THREAT-EntraID-MFAFatigue

Multi-Factor Authentication Fatigue (MFA Bombing) Attack

MFA fatigue (also called MFA bombing or push flooding) is a social engineering technique where an attacker who has obtained valid credentials uses repeated MFA push notifications to wear down the victim into approving an authentication request out of annoyance or confusion. Scattered Spider pioneered this at scale, compromising MGM Resorts, Caesars Entertainment, and numerous UK-based organisations. The attacker sends dozens of Authenticator app push notifications in rapid succession, sometimes at 3am to catch sleeping victims, until one is approved. Some variants include calling the victim while bombing, claiming to be IT support (vishing), and guiding them to approve the 'legitimate' request. NCSC and CISA issued a joint advisory on this technique in 2023. With valid M365 credentials available from password spray or phishing, MFA fatigue is the primary way Scattered Spider bypasses MFA.

Microsoft Sentinel / Defender

kusto

// THREAT: MFA Fatigue / MFA Bombing Detection
// Detects rapid repeated MFA requests for the same user — push flooding pattern
// Primary telemetry: Azure AD Sign-in logs, MFA request events

// Alert 1: High volume of MFA requests for single user in short window
let MFAFatigueThreshold = 5; // Number of MFA prompts within window
let MFAFatigueWindow = 10m;
AADSignInLogs
| where TimeGenerated > ago(24h)
| where AuthenticationDetails has "MFA" or AuthenticationRequirement =~ "multiFactorAuthentication"
| where Status.errorCode in (
    0,      // Success
    50074,  // StrongAuthenticationRequired
    50076,  // MFA required
    500121, // Authentication failed during strong auth
    500133  // User did not complete MFA
  )
| summarize
    MFAAttempts=count(),
    Approvals=countif(Status.errorCode == 0),
    Denials=countif(Status.errorCode == 500121),
    NoResponses=countif(Status.errorCode == 500133),
    IPs=make_set(IPAddress),
    Locations=make_set(Location),
    Apps=make_set(AppDisplayName)
  by UserPrincipalName, bin(TimeGenerated, MFAFatigueWindow)
| where MFAAttempts >= MFAFatigueThreshold
| extend FatiguePattern = (Denials > 3 and Approvals == 1) or (NoResponses > 4 and Approvals == 1)
| where MFAAttempts >= MFAFatigueThreshold
| extend ThreatType = "MFA_Fatigue_PushBombing"
| extend ThreatActors = "Scattered Spider, Lapsus$"
| sort by MFAAttempts desc;
// Alert 2: MFA approval following high failure rate (fatigue success indicator)
AADSignInLogs
| where TimeGenerated > ago(24h)
| where Status.errorCode == 0
| where AuthenticationRequirement =~ "multiFactorAuthentication"
| join kind=inner (
    AADSignInLogs
    | where TimeGenerated > ago(24h)
    | where Status.errorCode == 500133  // MFA not completed (prior denials/timeouts)
    | summarize PriorDenials=count() by UserPrincipalName
    | where PriorDenials >= 3
  ) on UserPrincipalName
| project TimeGenerated, UserPrincipalName, IPAddress, Location,
    AppDisplayName, PriorDenials
| extend ThreatType = "MFA_Fatigue_SuccessAfterDenials"

high severity high confidence

Data Sources

Azure AD Sign-In Logs (AADSignInLogs) Microsoft Authenticator logs Entra ID Identity Protection

Required Tables

AADSignInLogs

False Positives

Users with intermittent mobile connectivity who have multiple MFA push notifications queued and delivered in rapid succession
Automated system accounts or service principals that trigger MFA in rapid succession during batch processing
MFA enrollment flows that trigger multiple notifications during the enrollment wizard
Users testing their own MFA setup by repeatedly triggering and denying prompts

Elastic Security (EQL)

eql

// MFA Fatigue — Push Bombing Fatigue-Success Sequence
// Detects 3+ MFA failures/timeouts followed by approval for same user within 10m
sequence by azure.signinlogs.properties.user_principal_name with maxspan=10m
  [any where event.dataset == "azure.signinlogs"
   and azure.signinlogs.properties.authentication_requirement == "multiFactorAuthentication"
   and azure.signinlogs.properties.status.error_code in (500133, 500121, 50074, 50076)]
  [any where event.dataset == "azure.signinlogs"
   and azure.signinlogs.properties.authentication_requirement == "multiFactorAuthentication"
   and azure.signinlogs.properties.status.error_code in (500133, 500121, 50074, 50076)]
  [any where event.dataset == "azure.signinlogs"
   and azure.signinlogs.properties.authentication_requirement == "multiFactorAuthentication"
   and azure.signinlogs.properties.status.error_code in (500133, 500121, 50074, 50076)]
  [any where event.dataset == "azure.signinlogs"
   and azure.signinlogs.properties.authentication_requirement == "multiFactorAuthentication"
   and azure.signinlogs.properties.status.error_code == 0]

critical severity high confidence

Data Sources

Azure Active Directory Sign-in Logs via Elastic Azure integration (azure module) Entra ID Sign-in Logs forwarded via Azure Event Hub + Elastic Agent

Required Tables

logs-azure.signinlogs-* azure-logs-*

False Positives

Legitimate users experiencing genuine MFA app issues (TOTP clock drift, Authenticator app crash) who retry several times before successfully completing MFA after resolving the issue themselves
Automated CI/CD service principals or headless integration accounts with misconfigured MFA policies that accumulate timeout events before a manual intervention allows the workflow to proceed
Users who switch devices mid-authentication (e.g. start on laptop, switch to phone) causing multiple NO_RESPONSE timeout events before successfully approving on the second device

IBM QRadar (AQL)

sql

SELECT
    "username",
    COUNT(*) AS TotalMFAEvents,
    SUM(CASE WHEN "Azure AD Error Code" IN ('0') THEN 1 ELSE 0 END) AS Approvals,
    SUM(CASE WHEN "Azure AD Error Code" IN ('500121') THEN 1 ELSE 0 END) AS Denials,
    SUM(CASE WHEN "Azure AD Error Code" IN ('500133') THEN 1 ELSE 0 END) AS NoResponses,
    SUM(CASE WHEN "Azure AD Error Code" IN ('50074','50076') THEN 1 ELSE 0 END) AS OtherFailures,
    COUNT(DISTINCT SOURCEIP) AS UniqueSourceIPs,
    DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstAttempt,
    DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LastAttempt,
    (SUM(CASE WHEN "Azure AD Error Code" IN ('500121','500133','50074','50076') THEN 1 ELSE 0 END)) AS TotalFailures
FROM events
WHERE
    LOGSOURCETYPEID IN (
        SELECT id FROM LOGSOURCETYPES
        WHERE name LIKE '%Azure Active Directory%'
           OR name LIKE '%Microsoft Azure AD%'
    )
    AND "Azure AD Authentication Requirement" = 'multiFactorAuthentication'
    AND "Azure AD Error Code" IN ('0','50074','50076','500121','500133')
    AND starttime > NOW() - 86400000
GROUP BY
    "username",
    FLOOR(LONG(starttime) / 600000)
HAVING
    TotalMFAEvents >= 5
    OR (Approvals >= 1 AND TotalFailures >= 3)
ORDER BY TotalMFAEvents DESC
LAST 1000 RESULTS

high severity medium confidence

Data Sources

Microsoft Azure Active Directory DSM (QRadar App Exchange) Microsoft Azure AD via Universal Cloud REST API protocol

Required Tables

events (QRadar event pipeline)

False Positives

Helpdesk-assisted account recovery sessions where IT staff trigger multiple MFA challenges while walking a user through a password reset or device enrolment procedure
MDM bulk-enrolment workflows for new device rollouts that generate repeated Conditional Access MFA prompts for the same user across multiple enrolment attempts
VPN concentrators or application proxies configured for silent re-authentication that retry MFA automatically on transient failures, creating artificial prompt bursts within the detection window

Sumo Logic CSE

sql

_sourceCategory=azure/signinlogs OR _sourceCategory=azure/aad/signin
| json field=_raw "properties.userPrincipalName" as user
| json field=_raw "properties.authenticationRequirement" as auth_req
| json field=_raw "properties.status.errorCode" as error_code
| json field=_raw "properties.ipAddress" as ip_address
| json field=_raw "properties.location" as location
| json field=_raw "properties.appDisplayName" as app_name
| where auth_req = "multiFactorAuthentication"
| where error_code in ("0", "50074", "50076", "500121", "500133")
| eval mfa_result = if(error_code = "0", "SUCCESS",
    if(error_code = "500121", "DENIED",
    if(error_code = "500133", "NO_RESPONSE", "PROMPTED")))
| timeslice 10m
| stats
    count AS TotalPrompts,
    countif(mfa_result = "SUCCESS") AS Approvals,
    countif(mfa_result = "DENIED") AS Denials,
    countif(mfa_result = "NO_RESPONSE") AS NoResponses,
    dcount(ip_address) AS UniqueSourceIPs,
    values(location) AS Locations,
    values(app_name) AS Applications
    by user, _timeslice
| where TotalPrompts >= 5
| eval FatigueSuccess = if(Approvals >= 1 AND (Denials + NoResponses) >= 3, "YES", "NO")
| eval Severity = if(FatigueSuccess = "YES", "CRITICAL", "HIGH")
| eval ThreatType = "MFA_Fatigue_PushBombing"
| eval ThreatActors = "Scattered Spider, Lapsus$, 0ktapus"
| fields user, _timeslice, TotalPrompts, Approvals, Denials, NoResponses, UniqueSourceIPs, FatigueSuccess, Severity, ThreatType, Locations, Applications
| sort by TotalPrompts desc

critical severity high confidence

Data Sources

Azure Active Directory Sign-in Logs via Sumo Logic Azure integration Entra ID logs forwarded via Azure Event Hub to Sumo Logic HTTP Source

Required Tables

azure/signinlogs source category azure/aad/signin source category

False Positives

Users with persistent MFA app synchronisation problems (clock skew on hardware tokens or soft tokens) who generate repeated failures before escalating to IT and resolving the configuration issue
Third-party federated SSO integrations that silently re-authenticate against Azure AD during token refresh cycles, triggering MFA Conditional Access policies and accumulating timeout events without user awareness
Bulk licence assignment or tenant migration scripts that programmatically trigger authentication flows for many accounts, some of which may have MFA configured inconsistently

Google Chronicle / SecOps

yaral

rule mfa_fatigue_push_bombing {
  meta:
    author = "df00tech"
    description = "Detects MFA fatigue push bombing: 3+ MFA failures followed by approval for same user within 10 minutes"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1621/"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1621"
    threat_actors = "Scattered Spider, Lapsus$, 0ktapus"
    false_positives = "Legitimate MFA issues; device-switching during auth flow"
    version = "1.0"

  events:
    $mfa_fail.metadata.event_type = "USER_LOGIN"
    $mfa_fail.metadata.product_name = "Azure Active Directory"
    $mfa_fail.extensions.auth.auth_details = "multiFactorAuthentication"
    $mfa_fail.security_result.action = "FAIL"
    $mfa_fail.principal.user.email_addresses = $user

    $mfa_success.metadata.event_type = "USER_LOGIN"
    $mfa_success.metadata.product_name = "Azure Active Directory"
    $mfa_success.extensions.auth.auth_details = "multiFactorAuthentication"
    $mfa_success.security_result.action = "ALLOW"
    $mfa_success.principal.user.email_addresses = $user

    $mfa_fail.metadata.event_timestamp.seconds <
      $mfa_success.metadata.event_timestamp.seconds

  match:
    $user over 10m

  condition:
    #mfa_fail >= 3 and #mfa_success >= 1
}

critical severity high confidence

Data Sources

Azure Active Directory logs via Chronicle Google Cloud integration Entra ID Sign-in Logs via Chronicle ingestion API with Azure AD parser

Required Tables

UDM events (Chronicle unified data model — USER_LOGIN category) Azure Active Directory Chronicle parser output

False Positives

Users who legitimately dismiss several push notifications because their phone is locked or Authenticator is backgrounded, then manually open the app and approve — generating the 3-fail/1-success pattern without any attacker involvement
Shared service account users where two operators simultaneously receive and interact with MFA prompts from different devices, with one declining and the other approving within the same window
Conditional Access policy changes or tenant configuration updates mid-session that force MFA re-evaluation, generating repeated FAIL events before the new policy evaluation resolves and allows an ALLOW

CrowdStrike LogScale (CQL)

cql

// MFA Fatigue / Push Bombing — CrowdStrike LogScale
// Requires: Falcon Identity Protection OR Azure AD events via CrowdStrike SIEM Connector
// Event source: AADSignInEvent (Falcon Identity) or AzureADAuthentication (SIEM Connector)

#event_simpleName = AADSignInEvent
| authentication_requirement = "multiFactorAuthentication"
| error_code in (field=error_code, values=["0", "50074", "50076", "500121", "500133"])
| eval mfa_result = case(
    error_code == "0", "SUCCESS",
    error_code == "500121", "DENIED",
    error_code == "500133", "NO_RESPONSE",
    true(), "PROMPTED"
  )
| groupBy(
    [user_principal_name, bucket(field=@timestamp, span=10min)],
    function=[
      count(as=TotalPrompts),
      countIf(mfa_result == "SUCCESS", as=Approvals),
      countIf(mfa_result == "DENIED", as=Denials),
      countIf(mfa_result == "NO_RESPONSE", as=NoResponses),
      collect(field=source_ip, limit=20, as=SourceIPs),
      collect(field=app_display_name, limit=10, as=Applications)
    ]
  )
| TotalPrompts >= 5
| eval FatigueSuccess = if(Approvals >= 1 AND (Denials + NoResponses) >= 3, "YES", "NO")
| eval Severity = if(FatigueSuccess == "YES", "CRITICAL", "HIGH")
| eval ThreatType = "MFA_Fatigue_PushBombing"
| eval ThreatActors = "Scattered Spider, Lapsus$"
| sort(TotalPrompts, order=desc)

critical severity medium confidence

Data Sources

CrowdStrike Falcon Identity Protection — Azure AD identity event telemetry Azure AD Sign-in Logs via CrowdStrike SIEM Connector to LogScale

Required Tables

Falcon Identity Protection repository (LogScale) Azure AD ingest repository (LogScale — if using SIEM Connector)

False Positives

IT administrators running automated user provisioning or licence assignment workflows that generate MFA challenges for newly created accounts before MFA registration is complete
Global executives or frequent travellers authenticating from multiple countries within short periods, triggering Conditional Access location-based MFA on each new geography and accumulating prompt events
Users whose Microsoft Authenticator app is killed by iOS or Android battery optimisation, generating repeated NO_RESPONSE timeout events before a manual app relaunch allows the push notification to be actioned

Last updated: 2026-04-25 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for THREAT-EntraID-MFAFatigue including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Multi-Factor Authentication Fatigue (MFA Bombing) Attack

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Same Tactic: Credential Access

Popular Detections