Detect Multi-Factor Authentication Fatigue (MFA Bombing) Attack in Google Chronicle
MFA fatigue (also called MFA bombing or push flooding) is a social engineering technique where an attacker who has obtained valid credentials uses repeated MFA push notifications to wear down the victim into approving an authentication request out of annoyance or confusion. Scattered Spider pioneered this at scale, compromising MGM Resorts, Caesars Entertainment, and numerous UK-based organisations. The attacker sends dozens of Authenticator app push notifications in rapid succession, sometimes at 3am to catch sleeping victims, until one is approved. Some variants include calling the victim while bombing, claiming to be IT support (vishing), and guiding them to approve the 'legitimate' request. NCSC and CISA issued a joint advisory on this technique in 2023. With valid M365 credentials available from password spray or phishing, MFA fatigue is the primary way Scattered Spider bypasses MFA.
MITRE ATT&CK
- Tactic: Credential Access
YARA-L Detection Query
```
rule mfa_fatigue_push_bombing {
  meta:
    author = "df00tech"
    description = "Detects MFA fatigue push bombing: 3+ MFA failures followed by approval for same user within 10 minutes"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1621/"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1621"
    threat_actors = "Scattered Spider, Lapsus$, 0ktapus"
    false_positives = "Legitimate MFA issues; device-switching during auth flow"
    version = "1.0"

  events:
    // MFA challenge that was denied or timed out
    $mfa_fail.metadata.event_type = "USER_LOGIN"
    $mfa_fail.metadata.product_name = "Azure Active Directory"
    $mfa_fail.extensions.auth.auth_details = "multiFactorAuthentication"
    $mfa_fail.security_result.action = "FAIL"
    $mfa_fail.principal.user.email_addresses = $user

    // MFA challenge that was approved, for the same user
    $mfa_success.metadata.event_type = "USER_LOGIN"
    $mfa_success.metadata.product_name = "Azure Active Directory"
    $mfa_success.extensions.auth.auth_details = "multiFactorAuthentication"
    $mfa_success.security_result.action = "ALLOW"
    $mfa_success.principal.user.email_addresses = $user

    // failures must precede the approval
    $mfa_fail.metadata.event_timestamp.seconds <
      $mfa_success.metadata.event_timestamp.seconds

  match:
    $user over 10m

  condition:
    #mfa_fail >= 3 and #mfa_success >= 1
}
```
Chronicle YARA-L 2.0 rule detecting the MFA fatigue success pattern using UDM-normalised Azure AD events. The rule correlates two event variables: $mfa_fail (security_result.action=FAIL with MFA auth detail) and $mfa_success (security_result.action=ALLOW with MFA auth detail) bound to the same user email address. The timestamp constraint ensures failures preceded the approval. The 10-minute match window with condition #mfa_fail >= 3 mirrors the SPL/KQL threshold logic. Requires Azure AD logs ingested into Chronicle with the standard Azure AD Chronicle ingestion parser applied for UDM field mapping. The extensions.auth.auth_details field captures the authentication method from the normalised Azure AD payload.
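To check the correlation logic outside Chronicle (for example against exported sign-in logs before the rule is deployed), here is an added Python reference implementation of the same fail-then-allow pattern; it is not part of the original page or the df00tech rule. The events, user names and timestamps are constructed, the UDM fields are flattened into plain keys, and the 10-minute window is anchored to each approval, which is a slightly stricter reading than Chronicle's bucketed match window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # mirrors "match: $user over 10m"
FAIL_THRESHOLD = 3               # mirrors "#mfa_fail >= 3"
MFA = "multiFactorAuthentication"

# Constructed sample sign-in events, flattened from the UDM fields the rule uses:
#   principal.user.email_addresses -> user, security_result.action -> action,
#   extensions.auth.auth_details -> auth, metadata.event_timestamp -> ts
EVENTS = [
    # alice: three denials in four minutes, then an approval -> should alert
    {"ts": "2024-03-01T03:01:00Z", "user": "alice@example.com", "action": "FAIL", "auth": MFA},
    {"ts": "2024-03-01T03:02:00Z", "user": "alice@example.com", "action": "FAIL", "auth": MFA},
    {"ts": "2024-03-01T03:04:00Z", "user": "alice@example.com", "action": "FAIL", "auth": MFA},
    {"ts": "2024-03-01T03:05:00Z", "user": "alice@example.com", "action": "ALLOW", "auth": MFA},
    {"ts": "2024-03-01T03:06:00Z", "user": "alice@example.com", "action": "FAIL", "auth": MFA},  # after approval: ignored
    # carol: three denials, but the approval comes 18 minutes later -> outside the window
    {"ts": "2024-03-01T10:00:00Z", "user": "carol@example.com", "action": "FAIL", "auth": MFA},
    {"ts": "2024-03-01T10:01:00Z", "user": "carol@example.com", "action": "FAIL", "auth": MFA},
    {"ts": "2024-03-01T10:02:00Z", "user": "carol@example.com", "action": "FAIL", "auth": MFA},
    {"ts": "2024-03-01T10:20:00Z", "user": "carol@example.com", "action": "ALLOW", "auth": MFA},
    # dave: password failures, not MFA -> excluded by the auth_details filter
    {"ts": "2024-03-01T11:00:00Z", "user": "dave@example.com", "action": "FAIL", "auth": "password"},
    {"ts": "2024-03-01T11:00:20Z", "user": "dave@example.com", "action": "FAIL", "auth": "password"},
    {"ts": "2024-03-01T11:00:40Z", "user": "dave@example.com", "action": "FAIL", "auth": "password"},
    {"ts": "2024-03-01T11:01:00Z", "user": "dave@example.com", "action": "ALLOW", "auth": MFA},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect_mfa_fatigue(events, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Return (user, approval_time, fail_count) for each MFA ALLOW preceded, within
    `window`, by >= `threshold` MFA FAIL events for the same user. Anchoring the
    window to the approval is a stricter reading than Chronicle's bucketed match."""
    by_user = defaultdict(list)
    for e in events:
        if e["auth"] == MFA:                      # rule's auth_details constraint
            by_user[e["user"]].append((parse_ts(e["ts"]), e["action"]))
    hits = []
    for user, evs in by_user.items():
        for ts, action in evs:
            if action != "ALLOW":
                continue
            # count only failures that precede this approval (timestamp constraint)
            fails = sum(1 for t, a in evs if a == "FAIL" and ts - window <= t < ts)
            if fails >= threshold:
                hits.append((user, ts, fails))
    return hits
```

Widening `window` shows how much the threshold tuning matters: at 30 minutes carol's session also fires, which is the kind of benign device-switching case listed under False Positives below.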
Data Sources
Required Tables
False Positives & Tuning
- Users who legitimately dismiss several push notifications because their phone is locked or Authenticator is backgrounded, then manually open the app and approve — generating the 3-fail/1-success pattern without any attacker involvement
- Shared service account users where two operators simultaneously receive and interact with MFA prompts from different devices, with one declining and the other approving within the same window
- Conditional Access policy changes or tenant configuration updates mid-session that force MFA re-evaluation, generating repeated FAIL events before the new policy evaluation resolves and allows an ALLOW
Other platforms for THREAT-EntraID-MFAFatigue
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate MFA Push Bombing via Microsoft Authentication Library
Expected signal: Azure AD Sign-in logs record 10 MFA prompts for the target user within a 5-minute window, each showing error code 50076 (MFA required) or 500133 (not completed).
References (5)
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a
- https://www.ncsc.gov.uk/blog-post/scattered-spider-techniques-and-mitigations
- https://www.microsoft.com/en-us/security/blog/2023/05/26/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-number-match
- https://attack.mitre.org/techniques/T1621/