Push bombing (also called MFA fatigue) has been one of the hottest security topics recently. Attackers have found a way to circumvent the protection of push-based MFA: a script or bot triggers many login attempts in a row, which results in a stream of push notifications to the user's mobile device, in the hope that the user will eventually approve one of them by accident. Here are some good practices you can adopt to reduce the risk:
1. Enforce a stronger password policy. Push bombing presupposes that the attacker already has the user's password.
2. Enable account lock-out after multiple failed login attempts.
3. Turn on mobile biometrics as an additional factor for approving push MFA prompts.
4. Use conditional access policies so that users can only log in from specific countries or from known IP addresses.
5. Educate your users to check the application and location information shown in the prompt before approving it. Note: this information is not always available.