MFA Fatigue Attacks: The New Trick Hitting Australian Small Businesses
You did the right thing. You set up multi-factor authentication across your business — Microsoft 365, your accounting software, maybe your CRM. You told your staff to use the authenticator app. You felt pretty good about it.
Then one of your employees gets 47 push notifications at 11 PM on a Wednesday. They’re tired, confused, and just want their phone to stop buzzing. So they hit “Approve.”
And just like that, an attacker is inside your systems.
Welcome to MFA fatigue attacks. They’re simple, effective, and hitting Australian small businesses right now.
How It Works
An attacker already has your employee’s username and password — usually from a phishing attack or credential stuffing. They can’t get in because of MFA. So instead of trying to bypass it technically, they just try logging in over and over. Each attempt sends a push notification. “Did you try to sign in? Approve / Deny.”
They don’t stop. They send 10, 20, 50, 100 attempts in rapid succession. Sometimes at 2 AM when someone’s half-asleep. Sometimes during a busy workday when they’re distracted. Eventually, someone taps “Approve” — out of frustration, by accident, or because they assume it’s a glitch.
The 2022 Uber breach started this way: an attacker holding a contractor's stolen credentials kept triggering push prompts and then, by most accounts, messaged the contractor claiming to be Uber IT support until one prompt was approved. The same technique has been used against businesses of every size since, including Australian SMBs without a security team watching for it.
Why SMBs Are Particularly Vulnerable
Large enterprises have security operations centres that spot 50 failed authentication attempts in five minutes. Most small businesses don’t. Your staff are the last line of defence, and they haven’t been trained to recognise this specific pattern.
The Australian Cyber Security Centre has been raising awareness about authentication attacks, but MFA fatigue specifically doesn’t always get the attention it deserves in general guidance aimed at small business.
How to Defend Against It
The good news: defending against this isn’t complicated or expensive.
Turn On Number Matching
This is the single most effective countermeasure. Instead of a plain "Approve / Deny" prompt, number matching shows a two-digit number on the sign-in screen, and the user has to type that same number into the authenticator app to approve. When an attacker triggers the prompt, the number appears in the attacker's browser, not on the employee's screen, so the employee can't complete the approval no matter how many times they tap. The only way through is to get the employee to type a number they were told, which is why a follow-up call or message "from IT" asking you to enter a number is part of the attack, not support.
Microsoft rolled number matching out to Microsoft Authenticator push notifications during 2023 and has enforced it for all tenants since May 2023, so if your staff use Microsoft Authenticator you already have it. What's worth checking today is the rest of your Microsoft 365 authentication methods: confirm staff are actually on the Authenticator app (push or passwordless sign-in), and that SMS and voice-call MFA aren't left enabled as a fallback, since those are weaker methods an attacker can steer a user towards. It takes 10 minutes.
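To show why number matching works where plain approve/deny fails, here is a toy model of the push exchange. It is an added example, not Microsoft's implementation or code from this article: the server, user names and the "employee guesses a number" step are all assumptions, and the only property it models is whether the approval has to carry something that was visible on the sign-in screen.

```python
import secrets


class PushMfaServer:
    """Toy identity provider (assumed, not a real product). A sign-in that
    has already passed the password check creates a challenge; the phone
    receives only the challenge id, while the number (when number matching
    is on) is rendered on the sign-in screen, i.e. in whichever browser
    typed the password."""

    def __init__(self, number_matching):
        self.number_matching = number_matching
        self.pending = {}  # challenge_id -> {"user": ..., "number": ...}

    def start_sign_in(self, user):
        challenge_id = secrets.token_hex(8)
        number = secrets.randbelow(100)  # two-digit number, 00-99
        self.pending[challenge_id] = {"user": user, "number": number}
        return challenge_id, number

    def approve(self, challenge_id, entered_number=None):
        """Called from the phone. A challenge can be answered once only, so a
        wrong number can't be retried against the same prompt."""
        challenge = self.pending.pop(challenge_id, None)
        if challenge is None:
            return False
        if not self.number_matching:
            return True  # plain approve/deny: the tap alone is enough
        return entered_number == challenge["number"]


def fatigue_attack(number_matching):
    """Attacker has the password and starts the sign-in; the worn-down
    employee approves without thinking. Returns True if the attacker gets in."""
    idp = PushMfaServer(number_matching)
    challenge_id, number_on_attacker_screen = idp.start_sign_in("employee@example.com.au")
    if not number_matching:
        return idp.approve(challenge_id)
    # The employee never sees number_on_attacker_screen. Whatever they type
    # is a guess; modelled here as any value other than the right one.
    employees_guess = (number_on_attacker_screen + 1) % 100
    return idp.approve(challenge_id, employees_guess)


def attack_success_rate(trials):
    """Same attack, but the employee types a random number each time.
    Expect roughly 1 in 100, i.e. about a hundred prompts per success,
    which is exactly the noisy pattern log monitoring should catch."""
    hits = 0
    for _ in range(trials):
        idp = PushMfaServer(number_matching=True)
        challenge_id, _ = idp.start_sign_in("employee@example.com.au")
        if idp.approve(challenge_id, secrets.randbelow(100)):
            hits += 1
    return hits / trials


def legitimate_sign_in():
    """The employee started the sign-in, so the number is on their own screen."""
    idp = PushMfaServer(number_matching=True)
    challenge_id, number_on_my_screen = idp.start_sign_in("employee@example.com.au")
    return idp.approve(challenge_id, number_on_my_screen)


if __name__ == "__main__":
    print("plain push, blind approve:", fatigue_attack(number_matching=False))
    print("number matching, blind approve:", fatigue_attack(number_matching=True))
    print("number matching, random guesses:", attack_success_rate(2000))
    print("legitimate sign-in:", legitimate_sign_in())
```

The model also makes the social-engineering follow-up obvious: the attacker does know the number, so the remaining attack is to phone the employee and read it out, which is what staff training has to cover.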
Set Up Conditional Access Policies
Conditional access adds rules about when and where logins are allowed:
- Only allow sign-ins from Australia, using a named location, with a documented exception process for staff who travel
- Block sign-ins from anonymising VPN and proxy services
- Require a registered or compliant device, or extra verification, for new devices and unusual locations
- Block legacy authentication protocols (older mail clients, for example) that can't do MFA at all
These policies mean many attacker attempts get blocked before the notification even reaches your employee. Microsoft 365 Business Premium includes conditional access — worth the upgrade for this feature alone.
Train Your Staff on This Exact Scenario
Generic security training is fine. But you need to tell people about this specific attack. Make it concrete:
- An unexpected MFA notification means someone has your password
- Never approve a prompt you didn’t trigger
- A burst of rapid notifications is an attack, not a system error
- If it happens, tap Deny, change your password immediately and report it, so whoever manages IT can revoke active sessions and check the sign-in logs
Role-play the scenario in your next team meeting. Five minutes could prevent a breach.
Consider Phishing-Resistant MFA for Key Accounts
Hardware security keys (like YubiKeys) and passkeys are FIDO2 credentials: the key signs a challenge tied to the real website address, so there is no push notification for an attacker to trigger and nothing that works on a fake sign-in page. With a hardware key the credential never leaves the device, so the physical key is needed to sign in. For admin accounts, finance staff, and anyone with sensitive access, this is worth the $70–$90 per key investment.
Monitor Authentication Logs
If someone manages your IT, even a part-time contractor, make sure they review authentication logs regularly. Dozens of failed MFA attempts followed by a success is an enormous red flag; in the Microsoft Entra sign-in logs it looks like a run of sign-ins for one user that failed at the MFA step, then one that succeeded, usually from the same unfamiliar IP address.
Some businesses work with AI consultants in Sydney to set up automated monitoring that flags unusual authentication patterns in real time. These systems learn normal sign-in behaviour and alert when something looks wrong. For businesses handling client funds or sensitive data, it's increasingly worthwhile.
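The "burst of MFA failures, then a success" check from the previous section, as an added example rather than anything from this article or from Microsoft. The records are constructed, with fields cut down to a loose imitation of Entra sign-in log entries; error code 500121 is the Entra code for "Authentication failed during strong authentication request", which is what a denied or expired push produces, and the window and threshold values are assumptions to tune for your own tenant.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Error codes treated as "failed at the MFA step". 500121 is Entra's code for
# a strong-authentication failure; extend this set for other providers.
MFA_FAILURE_CODES = {500121}


def signin(ts, user, ip, code):
    """Build one constructed sign-in record (simplified Entra-like shape)."""
    return {
        "createdDateTime": ts,
        "userPrincipalName": user,
        "ipAddress": ip,
        "status": {"errorCode": code},  # 0 means the sign-in succeeded
    }


# Constructed sample data; every user, address and time is invented.
SAMPLE_LOG = [
    # alice: six push prompts in six minutes late at night, then a success
    *[signin(f"2024-03-06T23:0{m}:00Z", "alice@example.com.au", "203.0.113.10", 500121)
      for m in range(1, 7)],
    signin("2024-03-06T23:07:30Z", "alice@example.com.au", "203.0.113.10", 0),
    # bob: one mistap, then a normal sign-in; not an attack
    signin("2024-03-06T09:15:00Z", "bob@example.com.au", "198.51.100.7", 500121),
    signin("2024-03-06T09:16:00Z", "bob@example.com.au", "198.51.100.7", 0),
    # carol: five prompts, all denied; worth a phone call even without a success
    *[signin(f"2024-03-06T14:0{m}:00Z", "carol@example.com.au", "203.0.113.77", 500121)
      for m in range(0, 5)],
]


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_mfa_fatigue(records, window_minutes=10, min_failures=5):
    """Per user, keep the MFA failures inside a sliding window. Raise a
    medium alert the moment a burst reaches min_failures, and a high alert
    if a successful sign-in arrives while such a burst is still in the window."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append((parse_ts(r["createdDateTime"]), r))

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        recent = deque()  # (timestamp, ip) of MFA failures still inside the window
        for ts, r in events:
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            code = r["status"]["errorCode"]
            if code in MFA_FAILURE_CODES:
                recent.append((ts, r["ipAddress"]))
                if len(recent) == min_failures:  # fire once, as the burst begins
                    alerts.append({"user": user, "kind": "burst", "severity": "medium",
                                   "failures": len(recent), "at": ts.isoformat(),
                                   "ips": sorted({ip for _, ip in recent})})
            elif code == 0 and len(recent) >= min_failures:
                alerts.append({"user": user, "kind": "success_after_burst", "severity": "high",
                               "failures": len(recent), "at": ts.isoformat(),
                               "ips": sorted({ip for _, ip in recent} | {r["ipAddress"]})})
                recent.clear()  # the burst has been acted on; start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

Run against the sample, alice produces a medium alert at her fifth prompt and a high one at the success, carol a medium alert only, and bob nothing. The high alert is the one to treat as an incident: revoke the user's sessions, reset the password and look at what the session did next.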
What to Do Right Now
Here are your immediate action items:
- Check if number matching is enabled on your MFA settings. Turn it on today if it isn’t.
- Send your staff a brief message explaining MFA fatigue. Plain language: “If your phone buzzes with a login notification you didn’t trigger, don’t approve it. Change your password and tell me.”
- Review conditional access policies or ask your IT provider to do it.
- Consider hardware keys for whoever has the most access — business owner, finance manager, IT admin.
MFA is still one of the best defences you can have. Don’t turn it off because of fatigue attacks — that’s like removing your front door lock because someone learned lock bumping. Upgrade to a better lock instead.
The attackers are getting creative, but the defences exist. You just need to implement them.