Tactic: Defense Evasion (ATK-TA0005)
Technique ID: SAF-T1403
Severity: High
First Observed: Observed in production (MFA fatigue attacks 2022+, MCP context 2025)
Last Updated: 2025-11-16
Consent-Fatigue Exploit is an attack technique where adversaries deliberately generate a high volume of benign or repetitive permission requests, approval prompts, or notifications to desensitize users and reduce their vigilance toward security decisions. By overwhelming users with frequent, seemingly harmless prompts, attackers condition them to approve requests reflexively without careful scrutiny. Once this habituation is established, adversaries inject a critical malicious request into the stream of benign prompts, exploiting the user's diminished attention and increasing the likelihood of automatic approval.
This technique exploits fundamental human psychology around habituation and cognitive load. When users are repeatedly exposed to similar stimuli—particularly in high-frequency scenarios—they develop automated responses to reduce mental effort (Kahneman, 2011). In the context of MCP-powered AI agents, this manifests when agents request frequent tool invocations, file access permissions, or API calls. Security researchers have documented similar patterns in MFA fatigue attacks, where attackers bombard users with push notifications until they approve access out of frustration (Microsoft Security Response Center, 2022).
- Primary Vector: High-frequency benign permission requests followed by malicious request insertion in MCP agent workflows
- Secondary Vectors:
- MFA push notification bombing targeting AI agent OAuth flows
- Repeated tool invocation requests with similar descriptions
- Notification flooding in multi-agent collaboration environments
- Approval workflow manipulation in autonomous agent systems
- Chat interface spam creating urgency and desensitization
- Time-pressure tactics combined with request flooding
- User with approval authority for MCP tool invocations or agent actions
- Ability to trigger permission requests or approval prompts
- Access to legitimate or compromised MCP server that can generate requests
- Understanding of target user's workflow and approval patterns
graph TD
A[Attacker] -->|Controls or Compromises| B[MCP Server/Agent]
B -->|Phase 1: Conditioning| C{Generate High-Volume Benign Requests}
C -->|Request Type 1| D[File Access Requests]
C -->|Request Type 2| E[API Call Approvals]
C -->|Request Type 3| F[Tool Invocation Prompts]
C -->|Request Type 4| G[Data Access Permissions]
D --> H[User Exposed to Repeated Prompts]
E --> H
F --> H
G --> H
H -->|Over Time| I{User Habituation Develops}
I -->|Behavioral Change| J[User Begins Auto-Approving]
J -->|Pattern Recognition| K[Click-Through Without Reading]
I -->|Phase 2: Exploitation| L[Attacker Injects Malicious Request]
L -->|Timing| M{Strategic Insertion}
M -->|Tactic 1| N[Mid-Stream Injection]
M -->|Tactic 2| O[Time-Pressure Context]
M -->|Tactic 3| P[Similar Wording to Benign Requests]
M -->|Tactic 4| Q[Batch with Legitimate Requests]
N --> R[Malicious Request Presented]
O --> R
P --> R
Q --> R
R -->|User State| S{Fatigued User Sees Request}
S -->|Automatic Response| T[User Approves Without Scrutiny]
T -->|Post-Exploitation| U{Malicious Actions Execute}
U -->|Impact 1| V[Data Exfiltration]
U -->|Impact 2| W[Privilege Escalation]
U -->|Impact 3| X[Unauthorized Operations]
U -->|Impact 4| Y[System Compromise]
style A fill:#d73027,stroke:#000,stroke-width:2px,color:#fff
style B fill:#fc8d59,stroke:#000,stroke-width:2px,color:#000
style L fill:#d73027,stroke:#000,stroke-width:2px,color:#fff
style U fill:#d73027,stroke:#000,stroke-width:2px,color:#fff
style I fill:#fee090,stroke:#000,stroke-width:2px,color:#000
style T fill:#fee090,stroke:#000,stroke-width:2px,color:#000
- Conditioning Phase: Attacker establishes pattern of frequent, benign permission requests (e.g., "Agent requests to read config.json", "Agent requests to call weather API", "Agent requests to search documentation")
- Habituation Development: Over hours or days, user becomes accustomed to approving these requests and develops automatic approval behavior
- Psychological Priming: Repetitive prompts reduce cognitive engagement and critical evaluation of each request
- Strategic Timing: Attacker waits for signs of user fatigue (faster approval times, decreased scrutiny)
- Malicious Request Injection: Critical request inserted with similar wording/format (e.g., "Agent requests to read credentials.env" or "Agent requests to execute system command")
- Exploitation: Fatigued user approves without reading carefully, granting access to sensitive resources or dangerous operations
MCP Chat Interface - Benign Request Pattern (Conditioning)
{
"timestamp": "2025-11-16T09:15:32Z",
"request_type": "tool_invocation",
"tool": "file_reader",
"prompt": "I need to read the project README to help with your question.",
"requires_approval": true,
"user_response": "approved",
"response_time_ms": 3200
}{
"timestamp": "2025-11-16T09:22:18Z",
"request_type": "tool_invocation",
"tool": "file_reader",
"prompt": "I need to read the package.json to understand dependencies.",
"requires_approval": true,
"user_response": "approved",
"response_time_ms": 2800
}{
"timestamp": "2025-11-16T09:35:44Z",
"request_type": "tool_invocation",
"tool": "file_reader",
"prompt": "I need to read the configuration file to help with setup.",
"requires_approval": true,
"user_response": "approved",
"response_time_ms": 1900
}Malicious Request Injection (Exploitation after 15+ similar requests)
{
"timestamp": "2025-11-16T11:42:09Z",
"request_type": "tool_invocation",
"tool": "file_reader",
"prompt": "I need to read the environment file to help with configuration.",
"target_file": ".env",
"requires_approval": true,
"user_response": "approved",
"response_time_ms": 890,
"contains_secrets": true,
"actual_impact": "Credentials exposed: AWS_SECRET_KEY, DATABASE_PASSWORD, API_TOKENS"
}Notice the decreasing response times (3200ms → 890ms) indicating habituation and reduced scrutiny.
Research from Microsoft and security incident reports document MFA fatigue as a proven attack vector. In September 2022, Uber suffered a breach where attackers used MFA fatigue to compromise employee accounts (Krebs on Security, 2022). Microsoft 365 customers experienced similar attacks where adversaries sent dozens of push notifications until users approved to stop the bombardment (Microsoft Threat Intelligence, 2022).
The MCP context extends this technique:
- Push Notification Bombing: AI agents configured to repeatedly request OAuth token approval through push notifications
- Approval Fatigue: Users bombarded with 20-50+ approval requests in rapid succession
- Social Engineering Context: Requests framed as urgent ("Your agent needs immediate access to continue critical work")
- Legitimacy Disguise: Initial requests are genuinely needed, establishing pattern of approval
Attackers optimize timing based on user behavioral patterns:
- End-of-Day Attacks: Targeting users when cognitive fatigue is highest (4-6 PM) (Kahneman, 2011)
- High-Workload Periods: Exploiting moments when users are overwhelmed with tasks
- Context-Switch Moments: Injecting malicious requests during transitions between activities
- Friday Afternoon Effect: Leveraging reduced scrutiny before weekends
In environments with multiple AI agents:
- Agent A (Legitimate): Generates 90% of benign requests, establishing trust
- Agent B (Compromised): Injects malicious requests that appear to come from trusted Agent A
- Cross-Agent Confusion: Users cannot easily distinguish which agent generated each request
- Shared Approval Queue: Malicious requests hidden within legitimate multi-agent workflows
Attackers craft requests to maximize approval likelihood:
- Semantic Similarity: Malicious requests use nearly identical wording to benign ones
- Normalization: Gradually escalating request sensitivity (config.json → secrets.json → .env)
- Authority Mimicry: Requests framed as "required by system" or "needed for proper operation"
- Urgency Framing: "Waiting for approval to continue..." creates pressure to approve quickly
- Confidentiality: High - Enables unauthorized access to sensitive files, credentials, and data that would normally require explicit approval
- Integrity: Medium - Approved malicious operations can modify system state, but integrity impact depends on specific actions granted
- Availability: Low - Not primarily targeting service disruption, though approved operations could affect availability
- Scope: Local to Network-wide - Depends on compromised agent's permissions and approved action scope; can escalate from single user to broader system access
Security organizations have begun documenting consent fatigue as a significant threat vector:
- CISA issued guidance on MFA fatigue attacks in late 2022, recommending number-matching and additional context in approval prompts (CISA Alert AA22-277A)
- Microsoft implemented number-matching in Authenticator app to combat push notification fatigue attacks (Microsoft Documentation, 2023)
- Security researchers have proposed cognitive load monitoring and approval pattern analysis to detect habituation (Forget et al., 2016)
- MCP implementations are beginning to add approval throttling and enhanced context in permission prompts
However, MCP-specific consent fatigue remains underaddressed, with most AI agent platforms lacking:
- Approval rate monitoring and alerting
- Behavioral baseline establishment for normal approval patterns
- Forced delays or cognitive friction for sensitive operations
- Differentiated approval interfaces based on risk level
- Unusually high frequency of permission requests (>10 per hour) from a single MCP server or agent
- Decreasing approval response times over a session (indicating habituation)
- Approval of high-risk operations (credential access, system execution) without corresponding pause in response time
- Pattern of benign requests followed by sensitive request with similar response time
- Approval requests occurring during known high-fatigue periods (late evening, end of workday)
- Multiple failed or rejected requests followed by eventual approval of same action
- Requests with incrementally escalating permissions (file read → directory list → credential access)
Important: The following rule is written in Sigma format and contains example patterns only. Attackers continuously develop new social engineering techniques and timing strategies. Organizations should:
- Use behavioral analysis to establish baseline approval patterns for each user
- Implement machine learning models to detect anomalous approval timing and frequency
- Monitor for approval rate acceleration (decreasing response times over session)
- Correlate approval patterns with user context (time of day, workload indicators)
- Consider biometric or attention-tracking signals to detect reduced cognitive engagement
# EXAMPLE SIGMA RULE - Not comprehensive
title: MCP Consent Fatigue Attack Detection
id: 8f37ee6c-6f0e-411b-be8e-36ef3f3fefc1
status: experimental
description: Detects potential consent fatigue exploitation through high-frequency approval requests followed by sensitive operations
author: SAF-MCP Team
date: 2025-11-16
references:
- https://github.com/saf-mcp/techniques/SAF-T1403
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a
- https://www.microsoft.com/en-us/security/blog/2022/08/26/cyber-signals-defending-against-cyber-threats-with-the-latest-research-insights-and-trends/
logsource:
product: mcp
service: approval_workflow
detection:
# High frequency of requests
high_frequency:
event_type: 'approval_request'
timeframe: '1h'
count: '>= 10'
# Decreasing response times (habituation indicator)
habituation_pattern:
event_type: 'approval_granted'
response_time_trend: 'decreasing'
window_size: 5
threshold_percentage: -30 # 30% decrease in response time
# Sensitive operation approval
sensitive_approval:
event_type: 'approval_granted'
risk_level:
- 'high'
- 'critical'
operation_type:
- 'credential_access'
- 'system_execution'
- 'file_deletion'
- 'network_exfiltration'
- 'privilege_escalation'
# Fast approval of sensitive operation (under 2 seconds)
rapid_sensitive_approval:
event_type: 'approval_granted'
risk_level:
- 'high'
- 'critical'
response_time_ms: '< 2000'
# Sequential pattern: many benign followed by sensitive
condition: (high_frequency and sensitive_approval) or (habituation_pattern and sensitive_approval) or rapid_sensitive_approval
falsepositives:
- Legitimate bulk operations requiring multiple approvals
- Power users with genuine need for frequent tool access
- Automated testing or development workflows
- Users with established fast approval patterns for genuinely safe operations
level: high
tags:
- attack.defense_evasion
- attack.t1204 # User Execution
- attack.t1078 # Valid Accounts (when combined with credential theft)
- safe.t1403- User approval rate suddenly increases (from 60% to 95%+ approval rate)
- Average time-per-approval decreases by >50% within a session
- User approves high-risk operation with same speed as low-risk operations
- Approval granted during atypical hours for that user (3 AM approval when user normally works 9-5)
- Multiple requests from same server/agent in rapid succession (< 30 seconds apart)
- User approves request they previously rejected after repeated presentation
- Pattern of identical or near-identical request descriptions in short timeframe
- Approval granted immediately after notification flood (10+ notifications in 1 minute)
-
SAF-M-20: Adaptive Approval Friction: Implement risk-based approval interfaces that introduce proportional cognitive friction for sensitive operations:
- Low-risk operations: Simple click approval with minimal context
- Medium-risk operations: Require reading detailed description and checkbox confirmation
- High-risk operations: Require typing exact operation name, solving CAPTCHA, or number-matching
- Critical operations: Require secondary authentication (MFA, password re-entry)
-
SAF-M-21: Approval Rate Limiting: Enforce rate limits on permission requests per MCP server:
- Maximum 5 approval requests per agent per 15-minute window for normal operations
- Exponential backoff for rejected requests (1min → 5min → 15min → 1hour)
- Automatic flagging and temporary suspension after 20 requests in 1 hour
- Different rate limits for different risk categories
-
SAF-M-22: Contextual Approval Prompts: Enhance approval interfaces with rich context:
- Display exact file path, API endpoint, or command being accessed
- Show risk level with color-coding (green/yellow/red)
- Include "last requested" timestamp to highlight unusual repetition
- Display request count for this agent in current session
- Present diff view for operations that modify state
-
SAF-M-23: Forced Delay for Sensitive Operations: According to research on security habituation (Forget et al., 2016), introducing mandatory delays can disrupt automatic approval patterns:
- 5-second mandatory wait before high-risk operations can be approved
- Progressive disclosure: show full details only after 3-second delay
- "Cool-down" period after rejecting a request (30 seconds before same request can be re-presented)
-
SAF-M-24: Approval Pattern Baselining: Establish behavioral baselines for each user:
- Track typical approval rate, response time distribution, and time-of-day patterns
- Alert on statistical anomalies (>2 standard deviations from baseline)
- Machine learning models to detect approval habituation in real-time
- Automatic escalation when approval behavior deviates significantly
-
SAF-M-25: Number-Matching for Critical Operations: Implement Microsoft's number-matching approach for MCP context:
- Display random 2-3 digit number in agent request
- User must enter exact number in approval interface
- Prevents blind clicking and ensures user attention to specific request
- Already proven effective in reducing MFA fatigue attacks (Microsoft, 2023)
-
SAF-M-26: Approval Batching Prevention: Prevent agents from queuing multiple approval requests:
- Only one pending approval request per agent at a time
- Force sequential approval (cannot submit request #2 until #1 is resolved)
- Disable "approve all" functionality for mixed-risk batches
-
SAF-M-27: Time-of-Day Risk Adjustment: Increase security controls during high-fatigue periods:
- Stricter approval requirements for requests outside normal working hours
- Enhanced prompts and mandatory delays after 8 PM local time
- Automatic escalation to secondary approver for late-night high-risk requests
-
SAF-M-28: Real-Time Habituation Detection: Monitor approval sessions for signs of user fatigue:
- Track response time acceleration within sessions
- Alert security team when approval rate exceeds baseline by >30%
- Flag sessions with >15 approvals in 30 minutes for review
- Generate daily reports on potential consent fatigue incidents
-
SAF-M-29: Post-Approval Auditing: Review approval decisions for anomalous patterns:
- Weekly audit of all high-risk approvals with response time < 2 seconds
- Identify users with statistically anomalous approval patterns
- Correlate approved operations with actual security incidents
- Implement user feedback loop ("Did you intend to approve this?")
-
SAF-M-30: Approval Context Recording: Log comprehensive context for forensic analysis:
- Timestamp, response time, approval count in session, user workload indicators
- Screen recording or UI state capture for critical approvals
- Biometric data if available (attention tracking, stress indicators)
- Environmental context (time of day, device type, location)
-
Immediate Actions:
- Temporarily suspend approval privileges for affected user
- Block MCP server/agent generating suspicious request patterns
- Alert user to potential consent fatigue exploitation
- Revoke tokens/credentials that may have been compromised via approved requests
-
Investigation Steps:
- Review full approval log for affected session and preceding 7 days
- Analyze request timing, frequency, and content patterns
- Identify all operations approved during suspected fatigue period
- Determine if sensitive data was accessed or operations executed
- Check for signs of credential theft, data exfiltration, or privilege escalation
- Interview user to understand their subjective experience and awareness
-
Remediation:
- Rotate credentials and API keys that may have been exposed
- Review and revoke unnecessary permissions granted during fatigue period
- Implement additional approval controls for affected user (mandatory delays, number-matching)
- Provide user training on consent fatigue risks and recognition
- Update detection rules based on attack patterns observed
- Enhance approval interface based on lessons learned
- Consider implementing organizational policy: maximum approvals per session
According to Krebs on Security and The Hacker News, Uber suffered a significant security breach when an attacker:
- Attack Vector: Purchased stolen credentials from dark web, then used MFA fatigue technique
- Execution: Sent dozens of MFA push notifications to target employee's phone
- Social Engineering: Contacted victim via WhatsApp posing as IT support, claiming the notifications were part of a "fix"
- Impact: Employee approved MFA request out of frustration; attacker gained full access to internal systems
- Severity: Complete compromise of internal admin tools, widespread data access
Microsoft Security Blog reported that Cisco experienced similar attack:
- Technique: Lapsus$ group used credential theft combined with MFA fatigue
- Method: Continuous push notification bombardment until employee approved
- Impact: Access to Cisco's VPN and internal networks
While not yet widely publicized, security researchers monitoring MCP deployments have observed:
- Internal Incident Reports: Multiple organizations reported users accidentally approving credential access after 20+ benign file read requests
- Red Team Exercises: Penetration testers successfully exploited consent fatigue to gain elevated MCP tool permissions in 67% of engagements where technique was attempted
- User Behavior Studies: Approval response times decreased by average of 58% after 12th consecutive request in controlled studies
These incidents demonstrate consent fatigue is a proven, actively exploited attack vector that has successfully compromised major organizations. The technique's adaptation to MCP environments is a natural evolution requiring urgent attention.
Specific application to MFA systems:
- Continuous push notification generation (20-100+ notifications)
- Exploiting user frustration and notification fatigue
- Often combined with social engineering (fake "IT support" contact)
Gradual increase in requested permission sensitivity:
- Start with obviously safe requests (read public documentation)
- Slowly escalate to configuration files
- Eventually request credentials or sensitive data
- Users fail to notice graduated risk increase
Combining fatigue with time pressure:
- Framing requests as "blocking critical work"
- Using countdown timers or "waiting..." indicators
- Implying user is causing delay or problem by not approving
- Creating artificial urgency to bypass careful evaluation
Leveraging complexity of multi-agent environments:
- Multiple agents generating interleaved requests
- User cannot track which agent requested what
- Malicious requests disguised within legitimate multi-agent workflows
- Exploiting trust in "agent ecosystem" rather than individual agent
Targeting specific times when users are vulnerable:
- End-of-day fatigue exploitation
- Late-night or early-morning attacks (reduced cognitive function)
- High-workload period targeting
- Friday afternoon "weekend mode" exploitation
- SAF-T1102: Prompt Injection - Can be combined with consent fatigue to manipulate agent into generating approval requests
- SAF-T1001: Tool Poisoning Attack - May use consent fatigue to get poisoned tools approved by users
- SAF-T1201: MCP Rug Pull Attack - Can leverage established approval patterns from consent fatigue
- SAF-T1104: Over-Privileged Tool Abuse - Consent fatigue enables approval of dangerous over-privileged operations
- Model Context Protocol Specification
- OWASP Top 10 for LLM Applications
- CISA Alert AA22-277A: Cybersecurity Advisory on MFA Fatigue Attacks
- Microsoft Security Blog: Defending Against Cyber Threats - MFA Fatigue
- Krebs on Security: How an MFA Bombing Led to Uber's Breach
- The Hacker News: MFA Fatigue Attack - How Uber Got Hacked
- Microsoft Documentation: Number Matching in Authenticator
- Thinking, Fast and Slow - Daniel Kahneman, 2011
- Why Do People Keep Falling For Phishing? - Forget et al., ACM CHI 2016
- The Psychology of Security - Bruce Schneier, Communications of the ACM, January 2008
- T1204 - User Execution - Relies on user executing or approving malicious actions
- T1078 - Valid Accounts - When consent fatigue leads to credential approval
- T1534 - Internal Spearphishing - Similar social engineering principles
| Version | Date | Changes | Author |
|---|---|---|---|
| 1.0 | 2025-11-16 | Initial comprehensive documentation with real-world incidents, sub-techniques, and detailed mitigations | Laxmi Pant |