Why MFA Prompts Are the New Hacker Trick (and What to Do About It)

Multi-Factor Authentication (MFA) is meant to protect your business, but attackers have found a way to turn it against you. MFA fatigue (also called prompt bombing) is when an attacker who already has your password floods your phone with sign-in approval prompts, hoping you’ll tap “approve” just to make them stop. It works because people are busy, distracted, and used to tapping “yes” without thinking. The tactic is well established, and SMEs that leave MFA on its default settings are an easy target.

What MFA fatigue actually is

MFA fatigue starts when someone has already stolen or bought a password. The password alone isn’t enough to get in, so instead of guessing anything else they simply keep trying to sign in. Every attempt fires off an approval request to the victim’s phone. Often the attacker adds a nudge as well, such as a message or call claiming to be from IT and asking the person to accept the prompt. If the victim gets fed up or confused and approves one, the attacker is in. That’s it.

It’s not about breaking your systems. It’s about relying on the fact that humans make snap decisions, especially when under pressure.
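Here is what a burst like this looks like in a tenant’s sign-in logs, as an added example (not from the original post or from Clearsky): a short Python script over constructed sign-in events. The field names loosely follow Microsoft Entra ID sign-in logs, which is an assumption; the result code 500121 and the “MFA denied” detail strings are modelled on what Entra reports, but check your own tenant’s log schema before relying on them. The script flags any user who receives five or more push prompts inside ten minutes and checks whether a successful sign-in from the same IP followed, which is the tell-tale sign that someone tapped “approve”.

```python
"""Added example: spotting an MFA-fatigue burst in sign-in events.

The events below are constructed for illustration. Field names loosely
follow Microsoft Entra ID sign-in logs (an assumption, not a verified
schema): resultType 500121 is the generic "strong authentication failed"
code, and the detail text says whether the user declined the push or
never answered it. A success is resultType 0.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_FAILED = 500121
SUCCESS = 0

NO_RESPONSE = "MFA denied; user did not respond to mobile app notification"
DECLINED = "MFA denied; user declined the authentication"
SATISFIED = "MFA requirement satisfied by claim in the token"
ATTACKER_IP = "203.0.113.7"  # constructed, documentation range


def event(time, user, ip, result, detail):
    return {"time": time, "user": user, "ip": ip, "resultType": result, "detail": detail}


# Constructed sample: alice is bombarded from one IP and eventually gives in;
# bob declines a single stray prompt and then signs in normally from his own IP.
SAMPLE_EVENTS = [
    event("2025-06-18T08:01:10Z", "alice@example.com", ATTACKER_IP, MFA_FAILED, NO_RESPONSE),
    event("2025-06-18T08:01:45Z", "alice@example.com", ATTACKER_IP, MFA_FAILED, NO_RESPONSE),
    event("2025-06-18T08:02:20Z", "alice@example.com", ATTACKER_IP, MFA_FAILED, NO_RESPONSE),
    event("2025-06-18T08:03:05Z", "alice@example.com", ATTACKER_IP, MFA_FAILED, DECLINED),
    event("2025-06-18T08:03:50Z", "alice@example.com", ATTACKER_IP, MFA_FAILED, NO_RESPONSE),
    event("2025-06-18T08:04:30Z", "alice@example.com", ATTACKER_IP, MFA_FAILED, NO_RESPONSE),
    event("2025-06-18T08:05:12Z", "alice@example.com", ATTACKER_IP, SUCCESS, SATISFIED),
    event("2025-06-18T09:10:00Z", "bob@example.com", "198.51.100.4", MFA_FAILED, DECLINED),
    event("2025-06-18T09:11:30Z", "bob@example.com", "192.0.2.55", SUCCESS, SATISFIED),
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_fatigue_bursts(events, threshold=5, window_minutes=10):
    """Return one alert per user who saw `threshold`+ MFA failures within the window.

    Each alert also records whether a successful sign-in followed the burst and
    whether that success came from the same IP as the spam. With push MFA the
    sign-in IP is the attacker's browser, not the victim's phone, so a success
    from the burst IP means the attacker's session is the one that got approved.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_time(e["time"])):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        failures = [e for e in evs if e["resultType"] == MFA_FAILED]
        for i, first in enumerate(failures):
            start = parse_time(first["time"])
            burst = [f for f in failures[i:] if parse_time(f["time"]) - start <= window]
            if len(burst) < threshold:
                continue
            end = parse_time(burst[-1]["time"])
            burst_ips = {f["ip"] for f in burst}
            # A success between the first prompt and `window` after the last one is
            # either the victim giving in or the real user signing in after the
            # attacker gave up; the IP check below tells the two apart.
            approvals = [e for e in evs if e["resultType"] == SUCCESS
                         and start <= parse_time(e["time"]) <= end + window]
            alerts.append({
                "user": user,
                "first_prompt": first["time"],
                "last_prompt": burst[-1]["time"],
                "prompts": len(burst),
                "declined": sum("declined" in f["detail"] for f in burst),
                "source_ips": sorted(burst_ips),
                "approved": bool(approvals),
                "approved_from_burst_ip": any(a["ip"] in burst_ips for a in approvals),
            })
            break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_fatigue_bursts(SAMPLE_EVENTS):
        verdict = "LIKELY COMPROMISED" if alert["approved_from_burst_ip"] else "spam only"
        print(f"{alert['user']}: {alert['prompts']} prompts "
              f"{alert['first_prompt']}..{alert['last_prompt']} "
              f"from {alert['source_ips']} -> {verdict}")
```

Run against the sample, the script reports alice with six prompts and a success from the attacker’s IP a minute after the last one, and says nothing about bob, whose one declined prompt and later sign-in from a different address is what an ordinary mis-tap looks like. Tune the threshold to your own tenant; two or three prompts in a minute is already odd for most staff.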

Why it works so well

These attacks rely on habits and timing. If someone gets five or ten prompts during a meeting or while commuting, they might hit accept without thinking. That’s the psychology behind it—overload, repetition, and the assumption that MFA is always safe. Many staff don’t know that one wrong tap can open the door to everything: emails, files, client records, even finance systems.

Real incidents you should know about

This isn’t just theory. In 2022, Uber was breached after a contractor, whose password had already been obtained by the attacker, was bombarded with MFA push prompts and also messaged on WhatsApp by someone claiming to be Uber IT support. The contractor eventually approved a prompt. The attacker got into internal systems and posted messages in the company’s internal Slack.

Microsoft dealt with the same group and the same trick that year. Its own threat intelligence team documented the LAPSUS$ group (which Microsoft tracks as DEV-0537) spamming targets with MFA prompts, sometimes repeatedly and late at night, until someone accepted. They didn’t need to steal anything complicated. They just needed someone to get tired and say yes.

Sources like Microsoft, Keepnet Labs, and NinjaOne all back this up. It’s a known tactic that keeps working.

Does this only happen to Microsoft users?

No. Google Workspace, Okta, Duo and most major platforms that send a simple “approve or deny” push notification are exposed to this method, and several of them now offer number matching or “verified push” features of their own. If you use Microsoft and configure it properly, you’ve got more than one way to prepare for it. Most SMEs never change the defaults, and that’s the risk.

In our experience, businesses using Microsoft can cut the risk with a handful of settings. Number matching in Microsoft Authenticator (which Microsoft has enforced for push notifications since May 2023) means staff must type a number shown on the sign-in screen rather than just tap “approve”, so an attacker’s prompt can’t be accepted by accident. Showing additional context in the prompt, such as the app name and approximate sign-in location, makes a bogus prompt obvious. Conditional Access can block or step up sign-ins from unexpected countries, unmanaged devices or risky sessions. And for the accounts that matter most, phishing-resistant methods such as FIDO2 security keys or passkeys remove the approve button altogether. You just need someone to set it up properly and explain what staff should do if they get suspicious prompts.

What your team should do

Tell your staff to stop, think, and speak up. If they get login prompts they didn’t expect, they shouldn’t approve them. It’s not about trusting the system—it’s about trusting their instinct. If something seems wrong, they should flag it. That hesitation could stop an attack.

As a business owner or manager, review how your MFA is set up. Talk to your IT provider about safer options. Don’t leave your team guessing.

MFA Prompt Safety Checklist

You can send this to staff or pin it up in shared spaces.

✅ Ask yourself first:

  • Did I just try to log in?

  • Is the location correct?

  • Does the time make sense?

  • Is it asking me to type a number I can see on my own screen? If there’s no number on your screen, you didn’t start this sign-in.

🚫 If not sure:

  • Don’t approve

  • Take a screenshot

  • Contact your IT support (Clearsky clients: ring us straight away)

MFA fatigue is about timing, repetition and human error, not broken technology. Microsoft’s tools can sharply lower the chances of your business falling prey to it, but only if they’re switched on and configured the right way. If you want to check how your setup is performing, we can help.

Further reading: Multifactor authentication

18th June 2025
