MFA fatigue / prompt-bombing → M365 admin compromise
The attacker has the password (from a breach or password spray) but not the MFA factor. Push approvals are spammed at 2 AM until the user taps yes out of habit — the technique used in the Uber and 0ktapus breaches.
§ Context
Assumed environment: target uses push-style MFA (Microsoft Authenticator, Duo Push). Attacker has the password. No number-matching enforced.
§ Steps
- 01 Attacker session established · Initial Access · T1078 — Valid Accounts
- 02 Victim taps yes · Execution · T1204 — User Execution
- 03 Register attacker MFA device · Persistence · T1098 — Account Manipulation
- 04 Recover password (breach / spray) · Credential Access · W-AUTH-STUFFING — Credential Stuffing
- 05 Mailbox / Teams / SharePoint exfil · Collection · M365-EWS-EXFIL — Exchange Web Services (EWS) Exfil
- 06 Spam MFA approvals · Initial Access · PH-MFA-FATIGUE — MFA Fatigue / Prompt Bombing
§ References
- T1078: Valid Accounts
- T1204: User Execution
- T1098: Account Manipulation
§ Frequently asked
- What is the "MFA fatigue / prompt-bombing → M365 admin compromise" attack path?
- The attacker has the password (from a breach or password spray) but not the MFA factor, and spams push approvals at 2 AM until the user taps yes out of habit — the technique used in the Uber and 0ktapus breaches. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Attacker session established (T1078), an initial-access primitive. Assumed environment: the target uses push-style MFA (Microsoft Authenticator, Duo Push).
- What is the final impact of this kill-chain?
- The final step lands on Spam MFA approvals (PH-MFA-FATIGUE), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
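Added example, not part of the dossier: a small Python detector for the burst pattern this path depends on (many unanswered or declined pushes for one user in a short window, off-hours, then an approval). It assumes sign-in records shaped like the constructed CSV lines below (timestamp, user, source IP, MFA result); the result strings are constructed approximations of Entra sign-in log details, not the exact product text.

```python
"""Flag MFA prompt-bombing bursts in sign-in records (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice gets five pushes in six minutes at 2 AM and then
# approves one; bob declines a single push at 2 PM and approves the next (normal).
SAMPLE_EVENTS = [
    "2024-03-03T02:01:10Z,alice@example.com,203.0.113.7,MFA denied; user did not respond",
    "2024-03-03T02:02:05Z,alice@example.com,203.0.113.7,MFA denied; user did not respond",
    "2024-03-03T02:03:40Z,alice@example.com,203.0.113.7,MFA denied; user declined",
    "2024-03-03T02:05:12Z,alice@example.com,203.0.113.7,MFA denied; user did not respond",
    "2024-03-03T02:07:02Z,alice@example.com,203.0.113.7,MFA denied; user did not respond",
    "2024-03-03T02:08:30Z,alice@example.com,203.0.113.7,MFA approved",
    "2024-03-03T14:00:00Z,bob@example.com,198.51.100.9,MFA denied; user did not respond",
    "2024-03-03T14:01:15Z,bob@example.com,198.51.100.9,MFA approved",
]

WINDOW = timedelta(minutes=10)   # burst window (assumed tuning value)
THRESHOLD = 3                    # pushes within WINDOW that count as a burst


def parse(line):
    ts, user, ip, result = line.split(",", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "result": result}


def find_fatigue_alerts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user whose denied/unanswered pushes form a burst.

    severity is 'high' when an approval follows the burst within `window`
    (the user likely tapped yes to make it stop), else 'medium'."""
    by_user = defaultdict(list)
    for ev in map(parse, lines):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"].startswith("MFA denied")]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            last = burst[-1]["ts"]
            approved = any(e["result"] == "MFA approved" and last <= e["ts"] <= last + window
                           for e in events)
            alerts.append({"user": user, "prompts": len(burst),
                           "ips": sorted({e["ip"] for e in burst}),
                           "off_hours": first["ts"].hour < 6,   # the "2 AM" signal
                           "approved_after_burst": approved,
                           "severity": "high" if approved else "medium"})
            break  # one alert per user is enough for triage
    return alerts
```

A high-severity hit is the cue to revoke the user's sessions and check for a newly registered authenticator (step 03 above) before the mailbox is touched.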
§ Related dossiers
- Malicious browser extension → cookie harvest → ATO (shared techniques: 3)
  Publish a useful-looking extension (ad-blocker / PDF reader). It quietly reads cookies + localStorage from sensitive sites and ships them to the attacker.
- AITM phishing (Evilginx) → M365 session theft → mailbox exfil (shared techniques: 3)
  Reverse-proxy phishing kit intercepts the entire login flow including MFA. Stolen session cookie → access M365 mailbox / SharePoint without retriggering auth.
- Trusted updater hijack → wormable destructive payload (NotPetya / M.E.Doc) (shared techniques: 2)
  Compromise a niche third-party vendor (regional tax software, niche industry tooling). Push a malicious update; every customer auto-installs it. Payload spreads via SMB + Mimikatz, wipes drives.
- Leaked legacy VPN credential → ransomware (Colonial-class) (shared techniques: 2)
  A dormant VPN account whose password appeared in a third-party breach is still active and has no MFA enforced. Sign in, recon AD, deploy ransomware across the estate.
- Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class) (shared techniques: 2)
  Identify an Okta admin via LinkedIn. Vish the helpdesk pretending to be that admin and get the MFA reset. Sign in, plant an attacker MFA factor, then push policy changes that disable MFA for chosen apps before mass-deploying ransomware.
- FIDO2 caBLE hybrid → phone authenticator hijack (shared techniques: 2)
  Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser, so they are now signed in as the victim.