T1111 Sumo Logic CSE · Sumo

Detect Multi-Factor Authentication Interception in Sumo Logic CSE

Adversaries may target multi-factor authentication (MFA) mechanisms to intercept authentication factors including smart card PINs, hardware token codes (RSA SecurID), SMS-based one-time passwords, and app-based push notifications. Interception methods include keylogging to capture smart card PINs or TOTP codes, SMS hijacking via SIM swapping or compromised messaging service providers, MFA prompt bombing (fatigue attacks sending repeated push notifications until the user approves), and adversary-in-the-middle (AiTM) phishing frameworks that relay credentials and capture session tokens post-MFA. Nation-state groups including Kimsuky (proprietary OTP interception tool), APT42 (cloned websites capturing MFA tokens), and Chimera (registering adversary phone numbers on compromised accounts) have employed these techniques. Criminal group LAPSUS$ operationalized MFA fatigue at scale against major technology firms, achieving access by sending repeated Authenticator push notifications until users approved out of confusion or frustration.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1111 Multi-Factor Authentication Interception
Canonical reference: https://attack.mitre.org/techniques/T1111/

Sumo Detection Query

Sumo Logic CSE (Sumo)

// Parse Azure AD / Okta sign-in JSON; nodrop keeps events that lack a field
(_sourceCategory=azure/aad/signin OR _sourceCategory=azure/signinlogs OR _sourceCategory=okta/events)
| json field=_raw "userPrincipalName" as user nodrop
| json field=_raw "resultType" as result_type nodrop
| json field=_raw "authenticationRequirement" as auth_req nodrop
| json field=_raw "ipAddress" as src_ip nodrop
| json field=_raw "appDisplayName" as app_name nodrop
| json field=_raw "authenticationDetails[0].authenticationMethod" as mfa_method nodrop
// Keep only sign-ins that involved an MFA factor
| where auth_req = "multiFactorAuthentication"
  or mfa_method in ("PhoneAppNotification", "PhoneAppOTP", "OneWaySMS", "TwoWayVoiceMobile", "HardwareToken")
// resultType 0 is a successful sign-in; any other value is a failed or denied attempt
| if(result_type != "0", 1, 0) as is_failure
| if(result_type = "0", 1, 0) as is_success
| timeslice 30m
| sum(is_failure) as failed_mfa_count,
  sum(is_success) as success_mfa_count,
  count_distinct(src_ip) as unique_source_ips,
  values(src_ip) as source_ips,
  values(mfa_method) as mfa_methods,
  values(app_name) as targeted_apps,
  min(_messageTime) as first_attempt_epoch,
  max(_messageTime) as last_event_epoch
  by _timeslice, user
// Fatigue pattern: 5+ failures and at least one success for the same user in one 30-minute slice
| where failed_mfa_count >= 5 and success_mfa_count >= 1
| round(failed_mfa_count * 100 / (failed_mfa_count + success_mfa_count), 1) as fatigue_ratio_pct
// _messageTime is epoch milliseconds, so divide by 60000 for minutes
| round((last_event_epoch - first_attempt_epoch) / 60000, 1) as window_duration_min
| fields _timeslice, user, failed_mfa_count, success_mfa_count, fatigue_ratio_pct, window_duration_min, unique_source_ips, source_ips, mfa_methods, targeted_apps
| sort by failed_mfa_count desc

Severity: high. Confidence: high.

Detects MFA fatigue attacks in Sumo Logic by parsing Azure AD or Okta sign-in log JSON, filtering for multi-factor authentication events, and aggregating into 30-minute timeslices per user. Flags any user whose slice contains 5 or more MFA failures together with at least one success, the signature of a user who eventually approved a prompt after repeated denials. The fatigue ratio percentage and window duration are emitted so analysts can gauge severity and separate a genuine fatigue pattern from transient connectivity problems. Note that the JSON paths in the query follow the Azure AD sign-in schema; Okta System Log events name their fields differently, so the okta/events source category needs its own field mapping before the same aggregation applies.
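The aggregation the query performs, reimplemented here in Python over constructed sample sign-in events so the thresholds and derived fields can be checked offline. This is an added example, not code from the page or from Sumo Logic; the event shape follows the Azure AD field names the query parses, and the epoch values and resultType codes in the sample are constructed.

```python
import json
from collections import defaultdict

# Same MFA method list the Sumo query filters on
MFA_METHODS = {"PhoneAppNotification", "PhoneAppOTP", "OneWaySMS",
               "TwoWayVoiceMobile", "HardwareToken"}
SLICE_MS = 30 * 60 * 1000  # the query's 30-minute timeslice

def detect_mfa_fatigue(raw_lines, min_failures=5, min_successes=1):
    """Per (timeslice, user): count MFA failures and successes, flag buckets
    meeting both thresholds, return them sorted by failure count descending."""
    buckets = defaultdict(lambda: {"fail": 0, "ok": 0, "ips": set(),
                                   "first": None, "last": None})
    for line in raw_lines:
        ev = json.loads(line)
        details = ev.get("authenticationDetails") or [{}]
        method = details[0].get("authenticationMethod")
        if (ev.get("authenticationRequirement") != "multiFactorAuthentication"
                and method not in MFA_METHODS):
            continue  # mirrors the query's where clause
        ts = ev["_messageTime"]  # epoch ms, like Sumo's _messageTime
        b = buckets[(ts - ts % SLICE_MS, ev.get("userPrincipalName"))]
        b["ok" if ev.get("resultType") == "0" else "fail"] += 1  # 0 = success
        b["ips"].add(ev.get("ipAddress"))
        b["first"] = ts if b["first"] is None else min(b["first"], ts)
        b["last"] = ts if b["last"] is None else max(b["last"], ts)
    results = []
    for (slice_start, user), b in buckets.items():
        if b["fail"] < min_failures or b["ok"] < min_successes:
            continue
        total = b["fail"] + b["ok"]
        results.append({"timeslice": slice_start, "user": user,
                        "failed_mfa_count": b["fail"], "success_mfa_count": b["ok"],
                        "fatigue_ratio_pct": round(b["fail"] * 100 / total, 1),
                        "window_duration_min": round((b["last"] - b["first"]) / 60000, 1),
                        "unique_source_ips": len(b["ips"])})
    return sorted(results, key=lambda r: -r["failed_mfa_count"])

# Constructed sample sign-in events (not real telemetry): six denied pushes
# then one approval for alice inside a single 30-minute slice; bob is benign.
def _event(ts, user, result):
    return json.dumps({"_messageTime": ts, "userPrincipalName": user,
                       "resultType": result, "ipAddress": "198.51.100.7",
                       "authenticationRequirement": "multiFactorAuthentication",
                       "authenticationDetails": [{"authenticationMethod": "PhoneAppNotification"}]})

BASE = 1_700_000_000_000  # constructed epoch milliseconds
SAMPLE_LOG = ([_event(BASE + i * 30_000, "alice@example.com", "500121") for i in range(6)]
              + [_event(BASE + 200_000, "alice@example.com", "0"),
                 _event(BASE + 10_000, "bob@example.com", "0")])
```

Running detect_mfa_fatigue(SAMPLE_LOG) returns one hit for alice with 6 failures, 1 success, a fatigue ratio of 85.7 and a 3.3-minute window; raising min_failures to 7 returns nothing.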

Data Sources

  • Azure AD Sign-In Logs via Sumo Logic Azure source
  • Okta System Log via Sumo Logic Okta source
  • Microsoft 365 Cloud-to-Cloud source

Required Tables

  • azure/aad/signin
  • azure/signinlogs
  • okta/events

False Positives & Tuning

  • New employees completing MFA enrollment who accidentally trigger multiple push notifications before understanding the accept/deny flow in the authenticator app
  • Users traveling internationally whose push notifications arrive out of order or are delayed due to roaming connectivity, causing them to re-request and approve multiple prompts
  • Automated provisioning pipelines using MFA-enabled service accounts that implement aggressive retry logic on transient Azure AD throttling responses

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: MFA Fatigue Simulation via Repeated MSAL Authentication Requests

    Expected signal: Azure AD Sign-In Logs (AADSignInLogs): 10 entries for the test account — each with ResultType indicating MFA prompt sent or denied, AuthenticationRequirement=multiFactorAuthentication, AuthenticationMethodsUsed=PhoneAppNotification. Events appear within a 3-5 minute window, all from the same source IP (the test machine). If any prompt is approved, a success event (ResultType=0) also appears.

  2. Test 2: Smart Card API Enumeration via Custom Process

    Expected signal: Sysmon Event ID 1 (Process Create): scard_probe.exe spawned from powershell.exe with the compilation command in ParentCommandLine. Sysmon Event ID 7 (Image Load): scard_probe.exe loading C:\Windows\System32\winscard.dll — InitiatingProcessFileName=scard_probe.exe is not in the allowlist of expected winscard.dll callers. Sysmon Event ID 11 (File Create): scard_probe.exe written to %TEMP%.

  3. Test 3: OTP Keylogger via Low-Level Keyboard Hook Installation

    Expected signal: Sysmon Event ID 1 (Process Create): PowerShell with command line containing SetWindowsHookEx, WH_KEYBOARD_LL references — triggers on process create. Windows Security Event ID 4688 (if command-line audit enabled). PowerShell ScriptBlock Log Event ID 4104 captures the full hook installation code. Behavior-based EDR (CrowdStrike, Defender, SentinelOne) should generate a keyboard hook behavioral alert for the WH_KEYBOARD_LL hook type.

  4. Test 4: Adversary MFA Phone Number Registration via Microsoft Graph API

    Expected signal: Azure AD Audit Logs (AuditLogs table in Sentinel / azure:aad:audit in Splunk): OperationName='List user authentication methods' — the enumeration creates an audit event. If the write command is executed (in authorized lab only): OperationName='User registered security info' or 'Add user StrongAuthenticationMethod' with the new phone number value in TargetResources[0].modifiedProperties. Both events include the actor's IP address and UPN.
