Detect Multi-Factor Authentication Interception in Microsoft Sentinel
Adversaries may target multi-factor authentication (MFA) mechanisms to intercept authentication factors including smart card PINs, hardware token codes (RSA SecurID), SMS-based one-time passwords, and app-based push notifications. Interception methods include keylogging to capture smart card PINs or TOTP codes, SMS hijacking via SIM swapping or compromised messaging service providers, MFA prompt bombing (fatigue attacks sending repeated push notifications until the user approves), and adversary-in-the-middle (AiTM) phishing frameworks that relay credentials and capture session tokens post-MFA. Nation-state groups including Kimsuky (proprietary OTP interception tool), APT42 (cloned websites capturing MFA tokens), and Chimera (registering adversary phone numbers on compromised accounts) have employed these techniques. Criminal group LAPSUS$ operationalized MFA fatigue at scale against major technology firms, achieving access by sending repeated Authenticator push notifications until users approved out of confusion or frustration.
MITRE ATT&CK
- Tactic
- Credential Access
- Canonical reference
- https://attack.mitre.org/techniques/T1111/
KQL Detection Query
// Detection: MFA Fatigue / Prompt Bombing — multiple failed MFA prompts followed by success
let MfaFatigueWindow = 30min;
let MfaPromptThreshold = 5;
let FailedMfaEvents = AADSignInLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"
| where AuthenticationRequirement == "multiFactorAuthentication"
| where AuthenticationDetails has_any ("MFA", "PhoneAppNotification", "PhoneAppOTP", "OneWaySMS", "TwoWayVoiceMobile")
| project FailTime=TimeGenerated, UserPrincipalName, FailIP=IPAddress, FailLocation=Location;
let SuccessfulMfaEvents = AADSignInLogs
| where TimeGenerated > ago(24h)
| where ResultType == "0"
| where AuthenticationRequirement == "multiFactorAuthentication"
| project SuccessTime=TimeGenerated, UserPrincipalName, SuccessIP=IPAddress, AppDisplayName, SuccessLocation=Location, UserAgent;
FailedMfaEvents
| join kind=inner SuccessfulMfaEvents on UserPrincipalName
| where SuccessTime between (FailTime .. (FailTime + MfaFatigueWindow))
| summarize
FailCount = dcount(FailTime),
FirstFailTime = min(FailTime),
SuccessTime = max(SuccessTime),
FailSourceIPs = make_set(FailIP),
SuccessSourceIPs = make_set(SuccessIP),
TargetApps = make_set(AppDisplayName),
FailLocations = make_set(FailLocation)
by UserPrincipalName
| where FailCount >= MfaPromptThreshold
| extend TimeDeltaMinutes = datetime_diff('minute', SuccessTime, FirstFailTime)
| extend AlertType = "MFA Fatigue Attack"
| extend IPMismatch = set_difference(SuccessSourceIPs, FailSourceIPs) != dynamic([])
| project AlertType, UserPrincipalName, FailCount, TimeDeltaMinutes, FirstFailTime, SuccessTime,
FailSourceIPs, SuccessSourceIPs, IPMismatch, TargetApps, FailLocations
| sort by FailCount descDetects MFA fatigue (prompt bombing) attacks using Azure AD Sign-In Logs (AADSignInLogs). Identifies accounts with 5 or more failed MFA authentication attempts within a 30-minute window that are followed by a successful MFA authentication — a pattern consistent with LAPSUS$-style MFA harassment attacks. The IPMismatch field flags cases where the successful authentication came from a different IP than the failed attempts, which may indicate AiTM relay infrastructure. Requires Azure AD P1/P2 or Microsoft Entra ID sign-in log ingestion into Sentinel.
Data Sources
Required Tables
False Positives & Tuning
- Users with poor mobile connectivity who retry MFA push notifications multiple times due to notification delivery failures — particularly common in low-signal areas or when VPN is in use on the authenticator device
- Users who habitually dismiss MFA notifications accidentally before accepting them, especially with Microsoft Authenticator number matching where dismissal is a single tap away from approval
- Automated testing frameworks or CI/CD pipelines in non-production tenants that trigger interactive authentication flows repeatedly during integration tests
- Users traveling across Conditional Access geographic zones triggering multiple re-authentication challenges in rapid succession during transit
- Help desk password reset workflows where multiple MFA verification rounds occur during account recovery procedures
Other platforms for T1111
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MFA Fatigue Simulation via Repeated MSAL Authentication Requests
Expected signal: Azure AD Sign-In Logs (AADSignInLogs): 10 entries for the test account — each with ResultType indicating MFA prompt sent or denied, AuthenticationRequirement=multiFactorAuthentication, AuthenticationMethodsUsed=PhoneAppNotification. Events appear within a 3-5 minute window, all from the same source IP (the test machine). If any prompt is approved, a success event (ResultType=0) also appears.
- Test 2Smart Card API Enumeration via Custom Process
Expected signal: Sysmon Event ID 1 (Process Create): scard_probe.exe spawned from powershell.exe with the compilation command in ParentCommandLine. Sysmon Event ID 7 (Image Load): scard_probe.exe loading C:\Windows\System32\winscard.dll — InitiatingProcessFileName=scard_probe.exe is not in the allowlist of expected winscard.dll callers. Sysmon Event ID 11 (File Create): scard_probe.exe written to %TEMP%.
- Test 3OTP Keylogger via Low-Level Keyboard Hook Installation
Expected signal: Sysmon Event ID 1 (Process Create): PowerShell with command line containing SetWindowsHookEx, WH_KEYBOARD_LL references — triggers on process create. Windows Security Event ID 4688 (if command-line audit enabled). PowerShell ScriptBlock Log Event ID 4104 captures the full hook installation code. Behavior-based EDR (CrowdStrike, Defender, SentinelOne) should generate a keyboard hook behavioral alert for the WH_KEYBOARD_LL hook type.
- Test 4Adversary MFA Phone Number Registration via Microsoft Graph API
Expected signal: Azure AD Audit Logs (AuditLogs table in Sentinel / azure:aad:audit in Splunk): OperationName='List user authentication methods' — the enumeration creates an audit event. If the write command is executed (in authorized lab only): OperationName='User registered security info' or 'Add user StrongAuthenticationMethod' with the new phone number value in TargetResources[0].modifiedProperties. Both events include the actor's IP address and UPN.
References (12)
- https://attack.mitre.org/techniques/T1111/
- https://sec.okta.com/scatterswine
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.mandiant.com/resources/blog/apt42-charms-the-cyber-landscape
- https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-number-match
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadsigninlogs
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1111/T1111.md
- https://dl.mandiant.com/EE/assets/PDF_MTrends_2011.pdf
- https://www.nccgroup.com/uk/research-blog/chimera-unc2975-january-2021/
- https://docs.microsoft.com/en-us/graph/api/authentication-list-methods
Unlock Pro Content
Get the full detection package for T1111 including response playbook, investigation guide, and atomic red team tests.