T1621 IBM QRadar · QRadar

Detect Multi-Factor Authentication Request Generation in IBM QRadar

This detection identifies MFA fatigue attacks where adversaries possessing valid credentials repeatedly trigger MFA push notifications, SMS codes, or phone calls to overwhelm target users into approving fraudulent authentication requests. The detection monitors Azure AD and identity provider sign-in logs for abnormally high volumes of MFA challenge events against a single account within a short time window, with elevated severity when a successful authentication follows the bombardment — a pattern consistent with documented TTPs from APT29, Scattered Spider, and LAPSUS$. The technique may also abuse Self-Service Password Reset (SSPR) flows to generate MFA requests without initially possessing valid credentials.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1621 Multi-Factor Authentication Request Generation
Canonical reference
https://attack.mitre.org/techniques/T1621/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT username as "Username", sourceip as "SourceIP", devicetime as "EventTime", UTF8(payload) as "EventDetails", count(*) as "FailureCount", CASE WHEN count(*) > 20 THEN 95 WHEN count(*) > 10 THEN 80 WHEN count(*) > 5 THEN 65 ELSE 40 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Azure Active Directory', 'Okta', 'Duo Security') AND (eventid IN (50074, 50076, 50158, 65001) OR UTF8(payload) ILIKE '%MFA%' AND UTF8(payload) ILIKE '%fail%') GROUP BY username, sourceip HAVING count(*) > 5 ORDER BY "RiskScore" DESC LAST 1 HOURS
high severity high confidence

IBM QRadar AQL translation of the T1621 detection. Uses SQL-like syntax with risk scoring. Detects MFA fatigue attacks by aggregating Azure AD sign-in failures with MFA interrupt error codes

Data Sources

Microsoft Azure Active DirectoryOktaDuo Security

Required Tables

events

False Positives & Tuning

  • Users with intermittent network connectivity who retry authentication multiple times legitimately, generating repeated MFA prompts without adversarial intent
  • Conditional Access policies configured to always require MFA on every request (rather than session-based) can generate high volumes of 50076 events for normal users
  • Automated service accounts or scripts using interactive auth flows that repeatedly fail MFA challenge — these should use device-based or certificate auth instead
  • IT administrators testing MFA policies, running phishing simulation exercises, or conducting MFA enrollment drives that generate burst MFA events for multiple accounts
Download portable Sigma rule (.yml)

Other platforms for T1621

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1MFA Fatigue via Python MSAL Repeated Authentication Requests

    Expected signal: Azure AD SigninLogs generates 10 entries for [email protected] with ResultType 50076 or 50158 within a 60-second window, all from the test machine's egress IP. If user approves, a ResultType 0 entry appears.

  2. Test 2MFA Bombardment via Azure AD Token Endpoint curl Loop

    Expected signal: Azure AD SigninLogs shows 10 entries for [email protected] with ResultType 50076 or 500121, all with identical IPAddress (test machine egress IP), within 30 seconds. UserAgent field shows curl version string.

  3. Test 3Okta MFA Bombing via Okta Authentication API

    Expected signal: Okta System Log generates policy.auth.mfa.push.sent events for [email protected], 8 events within 40 seconds. In Splunk: sourcetype=okta:im2:log eventType=policy.auth.mfa.push.sent target{}[email protected]

Last updated: 2026-03-20 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1621 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1078Valid AccountsT1110.001Password GuessingT1556.003Pluggable Authentication ModulesT1539Steal Web Session CookieT1557Adversary-in-the-MiddleT1598.002Spearphishing Attachment

Same Tactic: Credential Access

Popular Detections