Prompt bombing is an attack in which repeated MFA push requests are sent to a user in hopes they will eventually approve one out of fatigue or confusion. It matters because user annoyance and overload can become a practical security weakness.
What is Prompt Bombing?
Also called MFA fatigue, this technique relies on flooding the target with repeated authentication prompts until they accidentally or reluctantly approve one. Attackers may combine it with social engineering, fake help desk calls, or timing pressure to improve success.
What Prompt Bombing Commonly Exploits
Common weaknesses include push-based MFA that needs only a tap to approve, poor user training, prompts that give the user little context about what they are approving, stolen credentials that let the attacker initiate login attempts repeatedly, and environments lacking number matching or stronger factor controls.
Prompt Bombing vs. Standard Phishing
Standard phishing aims to steal credentials or factors directly. Prompt bombing pressures the victim to approve a real authentication request the attacker initiated.
Frequently Asked Questions
Why does prompt bombing work?
Because fatigue, distraction, and social pressure can lead users to approve prompts they do not understand.
How do teams defend against it?
By using phishing-resistant MFA, adding number matching, limiting repeated prompts, and alerting on suspicious approval patterns.
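The two detective controls named above, limiting repeated prompts and alerting on suspicious approval patterns, can be expressed as a few small functions over authentication logs. The following is an added example written for this glossary entry, not code from the original page or any identity provider; the log line format, the event names (push_sent, push_denied, push_approved), the sample entries and the thresholds are all constructed assumptions, and real IdP logs will differ in shape.

```python
"""Detection and throttling logic for MFA push prompt floods.

Added example, not from the original page. The log format, event names,
thresholds and sample lines are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <event> <source IP>".
# alice receives 8 pushes in under four minutes, denies three, then approves
# one (the fatigue pattern); bob performs a single normal login.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice push_sent 203.0.113.7
2024-05-01T09:00:04Z alice push_denied 203.0.113.7
2024-05-01T09:00:30Z alice push_sent 203.0.113.7
2024-05-01T09:00:33Z alice push_denied 203.0.113.7
2024-05-01T09:01:00Z alice push_sent 203.0.113.7
2024-05-01T09:01:30Z alice push_sent 203.0.113.7
2024-05-01T09:01:32Z alice push_denied 203.0.113.7
2024-05-01T09:02:00Z alice push_sent 203.0.113.7
2024-05-01T09:02:30Z alice push_sent 203.0.113.7
2024-05-01T09:03:00Z alice push_sent 203.0.113.7
2024-05-01T09:03:30Z alice push_sent 203.0.113.7
2024-05-01T09:03:41Z alice push_approved 203.0.113.7
2024-05-01T09:05:00Z bob push_sent 198.51.100.9
2024-05-01T09:05:06Z bob push_approved 198.51.100.9
"""


def parse_log(text):
    """Parse the constructed log format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def prompt_floods(events, threshold=5, window=timedelta(minutes=5)):
    """Alert rule 1: return {user: peak pushes in any sliding window} for users
    whose peak reaches the threshold. A burst of pushes is the bombing itself."""
    sent = defaultdict(list)
    for e in events:
        if e["event"] == "push_sent":
            sent[e["user"]].append(e["ts"])
    floods = {}
    for user, times in sent.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[user] = peak
    return floods


def fatigue_approvals(events, min_prior_denials=2, window=timedelta(minutes=10)):
    """Alert rule 2: flag an approval preceded by several denials from the same
    user within the window. Deny, deny, then approve is the worn-down-user signature.
    Returns a list of (user, approval timestamp, number of recent denials)."""
    denials = defaultdict(list)
    flagged = []
    for e in events:
        user, t = e["user"], e["ts"]
        if e["event"] == "push_denied":
            denials[user].append(t)
        elif e["event"] == "push_approved":
            recent = [d for d in denials[user] if t - d <= window]
            if len(recent) >= min_prior_denials:
                flagged.append((user, t, len(recent)))
    return flagged


def throttled_replay(events, max_prompts=3, window=timedelta(minutes=5)):
    """Preventive control: replay the log as if the IdP capped pushes per user
    per window. Returns {user: pushes that would have been suppressed}.
    Suppressed pushes are not counted as delivered, so the cap tracks what the
    user actually received rather than what the attacker attempted."""
    delivered = defaultdict(list)
    suppressed = defaultdict(int)
    for e in events:
        if e["event"] != "push_sent":
            continue
        user, t = e["user"], e["ts"]
        recent = [d for d in delivered[user] if t - d <= window]
        if len(recent) >= max_prompts:
            suppressed[user] += 1
        else:
            delivered[user].append(t)
    return dict(suppressed)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("flood alerts:", prompt_floods(evts))
    print("fatigue approvals:", fatigue_approvals(evts))
    print("pushes a 3-per-5-minute cap would have suppressed:", throttled_replay(evts))
```

Run against the constructed log, the flood rule fires for alice only, the fatigue rule flags her final approval because three denials precede it, and the replay shows that a cap of three pushes per five minutes would have stopped five of the eight prompts before the user ever saw them. The thresholds are deliberately low for the sample; tune them against a baseline of legitimate retry behaviour, and treat the fatigue rule as a trigger for session revocation and user contact rather than a standalone verdict.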