MFA Bombing - What You Need to Know

MFA Bombing, also known as MFA Fatigue, is when a cybercriminal repeatedly sends MFA requests to a victim’s registered device. The goal is to overwhelm the victim with notifications, hoping they will approve one out of frustration or confusion, granting the attacker access to their account.

Typically, attackers obtain stolen credentials through phishing, credential stuffing, or purchasing them on the dark web. Once they have the login details, they attempt to sign in to the victim’s account, triggering the MFA push notifications. These notifications can come via email, text message, or authentication apps like DUO.

Some attackers will impersonate tech support: they call the victim and pretend to help resolve an issue while tricking them into approving the login.

What should you do if this happens to you? Don’t approve any DUO requests that you did not initiate. If you get one you don’t expect, call the IT Helpdesk immediately at 603-646-2999; they will help you lock your account and change your password.

Information Security Incident MFA Bomb/MFA Fatigue 05/22/2025

Learn more about MFA Bombing in Litmos

Details

Article ID: 167250
Created: Tue 6/17/25 10:57 AM
Modified: Tue 6/17/25 11:28 AM