In short: A fake MFA notification is an approval request sent by an attacker who already has your password and is trying to get into your account. If you receive a login prompt you did not start yourself, deny it, change your password, and tell your IT team.
Most people assume that turning on Multi-Factor Authentication (MFA) makes their account untouchable. It is a strong layer of protection, but it is not a magic shield. Attackers have found a way around it, and it relies on one thing: catching you off guard. This guide explains what fake MFA notifications are, how the attack works, and exactly what to do when one appears.
What is a fake MFA notification?
A fake MFA notification is a login approval request triggered by an attacker, not by you. The attacker already has your password, usually from a data leak, a phishing email, or a password you reused on another site. They enter your password to start a login, which sends a real approval prompt to your phone. If you tap “Approve” without thinking, you let them in.
What is an MFA fatigue attack?
An MFA fatigue attack is when an attacker floods you with approval requests to wear you down. It is also called prompt bombing or MFA bombing. The attacker sends prompt after prompt, often late at night or during a busy morning, hoping you will get annoyed or confused and approve one just to make it stop. Some attackers take a quieter approach and send a single prompt at a moment when you might mistake it for a genuine login.
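The burst of prompts described above is also visible to an IT team in its sign-in logs. As an added example (not code from this guide), the Python below flags users who received an unusual number of push prompts inside a short window and notes whether one was eventually approved; it assumes a generic log shape with a constructed sample, not any vendor's export format.

```python
"""Detect MFA push-prompt bursts (MFA fatigue / prompt bombing) in sign-in logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in an assumed generic shape (not a vendor format):
# timestamp, user, outcome of the push prompt, source IP of the login attempt.
SAMPLE_LOG = """\
2024-03-04T02:11:05 alice@example.com denied 203.0.113.7
2024-03-04T02:11:40 alice@example.com denied 203.0.113.7
2024-03-04T02:12:12 alice@example.com timeout 203.0.113.7
2024-03-04T02:12:50 alice@example.com denied 203.0.113.7
2024-03-04T02:13:30 alice@example.com timeout 203.0.113.7
2024-03-04T02:14:02 alice@example.com approved 203.0.113.7
2024-03-04T08:30:00 bob@example.com approved 198.51.100.5
2024-03-04T17:45:10 bob@example.com approved 198.51.100.5
"""


def parse_log(text):
    """Turn log lines into (timestamp, user, outcome, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, outcome, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome, ip))
    return sorted(events)


def find_prompt_bursts(events, threshold=4, window=timedelta(minutes=10)):
    """Return {user: [(burst_start, prompt_count, approved_during_burst)]}.

    A burst is `threshold` or more prompts for one user within `window`.
    An approval inside a burst is the strongest sign the user gave in."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        i = 0
        while i < len(evs):
            j = i  # extend j while events stay inside the window starting at evs[i]
            while j + 1 < len(evs) and evs[j + 1][0] - evs[i][0] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                approved = any(e[2] == "approved" for e in evs[i:j + 1])
                alerts.setdefault(user, []).append((evs[i][0], count, approved))
                i = j + 1  # skip past this burst
            else:
                i += 1
    return alerts
```

Run against the sample, alice is flagged with six prompts in three minutes ending in an approval, while bob's two normal logins hours apart are not.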
Why is MFA not enough on its own?
MFA is not enough on its own because you are still the person who approves the login. MFA blocks an attacker who only has your password, but it cannot tell the difference between a login you started and one a criminal started using your stolen password. The approval still comes down to your tap. That single tap is the gap attackers aim for.
Should you approve an MFA prompt you did not request?
No. You should never approve an MFA prompt you did not personally start. An unexpected approval request almost always means someone else is trying to sign in as you. The safe response is to deny it every time and treat it as a warning that your password may already be compromised.
What should you do if you get an unexpected MFA notification?
If a notification appears and you did not just try to log in, follow these steps:
- Tell your IT team. They can check whether someone is actively trying to break in and lock things down quickly.
- Change your password straight away, because an unexpected prompt usually means your password is already out there.
- Choose “Deny”. Never approve a request you did not begin yourself.
- Stop and think. Ask yourself whether you actually started a login right now. If you did not, something is wrong.
How do you spot a fake Microsoft login page?
You spot a fake Microsoft login page by checking the web address before you type anything. Fake sign-in pages are built to look completely real and quietly steal your details. If the address in your browser is not a genuine Microsoft domain, close it. Be extra careful with urgent emails or Teams messages that push you to log in quickly, because that sense of pressure is exactly how these attacks work. Never enter a verification code on a site you do not fully trust.
Why do fake MFA notifications matter for businesses?
Fake MFA notifications matter for businesses because one accidental approval can expose an entire account. Once an attacker is in, they can read your emails, pose as you to colleagues and clients, dig through shared files in OneDrive and SharePoint, and set up fraud that costs real money. For a small business, the cleanup and the damage to your reputation often hurt more than the breach itself.
The one rule to remember
If you were not expecting the login request, do not approve it. When something does not look right, contact your IT team before you tap anything. A quick check is always cheaper than a breach.