targeted attackers. The Scattered Spider group — responsible for breaches at Uber, MGM Resorts, Caesars Entertainment, and the 2026 UK retail attacks against Marks & Spencer, Co-op, and Harrods — documented MFA push bombing as a core technique: flood the victim's phone with authentication requests, call them pretending to be IT support, tell them to approve the notification to stop the alerts.

The vulnerability is architectural. Push notifications without number matching give users no information about the login attempt they are approving. Approving the push is binary — the user has no way to distinguish a legitimate login from an attacker's login. This guide covers the specific configuration changes that close the fatigue attack vector and the migration path to phishing-resistant MFA for organizations that need to go further.

How the attack works

Understanding the attack sequence helps prioritize which controls to deploy first.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Fix 1: Enable number matching (highest-impact, lowest-effort change)

Number matching is the single configuration change that has the highest impact on MFA fatigue attacks. It is available in all major MFA platforms and requires no additional licensing.

With number matching enabled, when an authentication request is submitted, the MFA application displays a 2-digit number to the requester (on the login screen). The push notification received on the victim's device requires them to enter that specific number — not just tap approve. An attacker conducting a push flood cannot provide the correct number because they cannot see what is displayed on the victim's login screen. The attack fails regardless of how many push requests are sent.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Fix 2: Add rate limiting and anomaly detection for MFA requests

Number matching stops fatigue attacks where the user is the weak link. Rate limiting stops the flood itself from being a viable attack mechanism.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Fix 3: Migration path to phishing-resistant MFA

Number matching significantly hardens push-based MFA against fatigue attacks. It does not protect against adversary-in-the-middle (AiTM) phishing attacks that capture both credentials and MFA session tokens in real time. The complete solution for the highest-risk accounts is phishing-resistant MFA: FIDO2 hardware keys or passkeys.

Phishing-resistant MFA is not susceptible to fatigue attacks, AiTM attacks, or social engineering because authentication is cryptographically bound to the specific origin domain — a credential issued for your-company.com cannot authenticate against an attacker's fake-your-company.com, regardless of how convincing the phishing page is.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

The configuration path that stops MFA fatigue attacks is clearly defined: enable number matching in your MFA platform immediately (this stops the specific push flood technique), configure rate limiting on authentication attempts, and build a detection rule for push flood patterns. For privileged accounts, deploy FIDO2 hardware keys as the complete solution. These changes require no new tooling purchase and no extended project timeline — number matching is a configuration toggle that can be enabled today.

Frequently asked questions

Does number matching stop all MFA bypass attacks?

Number matching stops MFA fatigue/prompt bombing attacks specifically. It does not stop adversary-in-the-middle (AiTM) attacks that use real-time phishing proxies to capture both credentials and session cookies. For complete MFA protection against AiTM attacks, deploy FIDO2/passkeys which are origin-bound and cannot be proxied.

What is the difference between MFA fatigue and SIM swapping?

MFA fatigue exploits push-based MFA by flooding the user with approval requests. SIM swapping attacks the SMS MFA channel by porting the victim's phone number to an attacker-controlled SIM, allowing them to receive SMS codes. Both are MFA bypass techniques. SMS-based MFA is vulnerable to SIM swapping; push-based MFA without number matching is vulnerable to fatigue attacks. FIDO2 hardware keys are resistant to both.

How did Scattered Spider bypass MFA at Caesars and MGM?

Public incident reporting indicates Scattered Spider combined credential theft (via phishing or social engineering of employees) with MFA fatigue attacks (push flooding) reinforced by helpdesk social engineering. At MGM, the group reportedly called the IT help desk impersonating an employee and convinced the agent to reset MFA, gaining initial access without needing to bypass MFA at all. Both vectors — MFA fatigue and helpdesk social engineering — require separate controls.

Sources & references

  1. CISA/FBI Scattered Spider Advisory
  2. Akira Ransomware MFA Fatigue Playbook - Security Boulevard
  3. CISA Phishing-Resistant MFA Fact Sheet

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.