What is Push Bombing?

April 23, 2026

Cybersecurity might as well have its own language. Security professionals and threat actors alike use so many acronyms, terms, and sayings that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know them all. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, clients, and employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bulletproof hosting, CVEs, APIs, brute force attacks, zero-day exploits, doxing, data harvesting, IoCs, credential stuffing, and ransomware as a service. In this edition, we dive into push bombing.

Push bombing, also known as “MFA Fatigue” or “MFA Spamming,” is a deceptive social engineering tactic in which an attacker repeatedly triggers MFA push notifications to the victim’s device. Multi-factor authentication (MFA) has long been considered a cornerstone of modern cybersecurity. By requiring users to verify their identity through an additional factor, such as a push notification to a mobile device, organizations have significantly reduced the risk of account compromise. But multi-factor authentication is not invincible. As always, attackers adapt, and they increasingly exploit user behavior instead of cryptographic weaknesses. This is where push bombing comes in.

The goal is simple: flood a target with repeated MFA push notifications in the hope that they will eventually “approve” one. At a high level, push bombing is a shortcut. Instead of breaking through authentication controls, attackers pressure users into opening the door for them.

The process usually begins after an attacker has already obtained a user’s valid credentials, often through phishing, credential stuffing, or darknet data leaks. Once the attacker attempts to log in, the system sends a push notification to the legitimate user’s mobile app. When the user denies the request, the attacker immediately triggers another, and another—sometimes hundreds of times in a row, often in the middle of the night when the victim is less likely to be alert. Attackers often combine push bombing with chat-based impersonation, fake IT support calls, and SMS messages – creating a sense of urgency and legitimacy.

The Cybersecurity and Infrastructure Security Agency has published guidance highlighting this growing tactic.

Early warning indicators include:

  • Multiple MFA prompts within short time periods
  • Authentication approvals outside normal working hours
  • Users reporting repeated push requests they did not initiate

When a user comments, “I keep getting login prompts even though I’m not trying to sign in,” that’s not a help desk or internal IT nuisance. It’s an intrusion attempt in progress.
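
The first two indicators above can be checked mechanically against MFA logs. The sketch below is an added example, not part of the original article: the event format, the thresholds, and the name `detect_push_bombing` are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values (not from the article); adjust to your environment.
BURST_COUNT = 5                    # prompts inside WINDOW that count as a burst
WINDOW = timedelta(minutes=10)
WORK_HOURS = range(8, 18)          # 08:00-17:59 local time

# Constructed sample events: (ISO timestamp, user, result of the push prompt).
SAMPLE_EVENTS = [
    ("2026-04-20T09:02:00", "alice", "approved"),
    ("2026-04-21T02:11:00", "bob", "denied"),
    ("2026-04-21T02:11:40", "bob", "denied"),
    ("2026-04-21T02:12:15", "bob", "timeout"),
    ("2026-04-21T02:13:05", "bob", "denied"),
    ("2026-04-21T02:14:30", "bob", "approved"),
    ("2026-04-21T23:40:00", "carol", "approved"),
]

def detect_push_bombing(events):
    """Return {user: sorted findings} for the prompt-burst and off-hours indicators."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))

    findings = defaultdict(set)
    for user, rows in by_user.items():
        rows.sort()
        start = 0
        for end, (ts, result) in enumerate(rows):
            # Advance the window start so rows[start..end] spans at most WINDOW.
            while ts - rows[start][0] > WINDOW:
                start += 1
            in_burst = end - start + 1 >= BURST_COUNT
            if in_burst:
                findings[user].add("prompt_burst")
            if result == "approved":
                if ts.hour not in WORK_HOURS:
                    findings[user].add("off_hours_approval")
                if in_burst:
                    # Highest priority: a flood of prompts ended in an approval.
                    findings[user].add("approval_after_burst")
    return {u: sorted(f) for u, f in findings.items()}

if __name__ == "__main__":
    for user, found in detect_push_bombing(SAMPLE_EVENTS).items():
        print(user, found)
```

An `approval_after_burst` finding is the one to page on: it means the prompts stopped because someone tapped “approve,” so the session should be revoked and the password reset.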

Push bombing is actively used in real-world attacks and breaches by threat actors targeting organizations of all sizes, often as the final step in an account takeover chain. The consequences of a successful push bombing attack extend well beyond the single compromised account. Once inside, attackers can:

  • Launch impersonation or fraud campaigns
  • Access sensitive corporate systems
  • Move laterally across networks
  • Steal data or deploy ransomware

Uber

In 2022, a threat actor associated with the Lapsus$ group gained access to Uber’s internal systems. After obtaining a contractor’s password, the attacker sent a barrage of MFA requests. When the contractor initially ignored them, the attacker contacted them on WhatsApp, pretending to be from Uber IT, and told them they needed to approve the request to stop the notifications. The contractor complied, giving the attacker full access to the corporate environment.

Cisco

Also in 2022, Cisco fell victim to a series of sophisticated push bombing attacks. After compromising a user’s personal Google account to find stored credentials, the attackers moved to the corporate network. They used a combination of voice phishing (vishing) and MFA fatigue to trick the employee into granting access, eventually allowing the attackers to move laterally through the network.

What makes push bombing especially dangerous is its simplicity. It doesn’t require sophisticated malware or zero-day exploits—just stolen credentials and persistence.

Of course, DarkOwl will always recommend using MFA, but let’s go one step further: choose phishing-resistant MFA. Not all MFA is equal. SMS codes and push prompts can be bypassed (push fatigue, SIM swaps). Where available, use phishing-resistant authentication such as FIDO2 keys, WebAuthn, and passkeys, particularly for privileged and external-facing accounts. Never approve a push you didn’t initiate; report repeated prompts to IT. Ask your organization to move critical apps to phishing-resistant MFA.

Push bombing is the second stage of a compromise; the first stage is the loss of credentials. Awareness of when your employees’ or customers’ credentials have been leaked on the darknet can help you stay ahead of these attacks.

Leveraging a continuously updated darknet data index enables organizations to detect security gaps before a threat actor begins a push bombing campaign. By monitoring for leaked usernames and passwords associated with your domain, you can proactively force password resets and invalidate sessions, neutralizing the attacker’s ability to even trigger that first notification.



Copyright © 2026 DarkOwl, LLC All rights reserved.