Are Multi-factor Authentication Fatigue Attacks The New Insider Threat?

Table of contents
  1. Why tired thumbs are now an attack surface
  2. When “legitimate access” stops being legitimate
  3. SSO, tokens, and the quiet paths attackers love
  4. How companies can blunt MFA fatigue fast

At 2:17 a.m., the phone buzzes again, and the pop-up looks routine: approve a sign-in. Across corporate networks, that “routine” moment is being weaponized, with attackers spamming multi-factor authentication prompts until someone finally taps yes. Security teams have a name for it, MFA fatigue, and it is reshaping incident response because it exploits human reflexes, not broken cryptography, and it can open doors that look, uncomfortably, like an insider’s access.

Why tired thumbs are now an attack surface

How many prompts does it take to break attention? Microsoft has warned that “MFA fatigue” and “push bombing” have become common social-engineering techniques, and the company’s security research has described campaigns where users are hit with repeated approvals, then contacted by an attacker posing as IT to “help stop the notifications.” The mechanics are simple, and that simplicity is the point: instead of stealing a one-time code, the adversary turns the second factor into a nagging, noisy interruption until a user makes the mistake that ends the annoyance.

The underlying scale is not theoretical. Microsoft’s 2023 Digital Defense Report estimated cybercrime revenues at $8 trillion per year, a figure the company has used to illustrate the industrialization of fraud, and while that number is not specific to MFA abuse, it frames why low-cost, high-success tactics spread fast. On the authentication front, Okta reported in 2023 that social engineering and credential-based attacks continued to dominate real-world intrusions, and that attackers increasingly target the human layer surrounding identity systems, including help desks and end users. That is where MFA fatigue fits: it is less a new class of exploit than a pressure tactic that turns “secure by design” into “approve by habit.”

What makes the method effective is the collision between security hygiene and real work. Employees are trained to expect MFA prompts, and many organizations generate legitimate prompts through routine logins, conditional access checks, VPN reconnections, and mobile app refreshes. In that background noise, a malicious burst can masquerade as yet another normal interruption, especially when it hits during travel, after-hours on-call duties, or moments of distraction. The result is an approval that looks, in logs, indistinguishable from a user who simply signed in.

That resemblance is why the question keeps coming back in boardrooms: is MFA fatigue the new insider threat, or just an external attacker wearing a user’s skin? The line matters, because “insider” suggests intent, grievance, and privileged knowledge, while fatigue attacks depend on coercion, confusion, and timing. Yet the operational outcome can be the same: valid access, granted through a real employee account, followed by lateral movement that security tools may initially treat as legitimate behavior.

When “legitimate access” stops being legitimate

Here is the uncomfortable part: many defenses are built to detect the unusual, and MFA fatigue produces activity that can look entirely usual. Once the user approves, the adversary often lands inside a cloud identity session, then pivots into email, file storage, customer data, or admin consoles, and because the authentication step was “successful,” downstream systems may reduce scrutiny. In cloud-first environments, identity is the perimeter, and a green checkmark at the perimeter can neutralize multiple layers of security that assume the login was genuine.

That dynamic is not hypothetical. The 2022 Uber breach, publicly discussed by the company and widely analyzed by incident responders, involved an attacker who reportedly bombarded a contractor with MFA requests and then used social engineering to secure approval. After entry, the attacker accessed internal tools and posted in corporate channels, illustrating how quickly a single compromised identity can cascade. Separately, Microsoft has disclosed incidents where attackers used MFA fatigue in combination with impersonation to obtain access, then exploited that foothold for broader compromise.

Does that make it an “insider threat”? Traditional insider frameworks, including those used in risk management and compliance, separate malicious insiders from compromised insiders. MFA fatigue usually creates a compromised insider, but from the standpoint of a security operations center, both can trigger similar alerts: a trusted account accessing unusual resources, logging in from atypical locations, and requesting elevated permissions. The ambiguity complicates triage, and it can delay decisive action if teams hesitate to lock accounts that appear tied to real employees, especially executives.

There is another wrinkle: modern attackers do not stop at one login. They aim to persist, and persistence in identity-centric environments often means collecting refresh tokens, registering new devices, creating OAuth grants, or abusing single sign-on relationships. In practice, that means a single approved prompt can become a long-lived session, and that session can be converted into durable access that survives password resets. At that stage, the event begins to resemble the stealth and longevity often associated with insider abuse, even if the original entry was just a tired thumb on a screen.

SSO, tokens, and the quiet paths attackers love

What if the prompt is only the beginning? In many enterprises, the real crown jewels are not behind a single app login; they sit behind federated identity, shared directories, and SSO links that let one approved session unlock dozens of services. That is why attackers prize identity providers: one successful authentication can translate into access across productivity suites, HR systems, developer platforms, and customer databases, with each step looking like normal SSO traffic.

Security teams increasingly focus on token lifecycle and session controls, because tokens, not passwords, are what power modern sign-ins. A user can change a password, but if an attacker holds a valid session token, they may remain authenticated until the token expires or is revoked. This is why organizations are revisiting how they architect sign-on to sensitive resources, how they segment access, and how they audit the relationships between applications, directories, and databases. For teams mapping that landscape, a clear picture of database and SSO architectures shows where trust boundaries sit and where they silently disappear.

It is also why many responders now treat “successful MFA” as a starting point, not an all-clear. They look for signs of session hijacking, unusual device registrations, impossible travel, anomalous API calls, and unexpected OAuth consent grants, which can be a quiet way to embed persistence without triggering classic malware alerts. Google’s security research, including public write-ups from its threat intelligence teams, has repeatedly emphasized that identity compromise and token abuse are central to modern cloud intrusions, and that defenders must monitor beyond the moment of login.

In practical terms, organizations that rely heavily on push-based MFA without additional safeguards have a structural weakness: they have optimized for convenience at the exact moment attackers want to apply pressure. The remedy is rarely to abandon MFA, because MFA still blocks huge volumes of credential-stuffing, but rather to harden the approval step, reduce the number of legitimate prompts users see, and add friction only where risk is high, such as new devices, new geographies, and privileged actions.

How companies can blunt MFA fatigue fast

Can this be fixed without breaking work? Yes, but it requires changing both technology and habits, and doing it with urgency. The first move is to reduce or eliminate “approve/deny” push prompts that ask nothing of the user beyond a tap, because that is precisely what attackers exploit. Number matching, contextual prompts that show location and device, and phishing-resistant MFA such as FIDO2 security keys can significantly cut the success rate of fatigue attacks; Microsoft, Google, and other major providers have pushed these approaches as the industry shifts toward stronger, user-verifiable authentication.

Next comes policy: organizations should tune conditional access so that repeated failed prompts, unusual sign-in velocity, or anomalous locations trigger automatic blocks, step-up authentication, or temporary account suspension. Rate limiting matters, because MFA fatigue is a volume tactic; if an attacker can only generate a small number of prompts before the account is locked and the SOC is alerted, the leverage collapses. Equally important, security teams should ensure help desks cannot be socially engineered into “fixing” the problem by resetting MFA methods without robust verification, because many fatigue attacks end with a call, a chat message, or a spoofed ticket.

Training must also evolve. Telling employees “never approve unexpected prompts” is necessary, but not sufficient, because the pressure comes when a user is tired and wants the noise to stop. Better guidance is procedural: if you receive repeated prompts, do not interact with them, switch the phone to airplane mode if needed, and report immediately using a known internal channel, not a link or number provided in a message. Organizations that operationalize this, with clear reporting paths and rapid account lockdown, reduce the window attackers need.

Finally, measure it. Count MFA prompts per user, per application, and per time window, then cut the legitimate ones by fixing noisy apps, unstable VPNs, and misconfigured SSO loops. The fewer “normal” prompts employees see, the more suspicious an abnormal burst becomes, and the less likely the reflex approval. In identity security, usability is not a nice-to-have; it is a control, because confusion and friction are what adversaries monetize.
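As an added example (not code from this article or from any identity provider), the following Python sketch implements the prompt-budget rate limit from the policy section and the per-user, per-window counting from the measurement section: it runs over constructed push-notification log lines, whose field layout is an assumption, flags a user whose prompt count exceeds the budget inside a sliding window, and escalates when an approval follows such a burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real IdP output); the field layout is an assumption.
# "alice" receives five pushes in a few minutes and then approves one (fatigue pattern);
# "bob" shows two ordinary sign-ins hours apart.
SAMPLE_LOG = """\
2024-03-01T02:11:04Z user=alice event=push_sent ip=203.0.113.9
2024-03-01T02:11:30Z user=alice event=push_sent ip=203.0.113.9
2024-03-01T02:12:01Z user=alice event=push_sent ip=203.0.113.9
2024-03-01T02:12:33Z user=alice event=push_sent ip=203.0.113.9
2024-03-01T02:13:05Z user=alice event=push_sent ip=203.0.113.9
2024-03-01T02:14:10Z user=alice event=push_approved ip=203.0.113.9
2024-03-01T09:00:00Z user=bob event=push_sent ip=198.51.100.7
2024-03-01T09:00:08Z user=bob event=push_approved ip=198.51.100.7
2024-03-01T13:00:00Z user=bob event=push_sent ip=198.51.100.7
2024-03-01T13:00:05Z user=bob event=push_approved ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) ip=(\S+)$")

def parse(log):
    """Yield (timestamp, user, event, ip) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_push_bombing(log, max_prompts=3, window=timedelta(minutes=10)):
    """Return {user: verdict}: 'lock' once pushes in the window exceed max_prompts
    (stop sending pushes, alert the SOC), 'approval_after_burst' if the user then
    approves a prompt (revoke sessions, reset the factor), otherwise 'ok'."""
    recent = defaultdict(deque)   # user -> timestamps of push_sent inside the window
    verdicts = {}
    for ts, user, event, _ip in parse(log):
        q = recent[user]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) > max_prompts:
                verdicts[user] = "lock"
        elif event == "push_approved" and verdicts.get(user) == "lock":
            verdicts[user] = "approval_after_burst"
        verdicts.setdefault(user, "ok")
    return verdicts
```

Lowering the legitimate prompt volume, as the paragraph above recommends, is what lets `max_prompts` be set tightly without locking out ordinary users.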

What to do this week, not “later”

Budget for phishing-resistant MFA on privileged accounts first, and schedule a short rollout plan for the wider workforce, then test help-desk reset procedures with realistic social-engineering scenarios. If you are planning a broader identity upgrade, reserve time with IT and security to map SSO dependencies, and check whether any national or sectoral cybersecurity programs can subsidize training or tooling.
