Engineering

Exploiting Trust: The Rise of Push Fatigue and Password Spray Attacks

Push fatigue and password spray attacks exploit user distraction and weak authentication context, making it easy for attackers to bypass MFA. Culminate’s AI SOC Analyst detects these behaviors across identity, EDR, and email logs, and takes automated action—like resetting passwords or deleting malicious emails—while providing clear case timelines for rapid, confident response.
Greg Rudman
June 23, 2025

Exploiting Trust: The Rise of Push Fatigue and Password Spray Attacks

In March 2023, Linus Tech Tips, one of the largest tech YouTube brands in the world, found itself at the center of a security scare. It started not with malware or a sophisticated breach—but with a single click.

Linus Sebastian, the founder of LTT, received what looked like a legitimate security alert: a warning about a suspicious login to the company’s X (Twitter) account from an IP address in Russia. In that moment, he was juggling multiple things—he had just lit the grill and was rushing to prepare for a personal gathering. Under pressure and distracted, he clicked the link in the email without pausing to verify it. That link was phishing bait.

From there, the attackers were able to compromise the account and escalate access. They didn’t break any code—they exploited something far more reliable: human distraction.

What followed included not just access to the company’s social media presence, but also misuse of authentication prompts, likely exploiting MFA fatigue—a technique where attackers bombard users with push notifications until one gets approved out of habit, confusion, or frustration.

This type of attack highlights a growing problem: MFA alone isn’t enough when the attacker already has your password and your attention is elsewhere. Push-based MFA, in particular, can be turned into an attack vector when users are overwhelmed or distracted. It’s not a technical failure—it’s a behavioral one.

In this blog, we’ll break down the mechanics of MFA fatigue and phishing attacks like this one, why they’re so effective, and what changes you can make—from switching to phishing-resistant MFA to building smarter alert systems that don’t rely solely on rushed user decisions.

What is MFA push fatigue?

An MFA push fatigue attack is a social engineering technique where attackers exploit user behavior rather than technical flaws. After stealing valid credentials—usually via phishing—they repeatedly attempt to log in, triggering a stream of push notifications to the user’s device. The goal is to wear down the user until they approve one out of habit, annoyance, or confusion.

This method doesn’t break MFA—it bypasses it through persistence. Since push-based MFA often lacks detailed context, users may mistakenly approve prompts without thinking, especially when distracted. Once approved, the attacker gains full access, making this a stealthy and effective way to compromise accounts.

Why are MFA push fatigue attacks successful?

Human fatigue and distraction: Attackers exploit moments when users are busy or overwhelmed, knowing they’re more likely to approve a push notification without verifying its source.

Lack of context in push-based MFA: Most push prompts don’t clearly show where the login attempt is coming from, making it easy for users to mistake malicious requests for legitimate ones.

What does an MFA push fatigue attack look like in Okta logs?

Before we look at Okta logs, let’s discuss what information we should be looking for. Below is a table containing common Okta event names you will see in authentication flows.

EVENT NAME                          | EXPLANATION
------------------------------------|------------
policy.evaluate_sign_on             | Evaluates sign-on policies to determine if access should be granted.
system.push.send_factor_verify_push | Sends a push notification for MFA to the user’s registered device.
user.authentication.auth_via_mfa    | Records an authentication attempt using an MFA factor; the outcome field shows whether it succeeded or failed.
user.session.start                  | Records a session start attempt; it succeeds only once authentication has completed.
user.authentication.verify          | Confirms the user’s identity during the authentication process.
user.authentication.sso             | User authenticates via Single Sign-On using a federated identity provider.

The event timeline shows a clear pattern consistent with a successful MFA push fatigue attack. It began with a sign-on attempt from IP address 169.150.218.4, which triggered a policy challenge requiring multi-factor authentication. Over the next minute, the attacker repeatedly sent push notifications to the user, evidenced by a series of system.push.send_factor_verify_push events—each followed by failed authentication attempts from a different IP (71.9.21.241), suggesting the user denied or ignored the early prompts. However, after multiple repeated requests, the attacker eventually received an approved push response at 15:48:13Z, allowing the session to be established. This was immediately followed by a successful MFA authentication, SSO logins, and final sign-on policy evaluation marked as ALLOW. The timing and sequence of events strongly indicate the user was overwhelmed or tricked into approving the push notification, completing the attacker’s objective through MFA fatigue.

EVENT_TIME           | EVENT_NAME                          | SOURCE_IP     | EVENT_DETAILS      | OUTCOME_RESULT | OUTCOME_REASON
---------------------|-------------------------------------|---------------|--------------------|----------------|---------------
2025-06-17T15:47:19Z | policy.evaluate_sign_on             | 169.150.218.4 |                    | CHALLENGE      | Sign-on policy evaluation resulted in CHALLENGE
2025-06-17T15:47:22Z | system.push.send_factor_verify_push | 169.150.218.4 |                    | SUCCESS        | null
2025-06-17T15:47:29Z | user.authentication.auth_via_mfa    | 71.9.21.241   | OKTA_VERIFY_PUSH   | FAILURE        | INVALID_CREDENTIALS
2025-06-17T15:47:31Z | user.session.start                  | 169.150.218.4 |                    | FAILURE        | INVALID_CREDENTIALS
2025-06-17T15:47:37Z | system.push.send_factor_verify_push | 169.150.218.4 |                    | SUCCESS        | null
2025-06-17T15:47:42Z | user.authentication.auth_via_mfa    | 71.9.21.241   | OKTA_VERIFY_PUSH   | FAILURE        | INVALID_CREDENTIALS
2025-06-17T15:47:46Z | user.session.start                  | 169.150.218.4 |                    | FAILURE        | INVALID_CREDENTIALS
2025-06-17T15:47:49Z | system.push.send_factor_verify_push | 169.150.218.4 |                    | SUCCESS        | null
2025-06-17T15:47:52Z | user.authentication.auth_via_mfa    | 71.9.21.241   | OKTA_VERIFY_PUSH   | FAILURE        | INVALID_CREDENTIALS
2025-06-17T15:47:54Z | user.session.start                  | 169.150.218.4 |                    | FAILURE        | INVALID_CREDENTIALS
2025-06-17T15:47:57Z | system.push.send_factor_verify_push | 169.150.218.4 |                    | SUCCESS        | null
2025-06-17T15:48:00Z | user.authentication.auth_via_mfa    | 71.9.21.241   | OKTA_VERIFY_PUSH   | FAILURE        | INVALID_CREDENTIALS
2025-06-17T15:48:02Z | user.session.start                  | 169.150.218.4 |                    | FAILURE        | INVALID_CREDENTIALS
2025-06-17T15:48:04Z | system.push.send_factor_verify_push | 169.150.218.4 |                    | SUCCESS        | null
2025-06-17T15:48:13Z | user.authentication.verify          | 169.150.218.4 |                    | SUCCESS        | null
2025-06-17T15:48:13Z | user.session.start                  | 169.150.218.4 |                    | SUCCESS        | null
2025-06-17T15:48:13Z | user.authentication.auth_via_mfa    | 71.9.21.241   | OKTA_VERIFY_PUSH   | SUCCESS        | null
2025-06-17T15:48:16Z | user.authentication.sso             | 169.150.218.4 |                    | SUCCESS        | null
2025-06-17T15:48:26Z | user.authentication.sso             | 169.150.218.4 |                    | SUCCESS        | null
2025-06-17T15:48:26Z | policy.evaluate_sign_on             | 169.150.218.4 |                    | ALLOW          | Sign-on policy evaluation resulted in AUTHENTICATED

How can we detect MFA push fatigue attacks?

Watch for Repeated MFA Prompts

One of the clearest indicators of a push fatigue attempt is a spike in MFA prompts within a short timeframe. Track the number of push notifications sent to each user and flag situations where multiple challenges—typically more than two or three—occur within 10 to 30 minutes. If a successful login follows that burst of failed MFA attempts, it should be investigated immediately. These attacks often involve multiple IP addresses, regions, and user agents, making them harder to spot through simple correlation. An attacker may rotate between different devices or locations, or slightly modify the user agent string, in an attempt to bypass detection systems that rely on matching consistent session attributes.

Analyze the Context of Successful Logins

A successful authentication after repeated failures doesn’t always mean the threat is over—it may mean the attacker got in. Focus on sessions where:

  • The login comes from a new or unusual IP, device, or location
  • There’s evidence of geo-impossible travel
  • The session is followed by high-risk actions like adding MFA methods, changing passwords, or accessing sensitive systems

Correlating sign-in events with post-login activity can help distinguish false positives from real compromises.

Use Behavioral Baselines

  • Push fatigue attacks break normal patterns. Use behavioral analytics to baseline login behavior—usual devices, login times, and networks—and alert when sign-ins fall outside these norms. Anomalies that align with excessive MFA prompts are particularly suspicious and should be treated as high-risk events.

Make It Easy for Users to Report Suspicious Activity

  • Users are often the first to notice something’s wrong—like getting a push notification they didn’t request. Give them a fast, low-friction way to escalate it: a Slack channel, an internal email alias, or a one-click report button. Normalize reporting by making it part of onboarding and ongoing security training.

What does a password spray attack look like in Okta logs?

The timeline of events points to a successful password spray attack that likely led to MFA push fatigue or session hijacking. It started with multiple failed login attempts from IP address 149.88.18.233, each using invalid credentials and triggering MFA challenges. After several tries, the attacker finally guessed the correct password and triggered an MFA push notification. Just seconds later, that push was approved—but from a different IP address, 71.9.21.241. This sudden change suggests the attacker either tricked the user into approving the request or gained access to an existing session. The session quickly progressed with successful MFA, SSO, and authentication events, confirming access was granted. The rapid sequence, paired with the IP mismatch, strongly indicates the attacker used password spraying to compromise credentials and then completed the intrusion through push fatigue or session takeover.

EVENT_TIME           | EVENT_NAME                          | SOURCE_IP     | EVENT_DETAILS      | OUTCOME_RESULT | OUTCOME_REASON
---------------------|-------------------------------------|---------------|--------------------|----------------|---------------
2025-06-19T04:24:45Z | policy.evaluate_sign_on             | 149.88.18.233 |                    | CHALLENGE      | Sign-on policy evaluation resulted in CHALLENGE
2025-06-19T04:24:51Z | user.session.start                  | 149.88.18.233 |                    | FAILURE        | INVALID_CREDENTIALS
2025-06-19T04:24:51Z | user.authentication.auth_via_mfa    | 149.88.18.233 | PASSWORD_AS_FACTOR | FAILURE        | INVALID_CREDENTIALS
2025-06-19T04:24:58Z | user.session.start                  | 149.88.18.233 |                    | FAILURE        | INVALID_CREDENTIALS
2025-06-19T04:24:58Z | user.authentication.auth_via_mfa    | 149.88.18.233 | PASSWORD_AS_FACTOR | FAILURE        | INVALID_CREDENTIALS
2025-06-19T04:25:05Z | user.session.start                  | 149.88.18.233 |                    | FAILURE        | INVALID_CREDENTIALS
2025-06-19T04:25:05Z | user.authentication.auth_via_mfa    | 149.88.18.233 | PASSWORD_AS_FACTOR | FAILURE        | INVALID_CREDENTIALS
2025-06-19T04:25:28Z | user.session.start                  | 149.88.18.233 |                    | SUCCESS        | null
2025-06-19T04:25:28Z | user.authentication.auth_via_mfa    | 149.88.18.233 | PASSWORD_AS_FACTOR | SUCCESS        | null
2025-06-19T04:25:30Z | system.push.send_factor_verify_push | 149.88.18.233 |                    | SUCCESS        | null
2025-06-19T04:25:35Z | user.authentication.auth_via_mfa    | 71.9.21.241   | OKTA_VERIFY_PUSH   | SUCCESS        | null
2025-06-19T04:25:40Z | user.authentication.verify          | 149.88.18.233 |                    | SUCCESS        | null
2025-06-19T04:25:41Z | user.authentication.sso             | 149.88.18.233 |                    | SUCCESS        | null
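As an added example (not code from the original post, and not part of any Culminate product), the following Python script applies the two patterns described above to abridged copies of both timelines: the "repeated MFA prompts followed by an approval" burst from the detection section, and the "password failures from one IP, then a push approved from another IP" sequence from the password spray timeline. The pipe-delimited row format, the 10-minute/3-prompt thresholds and the helper names are assumptions made here.

```python
"""Flag the two Okta sign-in patterns in this post from pipe-delimited rows:
EVENT_TIME|EVENT_NAME|SOURCE_IP|EVENT_DETAILS|OUTCOME_RESULT|OUTCOME_REASON"""
from datetime import datetime, timedelta
from typing import NamedTuple

PUSH_EVENT = "system.push.send_factor_verify_push"
MFA_EVENT = "user.authentication.auth_via_mfa"

class Event(NamedTuple):
    time: datetime
    name: str
    ip: str
    details: str
    result: str

def parse(text):
    """Parse pipe-delimited rows into Events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        t, name, ip, details, result, _reason = line.split("|", 5)
        ts = datetime.fromisoformat(t.replace("Z", "+00:00"))
        events.append(Event(ts, name, ip, details, result))
    return sorted(events, key=lambda e: e.time)

def first_push_approval(events, after):
    """First OKTA_VERIFY_PUSH approval at or after `after`, else None."""
    return next((e for e in events if e.time >= after and e.name == MFA_EVENT
                 and e.details == "OKTA_VERIFY_PUSH" and e.result == "SUCCESS"),
                None)

def detect_push_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """Flag >= min_prompts pushes inside `window` (the post's "more than two or
    three within 10 to 30 minutes") and whether one was then approved, by whom."""
    pushes = [e for e in events if e.name == PUSH_EVENT]
    for i, first in enumerate(pushes):
        burst = [p for p in pushes[i:] if p.time - first.time <= window]
        if len(burst) < min_prompts:
            continue
        approved = first_push_approval(events, first.time)
        finding = {"prompts": len(burst), "requesting_ip": first.ip,
                   "approved": approved is not None}
        if approved:
            # Denied/ignored prompts before the one that finally got approved.
            denied = sum(1 for e in events if first.time <= e.time < approved.time
                         and e.details == "OKTA_VERIFY_PUSH" and e.result == "FAILURE")
            finding.update(failed_before_approval=denied,
                           approved_at=approved.time.isoformat(),
                           approving_ip=approved.ip,
                           ip_mismatch=approved.ip != first.ip)
        return finding
    return None

def detect_spray_then_push(events, min_failures=3):
    """Flag the post's second timeline: repeated password failures from one IP,
    a password success from that IP, then a push approved from another IP."""
    pw = [e for e in events if e.details == "PASSWORD_AS_FACTOR"]
    for i, hit in enumerate(pw):
        if hit.result != "SUCCESS":
            continue
        failures = [f for f in pw[:i] if f.ip == hit.ip and f.result == "FAILURE"]
        approved = first_push_approval(events, hit.time)
        if len(failures) < min_failures or approved is None:
            continue
        return {"spray_ip": hit.ip, "failed_guesses": len(failures),
                "password_success_at": hit.time.isoformat(),
                "push_approved_at": approved.time.isoformat(),
                "seconds_to_approval": int((approved.time - hit.time).total_seconds()),
                "approving_ip": approved.ip, "ip_mismatch": approved.ip != hit.ip}
    return None

# Constructed, abridged copies of the two timelines shown in this post.
PUSH_FATIGUE_LOG = """
2025-06-17T15:47:22Z|system.push.send_factor_verify_push|169.150.218.4||SUCCESS|null
2025-06-17T15:47:29Z|user.authentication.auth_via_mfa|71.9.21.241|OKTA_VERIFY_PUSH|FAILURE|INVALID_CREDENTIALS
2025-06-17T15:47:37Z|system.push.send_factor_verify_push|169.150.218.4||SUCCESS|null
2025-06-17T15:47:42Z|user.authentication.auth_via_mfa|71.9.21.241|OKTA_VERIFY_PUSH|FAILURE|INVALID_CREDENTIALS
2025-06-17T15:47:49Z|system.push.send_factor_verify_push|169.150.218.4||SUCCESS|null
2025-06-17T15:47:52Z|user.authentication.auth_via_mfa|71.9.21.241|OKTA_VERIFY_PUSH|FAILURE|INVALID_CREDENTIALS
2025-06-17T15:48:04Z|system.push.send_factor_verify_push|169.150.218.4||SUCCESS|null
2025-06-17T15:48:13Z|user.authentication.auth_via_mfa|71.9.21.241|OKTA_VERIFY_PUSH|SUCCESS|null
"""
SPRAY_LOG = """
2025-06-19T04:24:51Z|user.authentication.auth_via_mfa|149.88.18.233|PASSWORD_AS_FACTOR|FAILURE|INVALID_CREDENTIALS
2025-06-19T04:24:58Z|user.authentication.auth_via_mfa|149.88.18.233|PASSWORD_AS_FACTOR|FAILURE|INVALID_CREDENTIALS
2025-06-19T04:25:05Z|user.authentication.auth_via_mfa|149.88.18.233|PASSWORD_AS_FACTOR|FAILURE|INVALID_CREDENTIALS
2025-06-19T04:25:28Z|user.authentication.auth_via_mfa|149.88.18.233|PASSWORD_AS_FACTOR|SUCCESS|null
2025-06-19T04:25:30Z|system.push.send_factor_verify_push|149.88.18.233||SUCCESS|null
2025-06-19T04:25:35Z|user.authentication.auth_via_mfa|71.9.21.241|OKTA_VERIFY_PUSH|SUCCESS|null
"""

if __name__ == "__main__":
    print(detect_push_fatigue(parse(PUSH_FATIGUE_LOG)))
    print(detect_spray_then_push(parse(SPRAY_LOG)))
```

Each detector returns None when its pattern is absent, so the same rows can be fed to both; in a real pipeline the rows would be grouped per user before the detectors run.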

How can we mitigate these types of attacks?

Defending against password spray and MFA push fatigue attacks takes more than just enforcing MFA—it requires a layered approach that combines smarter authentication, user awareness, and technical safeguards. These attacks exploit weak passwords and user behavior, so your defenses need to address both.

Strengthen Password Security to Block Spray Attempts

  • Enforce password hardening: Require long, complex passwords and prevent the use of commonly breached credentials using password filtering tools.
  • Monitor for failed login patterns: Set up alerts for multiple failed sign-in attempts across different accounts from the same IP or region—this is a telltale sign of a password spray.
  • Apply smart lockout policies: Instead of locking out individual users (which can cause denial-of-service issues), apply lockouts per IP or on behavior-based thresholds to slow down attackers without harming users.

Educate Users About MFA Threats

  • Regularly train users to never approve MFA prompts they didn’t initiate. Reinforce that push requests aren’t just routine—they’re signals that someone is trying to access their account.
  • Use internal comms, posters, or short videos to make this message stick.

Switch to Phishing-Resistant MFA

  • Move away from push notifications and toward stronger methods like FIDO2 security keys or biometric MFA (e.g., Okta FastPass or Windows Hello). These options require physical presence and intentional action, which makes them immune to push fatigue tactics.

Add Friction with Number Matching or Code Verification

  • When push MFA is unavoidable, configure number matching or verification codes. These force users to pay attention and actively confirm that the login attempt is legitimate.

Throttle MFA Prompts to Prevent Spam

  • Set limits on how many MFA prompts can be sent in a given time window. This not only protects users from prompt fatigue but also gives you a signal that something suspicious is happening.

Lock or Slow Down Suspicious Auth Attempts

  • Introduce temporary account or IP throttling after multiple failed logins—especially when paired with MFA attempts. This disrupts the attack flow and gives security teams time to investigate.

How can Culminate help your organization?

Culminate Security’s AI SOC Analyst makes it faster and easier to investigate threats like password spray attacks and MFA push fatigue. It looks at things a human analyst would—like unusual user agents, rare IP addresses, odd login times, and unfamiliar devices—and connects the dots across multiple data sources, including EDR tools and Office 365 logs. This helps surface suspicious behavior quickly, whether it’s a compromised account or an attacker trying to sneak in through MFA abuse. Once a threat is confirmed, Culminate can automatically respond by resetting passwords, running antivirus scans, or even deleting malicious emails—no manual effort required. Every case includes a clear timeline and decision trail, so your team can see exactly what happened and why action was taken.

Culminate’s AI SOC Analyst autonomously investigates SSO alerts and logs to detect threats like password spray attacks and MFA push fatigue. It mimics how a top-tier analyst thinks, examining key indicators and connecting the dots across multiple data sources.

Key benefits include:

  • Advanced Threat Detection
    • Investigates unusual behavior like rare IPs, unfamiliar devices, odd login times, and suspicious user agents—catching threats humans often miss.
  • Cross-Source Correlation
    • Connects data from SSO, EDR tools, Office 365 logs, and more to surface signs of compromised accounts or MFA abuse.
  • Automated Response
    • Takes immediate action—resetting passwords, running antivirus scans, or deleting malicious emails—without manual intervention.
  • Clear Investigation Trail
    • Every case includes a timeline and decision logic, so your team knows exactly what happened and why.

With Culminate, your SOC can stop threats faster—with less effort and more confidence.

