MFA fatigue attacks are up 40% — what we're doing about it for clients
Attackers don't bother bypassing MFA anymore — they just spam push prompts at 2am until someone taps Approve. Here's the technical fix and the human one.

Multi-factor authentication is brilliant, until it isn't. The latest attack pattern hitting Manchester SMBs in 2026 isn't sophisticated — it's just relentless.
The attack pattern
The attacker has a valid username and password (probably from a credential dump). They try to log in. MFA fires a push notification to the user's phone. The user declines. The attacker tries again. And again. And again. At 2am. The user, half-asleep, taps "Approve" to make the buzzing stop. The attacker is in.
This is MFA fatigue, and Microsoft's threat data shows it's up roughly 40% year-on-year across UK SMBs.
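The pattern above leaves a recognisable trace in sign-in logs: a run of denied or timed-out push prompts for one account, sometimes ending in an approval. The following Python is an added example, not code from the original article; the event layout, result labels, 10-minute window and threshold of 3 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, source IP, push result).
# The tuple layout and result labels are assumptions for this example,
# not the schema of any particular identity provider's sign-in log.
SAMPLE_EVENTS = [
    ("2026-03-02T02:01:10", "alice@example.com", "203.0.113.7", "denied"),
    ("2026-03-02T02:02:05", "alice@example.com", "203.0.113.7", "denied"),
    ("2026-03-02T02:03:40", "alice@example.com", "203.0.113.7", "timeout"),
    ("2026-03-02T02:05:15", "alice@example.com", "203.0.113.7", "denied"),
    ("2026-03-02T02:06:30", "alice@example.com", "203.0.113.7", "approved"),
    ("2026-03-02T09:00:00", "bob@example.com", "198.51.100.4", "denied"),
    ("2026-03-02T09:00:45", "bob@example.com", "198.51.100.4", "approved"),
    ("2026-03-02T11:00:00", "carol@example.com", "198.51.100.9", "timeout"),
    ("2026-03-02T11:40:00", "carol@example.com", "198.51.100.9", "denied"),
    ("2026-03-02T11:41:00", "carol@example.com", "198.51.100.9", "approved"),
]


def find_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag bursts of denied or timed-out push prompts and approvals that follow one."""
    recent = defaultdict(deque)  # user -> times of recent denied/timed-out prompts
    alerts = []
    for ts, user, ip, result in sorted(events):  # ISO timestamps sort chronologically
        now = datetime.fromisoformat(ts)
        prompts = recent[user]
        while prompts and now - prompts[0] > window:  # drop prompts outside the window
            prompts.popleft()
        if result in ("denied", "timeout"):
            prompts.append(now)
            if len(prompts) == threshold:  # alert once when the burst crosses the threshold
                alerts.append({"user": user, "time": ts, "ip": ip, "kind": "prompt_burst"})
        elif result == "approved":
            if len(prompts) >= threshold:  # approval straight after a burst: likely fatigue
                alerts.append({"user": user, "time": ts, "ip": ip, "kind": "approved_after_burst"})
            prompts.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_fatigue(SAMPLE_EVENTS):
        print(alert)
```

A single mistaken decline followed by an approval (bob) and two prompts 40 minutes apart (carol) stay below the threshold, so only the 2am burst is flagged.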
The technical fix — number matching
Standard "tap to approve" MFA is dead. Number matching prompts force the user to type a 2-digit code shown on the login screen into their authenticator app. You can't approve by accident, and you can't approve from a different device than the one trying to log in.
For all our Compliance Protect clients, number matching is on by default. If you're a self-managing M365 tenant and haven't switched yet, this is the single highest-leverage 10-minute change you can make this week.
The conditional access fix
Number matching is necessary, not sufficient. We pair it with conditional access policies that block sign-ins from countries the client doesn't operate in, require compliant devices for high-risk apps, and trigger step-up authentication for finance roles.
The human fix
The hardest one. Train people that the only correct response to an unexpected MFA prompt at any time is: decline, and report it. We send a quarterly mock-fatigue test to client users — anyone who taps Approve gets a friendly conversation, not a telling-off.
Three months in, click-throughs on our test prompts have dropped from 18% to under 4%. The training works, but only if it's regular.
If you want us to look at your tenant's MFA posture, it's a 30-minute call and we'll show you exactly where the gaps are. No invoice attached.
Want to talk to a human about this?
We're a Manchester-based MSP serving small businesses across Greater Manchester. Genuinely happy to give straight answers, even if we're not the right fit.