PH-MFA-FATIGUE · Initial Access
MFA Fatigue / Prompt Bombing
Spam push notifications until the victim approves one out of frustration / habit — successful Uber / 0ktapus playbook.
§ Where this technique fits
PH-MFA-FATIGUE is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 2.5 on average.
§ Dossiers chaining this technique
- step 2 / 6
  MFA fatigue / prompt-bombing → M365 admin compromise
  Attacker has the password (from breach / spray) but not MFA. Spam push approvals at 2 AM until the user taps yes out of habit — used in the Uber and 0ktapus breaches.
- step 3 / 7
  AITM phishing (Evilginx) → M365 session theft → mailbox exfil
  Reverse-proxy phishing kit intercepts the entire login flow including MFA. Stolen session cookie → access M365 mailbox / SharePoint without retriggering auth.
§ What commonly comes next
- 01 · Steal Web Session Cookie · seen 1× · T1539 · Credential Access
- 02 · User Execution · seen 1× · T1204 · Execution