Hacker News
by NVQXE23I 1590 days ago
I never use Office 365, but how does this fatigue attack work? If I have my phone lying on my desk and I am not doing anything with Office 365, wouldn't it be very strange that I receive a request to authorize a login?

I would call the Helpdesk, like I am instructed. Or do people just get annoyed and click "Authorize" eventually?

1 comment

It's a security decision made consciously or less consciously by you the user, so it won't be 100% accurate like a hardware U2F key would be. There was recently a story about a Dutch government employee who leaked his password and erroneously approved the MFA pop-up when the white hat hacker tried to log in.