Subscribe to the Non-Human & AI Identity Journal
Home FAQ Threats, Abuse & Incident Response Why do phishing and MFA fatigue still lead…
Threats, Abuse & Incident Response

Why do phishing and MFA fatigue still lead to major breaches?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 9, 2026 Domain: Threats, Abuse & Incident Response

Phishing and MFA fatigue work because they exploit trust in the authentication flow, not because the attacker has stronger technology. When users can approve repeated prompts or open malicious content that leads to a valid session, the identity boundary is bypassed through behaviour rather than code. Security teams need to control the approval path, not just the password field.

Why This Matters for Security Teams

Phishing and mfa fatigue remain effective because they target the human approval path that still sits in front of many high-value accounts. A password alone is rarely the failure point anymore; the breach happens when a user is tricked into authorising a session, a token request, or a helpdesk reset that looks legitimate enough in the moment. That makes this a governance problem as much as an authentication problem.

This pattern shows up in both workforce identity and NHI-linked workflows. Once a valid session is issued, attackers often pivot to email, cloud consoles, SaaS admin planes, and API surfaces using the organisation’s own trust. NHIMG has documented how identity-focused intrusions move through real environments in cases such as Microsoft Midnight Blizzard breach and Uber Breach, while NIST’s SP 800-53 Rev. 5 Security and Privacy Controls remains clear that authentication strength must be paired with monitoring and access control.

In practice, many security teams encounter the compromise only after the attacker has already turned a single approval into a trusted session, rather than through intentional control failure testing.

How It Works in Practice

Phishing succeeds when the attacker can make a request look routine: a login page, an MFA push, an OAuth consent screen, a password reset, or a support interaction. MFA fatigue works because repeated prompts create decision fatigue, and users learn to approve first and verify later. The real weakness is not the second factor itself; it is the lack of contextual checks around the approval event.

Current guidance suggests reducing reliance on push-only approval and moving toward phishing-resistant methods, stronger transaction binding, and policy checks that evaluate the request at the moment it is made. That is especially important where session tokens and API credentials can be replayed outside the original device or browser. The 52 NHI Breaches Analysis shows how compromised identities often become the entry point for broader abuse, and the Ultimate Guide to NHIs — Why NHI Security Matters Now explains why identity trust is now a primary control plane, not a background service.

  • Use phishing-resistant MFA where possible, especially for admins and remote access.
  • Require device, location, and risk-based checks before approving sensitive sessions.
  • Limit repeated push prompts and alert on approval bursts or unusual time patterns.
  • Treat helpdesk resets, OAuth consent, and token issuance as privileged events.
  • Log and correlate approval events with downstream activity, not just login success.

These controls tend to break down when legacy applications, shared admin accounts, or unsupported MFA methods force teams back to push approvals and manual exceptions.

Common Variations and Edge Cases

Tighter authentication controls often increase friction, so organisations must balance user convenience against the risk of false approvals and support overhead. That tradeoff becomes sharper in high-change environments where contractors, executives, or incident responders need rapid access and are more likely to override normal behaviour.

There is no universal standard for this yet, but current guidance suggests three edge cases deserve special treatment. First, service desks and break-glass accounts need separate approval logic because attackers frequently target recovery flows when direct login is blocked. Second, mobile-first workforces can face prompt fatigue faster than desktop users, which makes number matching, device binding, and token binding more valuable than raw prompt volume. Third, AI-assisted social engineering is raising the quality of lure content and timing, which makes behavioural detection more important than message filtering alone. The CoPhish OAuth Token Theft via Copilot Studio case illustrates how modern phishing now reaches beyond email into consent and token flows, while Anthropic’s first AI-orchestrated cyber espionage campaign report shows how automation can scale deception and operator efficiency.

At a practical level, the control objective is simple: make it hard to turn one human mistake into a durable authenticated session.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-04Phishing often leads to stolen sessions and abused credentials.
OWASP Agentic AI Top 10A-02Agentic abuse often begins with consent, prompt, or approval manipulation.
CSA MAESTROIAM-02Covers trust decisions for autonomous and semi-autonomous digital actors.
NIST AI RMFAI RMF addresses human oversight and trustworthy system behavior.
NIST CSF 2.0PR.AA-1Authentication assurance and verification underpin secure access decisions.

Reduce token replay risk with short-lived secrets, scoped access, and continuous verification.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org