A push notification can feel reassuring. It suggests that a second layer of protection is doing its job.
That confidence is exactly what MFA fatigue attacks try to exploit.
In Microsoft 365, this attack pattern is simple and effective: an attacker gets a valid username and password, then floods the user with repeated Microsoft Authenticator prompts until that person approves one by mistake, out of frustration, or after being pressured by a fake “IT support” call. The security control is still there, but the human response becomes the weak point.
For organizations that depend on Microsoft 365 for email, collaboration, file sharing, and remote access, this is not a niche problem. It is a practical risk with a practical fix. Number matching, strong Conditional Access policies, and safer authentication methods can turn MFA from a one-tap annoyance into a much stronger barrier.
MFA fatigue attacks in Microsoft 365
MFA fatigue, often called push bombing, works by overwhelming the user rather than breaking the technology. Once an attacker has stolen credentials through phishing, password reuse, or malware, they repeatedly attempt to sign in. Each attempt triggers a legitimate MFA prompt on the user’s device.
At that point, the attacker is counting on human behavior. A user may think the repeated prompts are a glitch. They may be distracted. They may be asleep. They may receive a convincing phone call from someone pretending to be internal IT. One accidental approval is enough to hand over access to Microsoft 365.
The risk goes well beyond email. A successful sign-in can expose SharePoint data, Teams conversations, OneDrive files, business applications tied to Entra ID, and administrative functions if the account has elevated rights.
A few warning signs tend to show up early:
- Repeated unexpected Authenticator prompts
- Sign-in requests outside business hours
- Login attempts from unfamiliar locations
- Users reporting “my phone keeps asking me to approve something”
Number matching in Microsoft Authenticator
Number matching is one of the most effective defenses against blind MFA approvals. Instead of showing a simple approve or deny prompt, Microsoft Authenticator requires the user to enter the number displayed on the sign-in screen.
That sounds minor. It is not.
With one-tap approvals, an attacker only needs the user to press “Approve” once. With number matching, the user must see the actual sign-in screen, read the code, and enter it in the app. Random push spam becomes much less useful because there is no meaningful action to take without the matching number.
Microsoft moved to enforce number matching for Authenticator push approvals because the older experience made fatigue attacks far too easy. Even so, organizations should still verify their authentication setup, user enrollment state, and older fallback methods. A modern default is helpful, but it does not replace policy review.
Why number matching blocks blind approvals
A push prompt without context invites reflexive behavior. A push prompt with a number requires intent.
That change matters because fatigue attacks depend on speed, distraction, and repetition. Number matching forces a pause. It asks the user to verify that a real sign-in is happening on a real screen in front of them. That single design change removes much of the attacker’s advantage.
There is a usability tradeoff, of course. Users need a current Authenticator app and a few moments of attention during sign-in. For most businesses, that small amount of friction is well worth the reduction in account compromise risk.
Conditional Access policies for MFA fatigue prevention
Conditional Access controls whether the prompt should appear at all.
A well-designed Conditional Access strategy narrows the conditions under which Microsoft 365 can be accessed. It can require managed devices, block legacy authentication, restrict risky sign-ins, and apply stricter controls to administrators and other sensitive roles. This is where Microsoft 365 security moves from “everyone gets prompted” to “only trusted access is allowed.”
That shift is powerful because many MFA fatigue campaigns start from suspicious contexts: unfamiliar geographies, unmanaged endpoints, anonymous IP services, impossible travel patterns, or accounts already showing risk indicators. Conditional Access lets you act on those signals before an approval request becomes the user’s problem.
The controls below offer strong value for most organizations:
| Control | What it does | Why it helps against push bombing |
|---|---|---|
| Require compliant devices | Allows access only from managed, policy-compliant endpoints | Stops attackers signing in from random personal or hostile devices |
| Block legacy authentication | Prevents old protocols that bypass modern controls | Reduces password spray paths and weaker login flows |
| Restrict by location | Blocks or challenges sign-ins from countries or networks outside normal operations | Cuts off many remote attack attempts before MFA fires |
| Use sign-in risk policies | Applies stronger requirements or blocks access when Microsoft flags risk | Adds an intelligent layer around compromised credentials |
| Protect admin accounts separately | Enforces stricter authentication for privileged users | Limits the blast radius if an attacker targets high-value accounts |
High-value Conditional Access settings for Microsoft 365
Many environments improve quickly when a few high-impact policies are applied consistently. The goal is not complexity. The goal is controlled access with fewer exceptions.
Useful priorities include:
- Require compliant or hybrid-joined devices: Limits access to endpoints the business can trust and monitor.
- Block legacy authentication: Removes older sign-in methods that do not honor modern MFA controls.
- Apply location-based restrictions: Reduces exposure from regions where no legitimate business activity occurs.
- Use sign-in risk and user risk policies: Responds automatically to suspicious activity identified by Microsoft.
- Separate privileged access rules: Gives admins stronger protections than standard users.
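To make the table above and this priorities list concrete, here is an added example (not the article's own code and not a Microsoft tool) that audits a set of Conditional Access policies, shaped like the Microsoft Graph conditionalAccessPolicy resource, for three of those controls. The sample policies, the placeholder role id and the field subset are assumptions; a report-only policy is deliberately counted as not enforced.

```python
# Constructed policies shaped like the Microsoft Graph conditionalAccessPolicy resource
# (subset of fields). The admin role id is a placeholder, not a real role template id.
ADMIN_ROLE_ID = "00000000-0000-0000-0000-000000000000"

SAMPLE_POLICIES = [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    # Report-only: it logs what would happen but enforces nothing.
    {"displayName": "Require compliant device", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "Admins: phishing-resistant MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeRoles": [ADMIN_ROLE_ID]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
]

def _grants(p):
    return set(p.get("grantControls", {}).get("builtInControls", []))

def _all_users_all_apps(p):
    c = p["conditions"]
    return ("All" in c["users"].get("includeUsers", [])
            and "All" in c["applications"].get("includeApplications", []))

def audit_conditional_access(policies):
    """Report which of the table's controls an enforced policy set actually delivers."""
    enforced = [p for p in policies if p.get("state") == "enabled"]
    legacy_blocked = any(
        _all_users_all_apps(p) and "block" in _grants(p)
        and {"exchangeActiveSync", "other"} <= set(p["conditions"].get("clientAppTypes", []))
        for p in enforced)
    device_required = any(
        _all_users_all_apps(p) and _grants(p) & {"compliantDevice", "domainJoinedDevice"}
        for p in enforced)
    admins_protected = any(
        p["conditions"]["users"].get("includeRoles")
        and ("mfa" in _grants(p) or p.get("grantControls", {}).get("authenticationStrength"))
        for p in enforced)
    return {"legacy_auth_blocked": legacy_blocked,
            "compliant_device_required": device_required,
            "admins_protected": admins_protected}
```

Against the sample set the compliant-device control reports as missing, because the policy exists only in report-only mode; flipping its state to enabled makes the check pass.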
Safer MFA options beyond basic push approvals
Number matching is a strong step, but not every MFA method offers the same resistance to social engineering. If a business wants to reduce risk even more, it should review which methods are allowed and who is using them.
Some methods are simply harder to manipulate. Time-based one-time passcodes, FIDO2 security keys, passkeys, and device-bound authentication methods offer stronger protection than basic push approval, SMS codes, or voice calls.
Here is a practical comparison for Microsoft 365 environments:
| MFA method | Push-bombing resistance | Notes |
|---|---|---|
| Authenticator push with number matching | Good | Much better than approve/deny, but still depends on user judgment |
| TOTP code from authenticator app | Better | No push spam to approve; the user must enter the live code |
| SMS or voice call | Weak | Still vulnerable to social engineering and telecom-related risks |
| FIDO2 security keys or passkeys | Strongest | Phishing-resistant and highly resistant to prompt abuse |
| Windows Hello for Business | Strong | Device-bound and excellent for managed Windows environments |
For many small and mid-sized businesses, a smart path is to keep number matching for the broad user base while moving administrators, finance staff, executives, and other high-risk users to phishing-resistant methods first.
That creates a layered model instead of a one-size-fits-all policy.
User training for MFA fatigue prevention
Technology blocks a lot, but people still make the final decision on many sign-in attempts. Training matters most when it is specific, repeatable, and tied to realistic scenarios.
Users should know exactly what to do when they receive an unexpected MFA prompt: deny it, report it, and avoid interacting with anyone asking them to “just approve this one request.” Clear, direct guidance works better than generic awareness messaging.
A useful employee message usually includes these points:
- Deny unexpected prompts: If you did not start the sign-in, reject it immediately.
- Report repeated notifications: Multiple prompts are a sign of possible account abuse, not a harmless glitch.
- Ignore urgent social pressure: Real IT staff should not ask users to approve mystery MFA requests.
- Pause and verify: Number matching only works well when users check the sign-in context first.
One sentence worth repeating across the organization is this: an MFA prompt is not proof that the request is legitimate.
Monitoring Microsoft 365 for push bombing activity
Security teams should treat MFA fatigue as something that can be seen early, not just investigated after a compromise.
Microsoft 365 and Entra ID logs often reveal the pattern before access is granted. Repeated interrupted sign-ins, sign-in failures after valid credentials, impossible travel alerts, and sudden registration of new authentication methods can all point to an active attack. Good monitoring turns those signals into actionable alerts.
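The warning signs listed earlier and the log patterns described here can be checked mechanically. The following is an added example, not the article's or Microsoft's code: it runs a sliding-window detector over constructed records shaped like a subset of the Entra ID sign-in log and flags a burst of unsatisfied MFA challenges followed by a success, which is the signature of an approval given under pressure. The field subset, the sample records, the window and the threshold are assumptions; the two error codes are real Entra ID result codes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Entra ID sign-in error codes meaning an MFA challenge was issued but not satisfied
# (AADSTS500121: strong-auth request failed/denied/timed out; AADSTS50074: MFA required).
MFA_INTERRUPTED = {500121, 50074}

def _rec(user, hhmm, code, ip):
    # Constructed record with a subset of the Entra ID signIn log fields.
    return {"userPrincipalName": user, "createdDateTime": f"2024-05-01T{hhmm}:00",
            "status": {"errorCode": code}, "ipAddress": ip}

# Constructed sample: alice gets five unsatisfied prompts in five minutes, then a
# success two minutes later; bob shows a normal single challenge followed by success.
SAMPLE_SIGNINS = [_rec("alice@example.com", f"02:1{i}", 500121, "203.0.113.9") for i in range(5)]
SAMPLE_SIGNINS += [_rec("alice@example.com", "02:16", 0, "203.0.113.9"),
                   _rec("bob@example.com", "09:00", 50074, "198.51.100.4"),
                   _rec("bob@example.com", "09:01", 0, "198.51.100.4")]

def detect_push_bombing(records, window_minutes=10, threshold=5):
    """Per user, flag >= threshold unsatisfied MFA challenges inside a sliding window
    and note whether a successful sign-in followed the burst within the same window."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append(r)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["createdDateTime"])
        recent, alert = deque(), None   # timestamps of challenges still inside the window
        for ev in events:
            ts = datetime.fromisoformat(ev["createdDateTime"])
            code = ev["status"]["errorCode"]
            if alert is not None and ts - alert["burst_end"] > window:
                alert = None   # burst went quiet; a later burst is a separate alert
            if code in MFA_INTERRUPTED:
                recent.append(ts)
                while ts - recent[0] > window:
                    recent.popleft()
                if alert is not None:
                    alert["prompts"] += 1
                    alert["burst_end"] = ts
                elif len(recent) >= threshold:
                    alert = {"user": user, "burst_start": recent[0], "burst_end": ts,
                             "prompts": len(recent), "approved_after_burst": False}
                    alerts.append(alert)
            elif code == 0 and alert is not None:
                alert["approved_after_burst"] = True   # success right after the burst
    return alerts
```

An alert with approved_after_burst set is the case the response list below is written for: the user's sessions and authentication methods need attention immediately, not after a ticket is triaged.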
This is also where incident response discipline matters. Once a suspicious approval happens, attackers often move quickly. They may register a new MFA method, establish persistence, access mailboxes, or target privileged roles. Response needs to be immediate.
When suspicious MFA activity appears, the first actions should be direct and decisive:
- Revoke active sessions: Forces reauthentication across Microsoft 365.
- Reset the password: Breaks access tied to stolen credentials.
- Review authentication methods: Look for newly added devices, phone numbers, or unusual changes.
- Check sign-in logs: Confirm source IPs, locations, apps accessed, and risk events.
- Escalate if privilege is involved: Admin or finance accounts deserve rapid containment.
Practical Microsoft 365 hardening steps to take now
Most organizations do not need a dramatic rebuild to improve their defenses. They need a focused review of current settings, allowed methods, and account tiers.
Start by confirming that Microsoft Authenticator is using number matching, that legacy authentication is blocked, and that Conditional Access policies reflect how the business actually works. Then look at who still uses weaker methods like SMS or voice and where phishing-resistant options make the most sense.
A strong rollout often follows this order:
- Verify current MFA methods and remove weak defaults.
- Apply Conditional Access for managed devices, risky sign-ins, and admin roles.
- Train users on unexpected prompts and fake help desk calls.
- Move privileged users to FIDO2, passkeys, or Windows Hello for Business.
- Set alerting for abnormal sign-in and MFA activity.
The goal is straightforward: every Microsoft 365 sign-in should carry context, policy, and accountability. When that happens, attackers lose the easy path that push bombing depends on, and MFA starts doing the job it was meant to do.