Detect Multi-Factor Authentication Request Generation in Google Chronicle
This detection identifies MFA fatigue attacks where adversaries possessing valid credentials repeatedly trigger MFA push notifications, SMS codes, or phone calls to overwhelm target users into approving fraudulent authentication requests. The detection monitors Azure AD and identity provider sign-in logs for abnormally high volumes of MFA challenge events against a single account within a short time window, with elevated severity when a successful authentication follows the bombardment — a pattern consistent with documented TTPs from APT29, Scattered Spider, and LAPSUS$. The technique may also abuse Self-Service Password Reset (SSPR) flows to generate MFA requests without initially possessing valid credentials.
MITRE ATT&CK
- Tactic
- Credential Access
- Canonical reference
- https://attack.mitre.org/techniques/T1621/
YARA-L Detection Query
rule detect_mfa_fatigue {
meta:
author = "Argus"
description = "Detects MFA fatigue attacks via repeated failed MFA prompts"
severity = "HIGH"
technique = "T1621"
events:
$e.metadata.event_type = "USER_LOGIN"
$e.metadata.product_name = "Microsoft Azure Active Directory"
$e.security_result.action = "BLOCK"
re.regex($e.security_result.description, `MFA|multi-factor|50074|50076|50158`) nocase
match:
$e.principal.user.userid over 1h
condition:
#e > 5
}Google Chronicle YARA-L 2.0 rule for T1621 detection using UDM event types and field matching. Detects MFA fatigue attacks by aggregating Azure AD sign-in failures with MFA interrupt error codes
Data Sources
Required Tables
False Positives & Tuning
- Users with intermittent network connectivity who retry authentication multiple times legitimately, generating repeated MFA prompts without adversarial intent
- Conditional Access policies configured to always require MFA on every request (rather than session-based) can generate high volumes of 50076 events for normal users
- Automated service accounts or scripts using interactive auth flows that repeatedly fail MFA challenge — these should use device-based or certificate auth instead
- IT administrators testing MFA policies, running phishing simulation exercises, or conducting MFA enrollment drives that generate burst MFA events for multiple accounts
Other platforms for T1621
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MFA Fatigue via Python MSAL Repeated Authentication Requests
Expected signal: Azure AD SigninLogs generates 10 entries for [email protected] with ResultType 50076 or 50158 within a 60-second window, all from the test machine's egress IP. If user approves, a ResultType 0 entry appears.
- Test 2MFA Bombardment via Azure AD Token Endpoint curl Loop
Expected signal: Azure AD SigninLogs shows 10 entries for [email protected] with ResultType 50076 or 500121, all with identical IPAddress (test machine egress IP), within 30 seconds. UserAgent field shows curl version string.
- Test 3Okta MFA Bombing via Okta Authentication API
Expected signal: Okta System Log generates policy.auth.mfa.push.sent events for [email protected], 8 events within 40 seconds. In Splunk: sourcetype=okta:im2:log eventType=policy.auth.mfa.push.sent target{}[email protected]
References (6)
- https://attack.mitre.org/techniques/T1621/
- https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf
- https://www.obsidiansecurity.com/blog/account-takeover-through-sspr-abuse/
- https://portswigger.net/daily-swig/mfa-fatigue-attacks-users-tricked-into-allowing-device-access
- https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/
- https://www.microsoft.com/en-us/security/blog/2022/10/25/microsoft-mitigates-lapsus-attacks-via-mfa-policy/
Unlock Pro Content
Get the full detection package for T1621 including response playbook, investigation guide, and atomic red team tests.