
MFA is essential, but attackers are abusing it. Learn how to detect, prevent, and defend against MFA fatigue attacks.

Multi-Factor Authentication (MFA) has become a cornerstone of modern identity security. But as defenders have evolved, so have attackers. In 2025, one of the most persistent and effective identity-based threats is MFA fatigue—a tactic that turns a security feature into a social engineering weapon.

Let’s break down what MFA fatigue is, how it works, and most importantly, how to stop it.

What Is MFA Fatigue?

MFA fatigue is a form of social engineering where attackers exploit the human element of authentication. After obtaining a user’s credentials—often through phishing or data breaches—they initiate a flood of MFA push notifications to the victim’s device.

The goal? Wear the user down. Confuse them. Annoy them. Eventually, many users will tap “Approve” just to make the notifications stop.

This tactic is especially effective in high-pressure environments or during off-hours when users are distracted or tired.

How Attackers Exploit It

Attackers don’t need to be sophisticated to launch an MFA fatigue campaign. Here’s how it typically unfolds:

Credential Compromise

  • Phishing emails, credential stuffing, or dark web leaks provide the attacker with valid usernames and passwords.

Automated Login Attempts

  • Using scripts or bots, attackers repeatedly attempt to log in, triggering MFA prompts.

User Fatigue

  • The victim receives dozens of push notifications. Eventually, they approve one—either by mistake or out of frustration.

This method bypasses traditional brute-force defenses because the credentials are valid. The weakness lies in the human response to persistent prompts.

🔒 How to Defend Against MFA Fatigue

Stopping MFA fatigue requires a layered defense strategy that combines technology, policy, and user awareness.

✅ Rate Limit MFA Prompts

Limit how often users can receive MFA requests in a given time window. This reduces the effectiveness of spamming tactics.

Once a user hits that limit, stop sending prompts and redirect them to a self-service flow instead. This cuts down on log noise and alerts and lets the user resolve the issue themselves rather than being worn down by further pushes.
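To make the rate limit concrete, here is an added example (not code from the original post or from any vendor) of a per-user sliding window over MFA push prompts. The limit of three prompts per five minutes, the user name and the self-service action are assumed values; a real deployment would take them from policy and route the redirect to an actual help-desk or password-reset page.

```python
# Added example: a per-user sliding-window limit on MFA push prompts.
# Once a user has been prompted MAX_PROMPTS times within WINDOW_SECONDS,
# further login attempts get a self-service redirect instead of another push,
# so someone holding a valid password cannot keep the phone buzzing.
from collections import defaultdict, deque
from dataclasses import dataclass

MAX_PROMPTS = 3          # prompts allowed per user per window (assumed value)
WINDOW_SECONDS = 300     # 5-minute window (assumed value)


@dataclass
class Decision:
    action: str           # "send_push" or "redirect_self_service"
    prompts_in_window: int


class MfaPromptLimiter:
    def __init__(self, max_prompts=MAX_PROMPTS, window=WINDOW_SECONDS):
        self.max_prompts = max_prompts
        self.window = window
        self._events = defaultdict(deque)   # user -> timestamps of prompts sent

    def request_prompt(self, user: str, now: float) -> Decision:
        q = self._events[user]
        # Drop prompts that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_prompts:
            # Limit reached: send no push. The caller routes the user to a
            # self-service page (hypothetical endpoint) and raises one alert
            # for the whole burst instead of one per prompt.
            return Decision("redirect_self_service", len(q))
        q.append(now)
        return Decision("send_push", len(q))


def simulate_burst(limiter, user, attempts, start=0.0, gap=10.0):
    """Replay `attempts` login attempts `gap` seconds apart; return the actions taken."""
    return [limiter.request_prompt(user, start + i * gap).action for i in range(attempts)]


if __name__ == "__main__":
    lim = MfaPromptLimiter()
    # Constructed scenario: six attempts ten seconds apart for one user.
    print(simulate_burst(lim, "alice@example.com", 6))
```

The first three attempts produce pushes; attempts four through six are redirected without touching the phone, and once the window has elapsed the user can be prompted normally again.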

✅ Enforce Conditional Access

Use Microsoft Entra ID (formerly Azure AD) to enforce policies based on:

  • Geolocation (block logins from unexpected countries)
  • Device compliance (only allow managed devices)
  • Sign-in risk (block or challenge high-risk logins)

✅ Use Phishing-Resistant MFA

Push notifications alone are no longer enough. Upgrade to:

  • FIDO2 security keys
  • Microsoft Authenticator with number matching
  • Biometric authentication

These methods require user interaction that can’t be easily spoofed or spammed.
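The difference between plain push and number matching is easiest to see in code. The following is an added illustration, not code from the original post or from Microsoft Authenticator: it models a plain approve/deny push next to a number-matching push and runs one attacker-initiated login against each. The two-digit number and the class names are assumptions chosen for the simulation.

```python
# Added example: why number matching resists fatigue.
# With plain push, approving carries no information, so a tired user tapping
# "Approve" on a prompt they did not start completes the other party's login.
# With number matching, the sign-in screen (seen only by whoever typed the
# password) shows a number, and the authenticator app requires the user to
# type that same number; a user who did not start the login has nothing to
# enter, so a blind approval fails.
import secrets
from typing import Optional


class PushMfa:
    """Classic approve/deny push: the only input is a tap."""

    def start_login(self):
        return {"prompt": "Approve sign-in?"}          # what the phone shows

    def complete(self, _challenge, user_approved: bool) -> bool:
        return user_approved


class NumberMatchMfa:
    """Push with number matching: the sign-in screen shows a number to enter."""

    def start_login(self):
        number = secrets.randbelow(100)                # two-digit value (assumed range)
        return {"login_screen_shows": number,
                "prompt": "Enter the number shown on your sign-in screen"}

    def complete(self, challenge, entered: Optional[int]) -> bool:
        return entered is not None and entered == challenge["login_screen_shows"]


def login_attempt(mfa, victim_approves: bool, victim_at_login_screen: bool = False) -> bool:
    """Simulate one login where someone else typed the password.
    Returns True if the login completes."""
    challenge = mfa.start_login()
    if isinstance(mfa, PushMfa):
        return mfa.complete(challenge, victim_approves)
    if not victim_approves:
        return False
    # Number matching: only a user who is at the sign-in screen knows the number.
    entered = challenge["login_screen_shows"] if victim_at_login_screen else None
    return mfa.complete(challenge, entered)


if __name__ == "__main__":
    print("plain push, user taps approve:", login_attempt(PushMfa(), victim_approves=True))
    print("number match, user taps approve blindly:", login_attempt(NumberMatchMfa(), victim_approves=True))
    print("number match, user actually signing in:",
          login_attempt(NumberMatchMfa(), victim_approves=True, victim_at_login_screen=True))
```

A user who guesses a number instead of leaving the field empty still has only a one-in-a-hundred chance per prompt, which is the reason fatigue campaigns lose their economics once number matching is enforced.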

✅ Educate Teams

Train users to recognize MFA fatigue attacks. Encourage them to report unexpected prompts and never approve a login they didn’t initiate.

Technical Countermeasures

In Microsoft Entra (Azure AD)

  • Sign-in Frequency Policies: Limit how often users must re-authenticate.
  • MFA Registration Policies: Ensure users register secure MFA methods.
  • Authentication Strength Policies: Require phishing-resistant MFA for sensitive apps.

In SentinelOne (or other EDR/XDR platforms)

Monitoring is a critical part of a zero-trust architecture. Extended Detection and Response (XDR) platforms like CrowdStrike Falcon, SentinelOne, or MS Defender XDR are the tools for detecting and responding to these threats.

So, what do you monitor with respect to MFA?

Attackers often use automated tools or custom scripts that generate non-standard or outdated user-agent strings during login attempts. These behaviors will stick out from typical browser or mobile app traffic.

Monitor for:

  • Unusual user-agent strings
  • Login attempts from new IPs or devices
  • Repeated failed MFA attempts
  • Automated response actions, and the health of the automation itself

Use automation to trigger alerts or isolate accounts when suspicious patterns emerge.

Here is an example using MS Sentinel analytic rules to detect behaviors of MFA fatigue:

{
    "name": "Detect MFA Fatigue Attacks",
    "description": "Detects multiple MFA failures (ResultType 500121) followed by a successful login (ResultType 0) within a 5-minute window.",
    "severity": "Medium",
    "kind": "Scheduled",
    "queryFrequency": "PT5M",
    "queryPeriod": "PT5M",
    "triggerOperator": "gt",
    "triggerThreshold": 0,
    "tactics": [
        "Persistence",
        "Privilege Escalation"
    ],
    "techniques": [
        "T1078",
        "T1110"
    ],
    "query": "\nSigninLogs\n| where ResultType == 500121  // MFA denied\n| summarize FailedAttempts = count() by UserPrincipalName, bin(TimeGenerated, 5m)\n| join kind=inner (\n    SigninLogs\n    | where ResultType == 0  // Success\n    | project UserPrincipalName, SuccessTime = TimeGenerated\n) on UserPrincipalName\n| where SuccessTime between (TimeGenerated .. TimeGenerated + 5m)\n",
    "entityMappings": [
        {
            "entityType": "Account",
            "fieldMappings": [
                {
                    "identifier": "FullName",
                    "columnName": "UserPrincipalName"
                }
            ]
        }
    ],
    "suppressionDuration": "PT5M",
    "suppressionEnabled": false,
    "enabled": true,
    "templateVersion": "1.0.0",
    "displayName": "Detect MFA Fatigue Attacks"
}

ResultType 500121 corresponds to “Authentication failed during strong authentication request”. The above JSON can be imported into a MS Sentinel workspace to detect multiple MFA failures and track successful logins (ResultType == 0). We also describe the MITRE ATT&CK techniques and tactics being addressed. Here, we are linking to the tactics persistence and privilege escalation and the techniques brute force (T1110) and valid accounts (T1078).
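To see what the rule above fires on without a Sentinel workspace, here is an added example (not code from the original post, the GitHub repo, or Microsoft) that applies the same correlation to a handful of constructed rows in SigninLogs shape, and also implements the "Monitor for" list from the previous section (unusual user-agent strings and logins from new IPs). The sample rows, the user names, the baseline IP set and the three-failure threshold are all assumptions; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges. Unlike the KQL, which buckets failures into fixed 5-minute bins, this version counts failures in a sliding 5-minute window before each success, which is the more general form of the check.

```python
# Added example: MFA fatigue correlation plus user-agent / new-IP checks over
# constructed SigninLogs-style records. Not real log data.
from collections import defaultdict
from datetime import datetime, timedelta

MFA_DENIED = "500121"   # "Authentication failed during strong authentication request"
SUCCESS = "0"

# Constructed sample rows. alice is hammered by a script and one approval goes
# through; bob has an ordinary failed-then-successful login twenty minutes apart.
SAMPLE_LOGS = [
    {"TimeGenerated": "2025-03-01T10:00:00Z", "UserPrincipalName": "alice@example.com",
     "ResultType": MFA_DENIED, "IPAddress": "203.0.113.7", "UserAgent": "python-requests/2.31"},
    {"TimeGenerated": "2025-03-01T10:01:00Z", "UserPrincipalName": "alice@example.com",
     "ResultType": MFA_DENIED, "IPAddress": "203.0.113.7", "UserAgent": "python-requests/2.31"},
    {"TimeGenerated": "2025-03-01T10:02:00Z", "UserPrincipalName": "alice@example.com",
     "ResultType": MFA_DENIED, "IPAddress": "203.0.113.7", "UserAgent": "python-requests/2.31"},
    {"TimeGenerated": "2025-03-01T10:03:00Z", "UserPrincipalName": "alice@example.com",
     "ResultType": MFA_DENIED, "IPAddress": "203.0.113.7", "UserAgent": "python-requests/2.31"},
    {"TimeGenerated": "2025-03-01T10:04:00Z", "UserPrincipalName": "alice@example.com",
     "ResultType": SUCCESS, "IPAddress": "203.0.113.7", "UserAgent": "python-requests/2.31"},
    {"TimeGenerated": "2025-03-01T09:30:00Z", "UserPrincipalName": "bob@example.com",
     "ResultType": MFA_DENIED, "IPAddress": "198.51.100.5",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"TimeGenerated": "2025-03-01T09:50:00Z", "UserPrincipalName": "bob@example.com",
     "ResultType": SUCCESS, "IPAddress": "198.51.100.5",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
]

# Constructed baseline: IPs each user has signed in from before.
BASELINE_IPS = {"alice@example.com": {"198.51.100.20"}, "bob@example.com": {"198.51.100.5"}}


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(logs, window=timedelta(minutes=5), min_failures=3):
    """For each successful sign-in, count MFA denials for the same user in the
    preceding `window`; report the success if the count reaches `min_failures`."""
    by_user = defaultdict(list)
    for row in logs:
        by_user[row["UserPrincipalName"]].append(row)
    hits = []
    for upn, rows in by_user.items():
        rows.sort(key=lambda r: parse_time(r["TimeGenerated"]))
        for i, row in enumerate(rows):
            if row["ResultType"] != SUCCESS:
                continue
            t = parse_time(row["TimeGenerated"])
            failures = sum(1 for p in rows[:i]
                           if p["ResultType"] == MFA_DENIED
                           and t - parse_time(p["TimeGenerated"]) <= window)
            if failures >= min_failures:
                hits.append({"user": upn, "failed_attempts": failures,
                             "success_time": row["TimeGenerated"], "ip": row["IPAddress"]})
    return hits


def detect_anomalies(logs, baseline_ips):
    """Flag rows whose user agent does not look like a browser or mobile app
    (crude heuristic: browsers and the Microsoft apps send a Mozilla/5.0 prefix)
    or whose source IP is new for that user."""
    findings = []
    for row in logs:
        reasons = []
        if not row["UserAgent"].startswith("Mozilla/5.0"):
            reasons.append("unusual user agent")
        if row["IPAddress"] not in baseline_ips.get(row["UserPrincipalName"], set()):
            reasons.append("new IP")
        if reasons:
            findings.append((row["UserPrincipalName"], row["TimeGenerated"], reasons))
    return findings


if __name__ == "__main__":
    for hit in detect_mfa_fatigue(SAMPLE_LOGS):
        print("MFA fatigue suspected:", hit)
    for finding in detect_anomalies(SAMPLE_LOGS, BASELINE_IPS):
        print("anomaly:", finding)
```

Running it reports one fatigue hit for alice (four denials followed by a success from a scripted user agent on an IP she has never used) and nothing for bob, whose single denial is outside the window. Both detections agree on the same rows, which is the kind of corroboration worth requiring before an automated response isolates an account.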

📁 GitHub Resource

We’ve published a detection script to help identify patterns in your environment. 🔗 Explore the GitHub repo here 

Note: this tool is still being built out.

❓FAQs

Q: Is push-based MFA still safe? A: It’s safer than no MFA, but push notifications alone are vulnerable to fatigue attacks. Always pair with conditional access and user training.

Q: What’s the best MFA method in 2025? A: Number matching and hardware tokens like YubiKey offer the strongest protection. They require deliberate user action and are resistant to phishing and fatigue attacks.

Q: How can we detect if users are falling victim to MFA fatigue? A: Look for patterns such as rapid-fire login approvals, multiple failed logins followed by a successful one, or user approvals from unusual locations or devices.

Q: What should a company do after an MFA fatigue attack is detected? A: Immediately reset compromised credentials, investigate session logs, alert the affected user, and review conditional access policies to prevent recurrence.

Final Thoughts

MFA fatigue attacks are a reminder that security isn’t just about technology; it’s about people. By combining self-service, adaptive policies, and user education, organizations can keep pace with attackers this year and beyond.

📣 Take Action with PWNSentinel

If you’re looking for expert help with endpoint and identity security, PWNSentinel offers full-service management of both SentinelOne and Microsoft Defender. Whether you’re already using SentinelOne or need a secure, remote deployment and oversight solution, our team is ready to harden your environment and monitor for advanced threats.