MFA Fatigue Warning: What Your Business Needs to Know
Cybersecurity used to feel like a technical problem: firewalls, passwords, antivirus software. Something to leave to the IT guy. The reality is that it has been, and continues to be, a people problem. MFA fatigue is a real problem for small businesses, but the good news is it has real solutions.
Microsoft and security agencies are warning about a growing wave of phishing campaigns that exploit something called “MFA fatigue”, and your small business is right in the firing line. These attacks don’t rely on advanced hacking skills. Instead, they take advantage of busy employees, everyday habits, and the way we interact with security tools.
If your business is using cloud services (and let's be real, what small business isn't?), then this is something worth understanding. Here's what's happening, why it matters, and what you should do about it.
The shift: when security tools become the attack vector
Multi-Factor Authentication has always been the first and easiest security layer to implement. It's a non-negotiable layer that ensures that when users need to authenticate themselves to a service, they have to provide a code or answer a notification on their phone. It's meant to ensure attackers cannot simply steal a password and log in.
But attackers have adapted.
Instead of trying to break MFA, they’re now turning it into a weapon. Microsoft notes that traditional MFA methods like push notifications and one-time codes are increasingly being targeted by modern phishing campaigns.
Put simply, the system itself still works—but attackers are going after the humans using it.
What “MFA fatigue” actually means
MFA fatigue (also called push bombing) is surprisingly simple.
An attacker logs into an account using stolen credentials, then triggers repeated MFA requests—sometimes dozens or even hundreds. The target’s phone keeps buzzing with “Approve sign-in?” notifications.
In September 2022, attackers breached Uber by first obtaining a contractor’s credentials from the dark web, then bypassing MFA by bombarding the contractor with a flood of push notification approval requests. They compounded the pressure by contacting the victim on WhatsApp, posing as Uber IT staff and instructing them to approve the requests to make them stop. The contractor eventually gave in, granting the attackers access to Uber’s internal systems — a stark illustration of how human psychology can be the weakest link in even a well-designed security setup.
Increasingly, members of your staff are being attacked like this, and all it takes is one frustrated staff member to ruin your day, cause massive losses in your business and potentially bring a lot of public scrutiny onto your business. It's hard enough running a business in 2026 without this kind of thing.

Why phishing is still at the centre of it all
MFA fatigue attacks don’t start with MFA—they usually start with phishing.
Attackers first trick someone into giving up their username and password (for example, via an email that looks like a document share or invoice). In businesses without strong password policies and the IT management to enforce them, users will often reuse passwords, and all the attacker has to do is find them in a data breach.
Once they have those credentials, MFA is the only barrier left—so they use fatigue tactics to get around it.
This means businesses still need to treat phishing emails as the entry point for much larger attacks.
A worrying evolution: real Microsoft pages, real logins
What makes newer campaigns especially dangerous is how convincing they are.
Some attacks now use legitimate Microsoft login pages—not fake ones. For example, attackers can trick users into entering a code on a real Microsoft site, which then gives the attacker access behind the scenes.
From the user’s perspective, everything looks normal:
- The website is real
- The login process is real
- MFA is completed successfully
But in the background, attackers capture authentication tokens that let them access the account without needing to log in again.
This blurs the line between legitimate and malicious activity, making these attacks much harder to detect.
Cybercrime is becoming “plug-and-play”
Another key development is the rise of phishing-as-a-service platforms.
Tools like the Kali365 platform (identified this year) allow even low-skilled criminals to launch sophisticated campaigns using:
- Pre-built phishing templates
- Automated tools
- AI-generated email lures
- Real-time dashboards to track victims
These platforms effectively “industrialise” cybercrime. Attackers no longer need deep technical knowledge—they can rent the tools and scale quickly.
Why small businesses are especially exposed
You might assume these attacks are aimed at large corporations. That’s no longer the case.
Smaller organisations are increasingly targeted because:
- They often rely heavily on a variety of cloud services for daily operations
- They often have not engaged professional IT Management
- Staff are juggling multiple tasks and systems, making mistakes more likely
Research also shows MFA fatigue attacks exploit normal workplace behaviour, like frequent login prompts and busy workflows.
In other words, small businesses offer a high-reward, low-resistance target for attackers.

The impact goes far beyond email
If an attacker gets access to a Microsoft 365 account, it’s not just email that’s at risk.
They may gain access to:
- Business emails and client communications
- Files stored in cloud services
- Teams chats and meetings
- Connected systems using single sign-on
Once inside, attackers can:
- Steal sensitive business or customer data
- Send phishing emails from your legitimate account
- Set up rules to hide their activity
Security agencies warn that this can quickly escalate into financial fraud or widespread data exposure.
What we recommend every small business does right now
The key takeaway from this is simple:
Traditional MFA alone is no longer enough.
Your business needs to be moving towards “phishing-resistant” authentication, such as:
- Passkeys or hardware security keys
- Advanced identity verification methods
- Access control solutions
- Rate limiting MFA requests
- Where necessary, switch to cloud services that offer more advanced security features.
These approaches are designed to make it far harder for attackers to trick users into approving access.
There are also practical steps organisations can take right now:
- Enable number matching instead of simple “Approve/Deny” prompts
- Use conditional access policies to restrict risky login attempts
- Reduce excessive or unnecessary MFA prompts
- Train staff to treat unexpected login requests as a warning sign
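As an added example (not code from the original article), here is detection logic for the push-bombing pattern described above, run over a constructed sample of sign-in events: it flags any user who received a burst of MFA push prompts within a short window and, worse, approved one while the burst was under way. The log format, user names and thresholds are assumptions, and the events are assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): "timestamp user mfa_result".
# alice receives five push prompts in two minutes and finally approves one,
# the pattern described above; bob is an ordinary single-prompt sign-in.
SAMPLE_LOG = """\
2026-03-02T08:01:10Z alice@example.com push_sent
2026-03-02T08:01:12Z alice@example.com push_denied
2026-03-02T08:01:40Z alice@example.com push_sent
2026-03-02T08:02:05Z alice@example.com push_sent
2026-03-02T08:02:30Z alice@example.com push_sent
2026-03-02T08:03:00Z alice@example.com push_sent
2026-03-02T08:03:02Z alice@example.com push_approved
2026-03-02T08:15:00Z bob@example.com push_sent
2026-03-02T08:15:04Z bob@example.com push_approved
"""

def parse_log(text):
    """Split each line into (timestamp, user, result); lines are assumed chronological."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def detect_push_bombing(events, threshold=4, window=timedelta(minutes=10)):
    """Flag users who received >= threshold push prompts inside any sliding window.
    Returns {user: (largest_burst, approved_after)}; approved_after is True when a
    prompt was approved once the burst began, the worst case and the one to escalate."""
    per_user = defaultdict(list)
    for ts, user, result in events:
        per_user[user].append((ts, result))
    flagged = {}
    for user, evs in per_user.items():
        recent, burst_start, largest = deque(), None, 0
        for ts, result in evs:
            if result != "push_sent":
                continue
            recent.append(ts)
            while ts - recent[0] > window:   # drop prompts older than the window
                recent.popleft()
            if len(recent) >= threshold:
                largest = max(largest, len(recent))
                burst_start = burst_start or recent[0]
        if burst_start is not None:
            approved = any(r == "push_approved" and t >= burst_start for t, r in evs)
            flagged[user] = (largest, approved)
    return flagged
```

Feeding real sign-in exports into `parse_log` (after adapting the three-field format) turns the list of recommendations into an alert: a flagged user with `approved_after` set is an account to lock and investigate immediately.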

The bottom line for small business owners
MFA fatigue attacks highlight a broader reality:
Cybersecurity is no longer just about technology—it’s about how people interact with that technology.
For small businesses, the risk isn’t just being hacked—it’s being tricked.
The solution isn’t to abandon MFA, but to:
- Strengthen how it’s implemented
- Reduce reliance on simple “one-tap approvals”
- Invest in staff awareness and better authentication methods
Because in this new wave of attacks, the difference between staying secure and being compromised could come down to a single tap on a phone. It shows why, now more than ever, having the best IT management provider is so important.