Discover how push-bombing serves as a technique employed by hackers to bypass multi-factor authentication.

MFA is under attack! Learn about push-bombing and how hackers use it to trick you into clicking the wrong thing.


Organisations are facing a significant challenge with the rise of cloud account takeover. Consider the extensive amount of work your company undertakes, involving the usage of usernames and passwords. This necessitates employees logging into numerous systems and cloud applications. Malicious actors employ diverse techniques to acquire these login credentials with the objective of accessing valuable business data under the guise of legitimate users. Furthermore, they exploit this access to orchestrate sophisticated attacks and propagate insider phishing emails.


The severity of account breaches has reached alarming levels. In a span of two years, from 2019 to 2021, the occurrence of account takeover (ATO) incidents witnessed a staggering surge of 307%.

How Does Push-Bombing Work?

When users enable multi-factor authentication (MFA) on their accounts, they typically receive a code or authorisation prompt. After entering their login credentials, the system sends an authorisation request through a “push” message, which can be received via SMS/text, device popup, or app notification. This notification is a familiar part of the MFA login process. However, with push-bombing, hackers exploit this process by repeatedly attempting to log in using stolen credentials, triggering multiple consecutive push notifications for the legitimate user. This bombardment of notifications can lead to confusion and make it easier for users to mistakenly approve access without realising it.

Ways to Combat Push-Bombing at Your Organisation.

Awareness is key. When users encounter a push-bombing attack, it can cause disruption and bewilderment. However, by providing employees with prior knowledge and education, they can be better equipped to protect themselves. It is important to inform employees about push-bombing, its workings, and its implications. Offering training on how to respond if they receive unsolicited MFA notifications is crucial. Additionally, establishing a reporting mechanism empowers your staff to alert the IT security team, enabling them to notify other users and take necessary measures to safeguard everyone’s login credentials.

Employees typically utilise an average of 36 cloud-based services each day, resulting in a substantial number of logins to manage. The more login credentials an individual has, the higher the risk of password theft. It is advisable to assess the number of applications used within your company and explore opportunities for consolidation to minimize app “sprawl.” Platforms like Microsoft 365 a range of tools accessible through a single login, facilitating a streamlined cloud environment that enhances both security and productivity.

Moreover, consider adopting phishing-resistant multi-factor authentication (MFA) solutions to effectively counter push-bombing attacks. These solutions utilise a device passkey or physical security key for authentication, eliminating the need for push notifications for approval. While implementing such a solution may involve greater complexity during setup, it offers significantly enhanced security compared to text or app-based MFA methods.

In order for hackers to send multiple push notifications, they must possess the user’s login credentials. Implementing robust password policies significantly reduces the likelihood of password breaches. Recommended practices for strong password policies encompass the following:

  • Utilising a mix of uppercase and lowercase letters.
  • Incorporating a combination of letters, numbers, and symbols.
  • Avoiding the use of personal information when creating passwords.
  • Securely storing passwords.
  • Refraining from reusing passwords across multiple accounts.

By adhering to these standard practices, organisations can enhance the security of their passwords and decrease the risk of unauthorised access.

Do You Need Help Improving Your Identity & Access Security?

Relying solely on multi-factor authentication is insufficient. Organisations require multiple layers of protection to mitigate the risk of a cloud breach. If you are seeking assistance in strengthening your access security, we are here to help. Contact us today to schedule a conversation and explore the measures to reinforce your security framework.

Orbitel Technologies

If you’d like to find out more about our managed service offerings. Get in touch, talk to a specialist today!


614a Marion Road, Park Holme 5043