



Multi-factor authentication (MFA) was supposed to be the silver bullet. Enforce it across your organisation, the consultants said, and you eliminate 99% of credential-based breaches. That advice was sound — until attackers adapted. In 2026, MFA fatigue and push-bombing attacks have turned your own security controls into an entry point. Indian enterprises running legacy MFA deployments — particularly push-notification-based ones — are sitting on a vulnerability that threat actors are actively exploiting right now.
This post explains exactly how MFA fatigue works, why it succeeds even against security-aware users, and what your organisation must do immediately to close the gap.
An MFA fatigue attack (also called push-bombing or MFA bombing) follows a deceptively simple kill chain:
In some variants, the attacker calls the victim pretending to be IT support, instructs them to approve the “test” request, and combines social engineering with technical persistence. The 2022 Uber breach — one of the most-cited examples of this technique globally — followed exactly this pattern. A contractor’s credentials were obtained, the attacker push-bombed them for over an hour, then called posing as Uber IT. One approval was all it took.
India’s enterprise IT landscape has several compounding factors that raise the risk profile:
Post-COVID remote work forced organisations to deploy MFA quickly — often selecting whatever was fastest to roll out rather than most secure. Push notifications (Microsoft Authenticator, Duo, Google Prompt) are extremely easy to deploy but are the weakest link. Organisations that should have moved to phishing-resistant MFA never did, because “we already have MFA” became the answer to every audit question.
India’s mid-market enterprises frequently run lean IT teams. When users receive unexpected MFA prompts, the path of least resistance is to approve and escalate later — or simply approve because they assume it was a glitch. Security training exists on paper but is rarely contextual or role-specific.
India consistently ranks among the top countries in credential exposure from global data breaches. Attackers routinely purchase leaked credential sets, test them against corporate VPN portals and Microsoft 365 tenants, and immediately initiate MFA fatigue campaigns against valid accounts.
Many organisations issue long-lived session tokens after MFA approval — sometimes 30 to 90 days. A single successful approval gives attackers persistent access long after the initial compromise is forgotten.
MFA fatigue is the most visible but not the only technique. Your security team should be aware of the full spectrum:
Repeated push notifications until the user approves. Low skill required; high success rate against push-based MFA. Works 24/7 against sleeping or distracted users.
Adversary-in-the-Middle (AiTM) phishing proxies — like Evilginx, Modlishka, and Muraena — sit between the user and the legitimate login portal. The user enters credentials and approves their MFA prompt against the real IdP; the proxy captures the resulting session cookie. The attacker uses that cookie directly, completely bypassing MFA for subsequent access.
Organisations still using SMS one-time passwords (OTPs) face SIM-swap fraud, where attackers socially engineer telecom operators to port a victim’s number to an attacker-controlled SIM. This is particularly relevant in India given documented cases at major telecom providers. SMS OTP must be considered deprecated for high-value accounts.
Some MFA systems now show a two-digit number match to prevent blind approvals — but attackers have begun using social engineering to instruct victims to approve the “correct” number they see on their screen, which the attacker also sees in real time.
Not all MFA is created equal. The FIDO2/WebAuthn standard — implemented via hardware security keys (YubiKey, Feitian) or passkeys bound to the device — is categorically different from push notifications:
Microsoft has classified FIDO2/hardware keys and Certificate-Based Authentication (CBA) as the only truly phishing-resistant MFA methods in its Conditional Access framework. If your organisation is not on this path for privileged accounts and remote access, it is not fully protected.
Immediate actions your IT and security team should take this quarter:
Even the best MFA can be defeated — defence in depth is the only reliable posture. Zero Trust Network Access (ZTNA) fundamentally limits what an attacker can do after they have compromised credentials and MFA:
FortiGate’s ZTNA implementation integrates natively with FortiClient and FortiAuthenticator, giving PJ Networks’ managed customers continuous posture assessment without requiring a separate overlay architecture.
Detection speed is everything. The average dwell time for an attacker who has successfully bypassed MFA is measured in hours to days — during which they establish persistence, exfiltrate data, or move laterally to backup and financial systems. A 24/7 SOC with tuned detection rules can compress that window dramatically.
Effective SOC coverage for MFA-related threats includes:
Without 24/7 coverage, a weekend MFA fatigue attack — which attackers deliberately time for low-staffing periods — is often not discovered until Monday morning, when the damage is already done.
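One way a tuned SOC rule for the push-bombing pattern described above could look, as an added example rather than code from PJ Networks or any MFA vendor: it flags a burst of denied or timed-out pushes for one user and escalates when an approval follows the burst. The event fields, the 10-minute window and the threshold of five are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events (not real logs): time, user, result, source IP.
SAMPLE_EVENTS = [
    ("2026-01-10T02:11:05", "a.sharma", "denied",   "203.0.113.7"),
    ("2026-01-10T02:11:40", "a.sharma", "timeout",  "203.0.113.7"),
    ("2026-01-10T02:12:15", "a.sharma", "denied",   "203.0.113.7"),
    ("2026-01-10T02:13:02", "a.sharma", "timeout",  "203.0.113.7"),
    ("2026-01-10T02:14:30", "a.sharma", "denied",   "203.0.113.7"),
    ("2026-01-10T02:15:10", "a.sharma", "timeout",  "203.0.113.7"),
    ("2026-01-10T02:16:48", "a.sharma", "approved", "203.0.113.7"),
    ("2026-01-10T09:00:12", "r.iyer",   "timeout",  "198.51.100.20"),
    ("2026-01-10T09:00:55", "r.iyer",   "approved", "198.51.100.20"),
]

FAILED = {"denied", "timeout"}  # assumed result values for an unapproved push


def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Alert on a burst of failed pushes per user; escalate if an approval follows."""
    failures = defaultdict(deque)  # user -> times of failed pushes inside the window
    alerts = []
    for ts_raw, user, result, ip in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        recent = failures[user]
        while recent and ts - recent[0] > window:  # drop pushes older than the window
            recent.popleft()
        if result in FAILED:
            recent.append(ts)
            if len(recent) == threshold:  # burst threshold just crossed
                alerts.append({"user": user, "severity": "medium", "at": ts_raw,
                               "ip": ip, "reason": "burst of failed MFA pushes"})
        elif result == "approved":
            if len(recent) >= threshold:  # approval landed in the middle of a burst
                alerts.append({"user": user, "severity": "high", "at": ts_raw,
                               "ip": ip, "failed_pushes": len(recent),
                               "reason": "MFA approval after push burst"})
            recent.clear()  # a completed sign-in resets the counter
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

The high-severity alert is the one that warrants immediate session revocation and a call to the user, since it marks an approval that arrived while the account was being bombarded.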
Under India’s CERT-In directions (effective 2022), any incident involving unauthorised access to systems or data must be reported within 6 hours of detection. An MFA bypass leading to access of employee or customer data — even without confirmed exfiltration — likely triggers this obligation. Under the DPDP Act 2023, a personal data breach must be reported to the Data Protection Board within a prescribed timeline.
Organisations that lack 24/7 monitoring frequently discover MFA compromises days after the fact — making timely regulatory reporting impossible and creating significant compliance exposure. This is not a theoretical risk: CERT-In has made clear that under-reporting will attract penalties.
Key point: The 6-hour CERT-In clock starts from the moment of detection, not the moment of breach. Faster detection — enabled by a 24/7 SOC — directly reduces your compliance risk by giving you more time to investigate before the reporting window closes.
If you take nothing else from this article, act on these three things this week:
PJ Networks provides Indian enterprises with an end-to-end managed security capability purpose-built for today’s identity-based attack landscape:
MFA is not optional — but it is also not sufficient on its own in 2026. The organisations that stay ahead of the attacker curve are those that treat identity security as a continuous programme, not a checkbox. If you would like to assess your current MFA architecture or explore managed ZTNA options, speak with a PJ Networks security specialist for a no-obligation consultation.