MFA Push Bombing via Email Phishing
How email phishing campaigns are used to harvest credentials that then trigger MFA push bombardments, combining email and push-notification attacks to bypass two-factor authentication.
Part of: MFA Push-Bombing and Account-Recovery Scams
Last reviewed: 9 June 2026
MFA push bombing does not begin with the push notification — it begins with a credential theft, and email phishing is the most common way to obtain those credentials. A phishing email that captures a username and password enables an attacker to attempt login, which triggers an MFA push notification to the legitimate account holder. If the account holder approves — either through fatigue or confusion — the attacker gains full access.
The email and push-notification components of this attack are designed to work together. Email provides scale: a single campaign can target thousands of victims, capturing credentials from whoever falls for the phishing page. The MFA push then resolves the final barrier for whichever victims the attacker wants to target. Understanding the email phase is essential to disrupting the chain before it reaches the push stage.
How this scam works on email
A phishing email mimicking a known service — Microsoft 365, Google Workspace, a corporate VPN portal — directs the victim to a convincing login page. Credentials entered there are immediately relayed to the attacker, who attempts a login with them. The legitimate account holder then receives an MFA push, which they may approve because they believe they are logging in themselves, or because repeated pushes wear them down until they approve one out of impatience or by accident.
Some campaigns combine the email and push phases with a follow-up phone call or text claiming to be IT support, instructing the victim to approve the push to resolve a supposed account problem. This three-channel approach — email, push, phone — is particularly effective against employees who are inclined to comply with anyone presenting as an authority figure.
Common red flags
- Login page linked from an email has a slightly different domain from the genuine service
- MFA push notification arrives when you did not initiate a login
- Multiple MFA pushes arrive in rapid succession
- Follow-up phone call or text instructs you to approve an MFA notification
- Email creates urgency — 'your account will be suspended' — to provoke quick action
- Login page design is slightly different from the normal interface of the service
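The second and third red flags above can also be caught on the identity-provider side, without relying on the user to notice. The following is an added detection example (not code from the original page); it assumes a hypothetical "timestamp user event source_ip" log format with constructed event names and runs over constructed sample lines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log in a hypothetical "timestamp user event ip" format.
# alice: password accepted, then a burst of pushes ignored/denied until one is approved.
# bob: a normal single-push login that must not alert.
SAMPLE_LOG = """\
2026-06-09T08:01:02Z alice password_ok 203.0.113.7
2026-06-09T08:01:05Z alice push_sent 203.0.113.7
2026-06-09T08:01:35Z alice push_timeout 203.0.113.7
2026-06-09T08:01:40Z alice push_sent 203.0.113.7
2026-06-09T08:02:10Z alice push_denied 203.0.113.7
2026-06-09T08:02:15Z alice push_sent 203.0.113.7
2026-06-09T08:03:05Z alice push_approved 203.0.113.7
2026-06-09T09:15:03Z bob push_sent 198.51.100.4
2026-06-09T09:15:20Z bob push_approved 198.51.100.4
"""

PUSH_BURST_THRESHOLD = 3        # pushes inside WINDOW that count as bombing
WINDOW = timedelta(minutes=5)

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events

def detect_push_bombing(events):
    # Returns {user: summary} for users hit by a push burst; empty dict if none.
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        pushes = [ts for ts, _, e, _ in evs if e == "push_sent"]
        # sliding window: largest number of pushes whose timestamps span <= WINDOW
        best = start = 0
        for end in range(len(pushes)):
            while pushes[end] - pushes[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best < PUSH_BURST_THRESHOLD:
            continue
        outcomes = [e for _, _, e, _ in evs]
        alerts[user] = {
            "pushes_in_window": best,
            "rejected_pushes": sum(e in ("push_timeout", "push_denied") for e in outcomes),
            "approved_after_burst": "push_approved" in outcomes,
        }
    return alerts
```

An alert where a burst of rejected pushes ends in an approval is the case to treat as a probable compromise rather than a nuisance.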
How to protect yourself
- Never approve an MFA push notification you did not initiate yourself
- If you receive unexpected MFA pushes, change your password immediately and report it to your IT team or the service
- Use a hardware security key (FIDO2) instead of push notifications for critical accounts — the key binds its response to the genuine site's origin, so a look-alike login page cannot obtain a usable one
- Type service URLs manually rather than clicking email links
- Report any email that mimics a corporate login page to your IT security team
How to report it
- Report phishing emails to your email provider and to the organisation being impersonated
- Report to your IT security team immediately if you may have entered credentials on a phishing page
- Report to Action Fraud (UK) or IC3 (US) for targeted credential phishing
Frequently asked questions
What should I do if I accidentally approved an MFA push I did not initiate?
Change your password immediately, review active sessions in your account settings and terminate any unrecognised ones, and report the incident to the service's security team and your own IT support if it was a work account.
Is push-based MFA safe?
Push-based MFA is significantly safer than no MFA, but it is vulnerable to push bombing attacks when combined with credential phishing. Hardware security keys or app-based TOTP codes are more resistant because they require physical possession or time-limited codes that cannot be relayed.