THREAT-EntraID-MFAFatigue Elastic Security · Elastic

Detect Multi-Factor Authentication Fatigue (MFA Bombing) Attack in Elastic Security

MFA fatigue (also called MFA bombing or push flooding) is a social engineering technique where an attacker who has obtained valid credentials uses repeated MFA push notifications to wear down the victim into approving an authentication request out of annoyance or confusion. Scattered Spider pioneered this at scale, compromising MGM Resorts, Caesars Entertainment, and numerous UK-based organisations. The attacker sends dozens of Authenticator app push notifications in rapid succession, sometimes at 3am to catch sleeping victims, until one is approved. Some variants include calling the victim while bombing, claiming to be IT support (vishing), and guiding them to approve the 'legitimate' request. NCSC and CISA issued a joint advisory on this technique in 2023. With valid M365 credentials available from password spray or phishing, MFA fatigue is the primary way Scattered Spider bypasses MFA.

MITRE ATT&CK

Tactic
Credential Access

Elastic Detection Query

Platform: Elastic Security
Query language: EQL
// MFA Fatigue — Push Bombing Fatigue-Success Sequence
// Detects 3+ MFA failures/timeouts followed by approval for same user within 10m
sequence by azure.signinlogs.properties.user_principal_name with maxspan=10m
  [any where event.dataset == "azure.signinlogs"
   and azure.signinlogs.properties.authentication_requirement == "multiFactorAuthentication"
   and azure.signinlogs.properties.status.error_code in (500133, 500121, 50074, 50076)]
  [any where event.dataset == "azure.signinlogs"
   and azure.signinlogs.properties.authentication_requirement == "multiFactorAuthentication"
   and azure.signinlogs.properties.status.error_code in (500133, 500121, 50074, 50076)]
  [any where event.dataset == "azure.signinlogs"
   and azure.signinlogs.properties.authentication_requirement == "multiFactorAuthentication"
   and azure.signinlogs.properties.status.error_code in (500133, 500121, 50074, 50076)]
  [any where event.dataset == "azure.signinlogs"
   and azure.signinlogs.properties.authentication_requirement == "multiFactorAuthentication"
   and azure.signinlogs.properties.status.error_code == 0]
Severity: critical · Confidence: high

This EQL sequence rule detects the MFA fatigue success pattern: three or more MFA failures or timeouts (error codes 500133=no response, 500121=auth failed strong auth, 50074/50076=MFA required but not completed) followed by a successful MFA approval (error code 0) for the same user within a 10-minute window. Every stage is keyed on the same user principal name and restricted to sign-ins whose authentication requirement is multi-factor, so password failures and single-factor sign-ins never count toward the sequence. This sequence is the definitive indicator of push bombing where the victim eventually capitulates. Deploy as a Kibana Security EQL rule. For high-volume alerting (5+ prompts regardless of outcome), supplement with a separate ES|QL aggregation rule targeting the same dataset and field path.
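As an added worked example (not part of this detection page and not Elastic's code), the following Python re-implements the rule's logic over constructed sign-in events so the per-user 10-minute window and the failure-code filter can be checked offline; it also implements the count-based supplement mentioned above (5+ prompts regardless of outcome). The field meanings follow the Elastic Azure integration paths quoted in the query; the SignIn class, the helper names and every sample event are assumptions made for this example, not real telemetry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Error codes taken from the rule above: MFA prompt failed, timed out or not completed.
MFA_FAILURE_CODES = {500133, 500121, 50074, 50076}
MFA_SUCCESS_CODE = 0
MAXSPAN = timedelta(minutes=10)   # the sequence's "with maxspan=10m"
MIN_FAILURES = 3                  # three failure stages precede the success stage
VOLUME_THRESHOLD = 5              # "5+ prompts regardless of outcome" supplement


@dataclass(frozen=True)
class SignIn:
    """One flattened sign-in event (hypothetical shape used only for this example)."""
    ts: datetime
    user: str                      # azure.signinlogs.properties.user_principal_name
    error_code: int                # azure.signinlogs.properties.status.error_code
    auth_req: str = "multiFactorAuthentication"  # ...properties.authentication_requirement
    dataset: str = "azure.signinlogs"            # event.dataset


def _t(minute: float) -> datetime:
    """Constructed timestamp: minutes after an arbitrary 03:00 UTC base."""
    return datetime(2024, 5, 1, 3, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)


# Constructed sample telemetry (not real sign-in logs).
SAMPLE_EVENTS = [
    # alice: three push timeouts, then an approval four minutes later -> alert
    SignIn(_t(1), "alice@example.com", 500133),
    SignIn(_t(2), "alice@example.com", 500133),
    SignIn(_t(3), "alice@example.com", 50076),
    SignIn(_t(7), "alice@example.com", MFA_SUCCESS_CODE),
    # bob: three failures, but the approval lands outside the 10-minute span -> no alert
    SignIn(_t(0), "bob@example.com", 500121),
    SignIn(_t(1), "bob@example.com", 500121),
    SignIn(_t(2), "bob@example.com", 500121),
    SignIn(_t(14), "bob@example.com", MFA_SUCCESS_CODE),
    # carol: only two MFA failures before success (app crash, retried) -> no alert
    SignIn(_t(5), "carol@example.com", 50074),
    SignIn(_t(6), "carol@example.com", 50074),
    SignIn(_t(8), "carol@example.com", MFA_SUCCESS_CODE),
    # dave: password failures are not MFA prompts and must not count toward the sequence
    SignIn(_t(1), "dave@example.com", 50126, auth_req="singleFactorAuthentication"),
    SignIn(_t(2), "dave@example.com", 50126, auth_req="singleFactorAuthentication"),
    SignIn(_t(3), "dave@example.com", 50126, auth_req="singleFactorAuthentication"),
    SignIn(_t(4), "dave@example.com", MFA_SUCCESS_CODE),
    # erin: six prompts in six minutes, none approved -> volume rule only
    *[SignIn(_t(20 + i), "erin@example.com", 500133) for i in range(6)],
]


def _is_mfa_prompt(e: SignIn) -> bool:
    """The filter shared by every stage of the sequence."""
    return e.dataset == "azure.signinlogs" and e.auth_req == "multiFactorAuthentication"


def _prompts_by_user(events):
    """Group MFA prompts per user principal name, oldest first (the sequence's 'by' key)."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        if _is_mfa_prompt(e):
            by_user.setdefault(e.user, []).append(e)
    return by_user


def fatigue_sequences(events, maxspan=MAXSPAN, min_failures=MIN_FAILURES):
    """Approximate the EQL sequence: for every MFA approval, require at least
    `min_failures` MFA failures by the same user inside the preceding `maxspan`.
    Returns one alert per qualifying approval. The EQL engine's exact handling of
    overlapping candidate sequences is not reproduced here."""
    alerts = []
    for user, evs in _prompts_by_user(events).items():
        for approval in evs:
            if approval.error_code != MFA_SUCCESS_CODE:
                continue
            failures = [f for f in evs
                        if f.error_code in MFA_FAILURE_CODES
                        and approval.ts - maxspan <= f.ts < approval.ts]
            if len(failures) >= min_failures:
                alerts.append({"user": user, "approved_at": approval.ts,
                               "failures": len(failures),
                               "first_failure": failures[0].ts})
    return alerts


def high_volume_prompts(events, window=MAXSPAN, threshold=VOLUME_THRESHOLD):
    """Sliding-window count of MFA prompts per user regardless of outcome (the
    supplementary aggregation rule). Returns {user: peak prompts in one window}
    for users at or above `threshold`."""
    hits = {}
    for user, evs in _prompts_by_user(events).items():
        stamps = [e.ts for e in evs]
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[user] = peak
    return hits


if __name__ == "__main__":
    for a in fatigue_sequences(SAMPLE_EVENTS):
        print(f"FATIGUE  {a['user']}: {a['failures']} failures since "
              f"{a['first_failure']:%H:%M}, approved {a['approved_at']:%H:%M}")
    for user, n in high_volume_prompts(SAMPLE_EVENTS).items():
        print(f"VOLUME   {user}: {n} MFA prompts within {MAXSPAN}")
```

Running the script alerts on alice only (three failures then approval inside the span), while bob's late approval, carol's two retries and dave's password failures all fall through; erin's six unanswered prompts surface only through the volume count, which is exactly the gap the supplementary aggregation rule is meant to cover.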

Data Sources

  • Azure Active Directory Sign-in Logs via Elastic Azure integration (azure module)
  • Entra ID Sign-in Logs forwarded via Azure Event Hub + Elastic Agent

Required Tables

  • logs-azure.signinlogs-*
  • azure-logs-*

False Positives & Tuning

  • Legitimate users experiencing genuine MFA app issues (TOTP clock drift, Authenticator app crash) who retry several times before successfully completing MFA after resolving the issue themselves
  • Automated CI/CD service principals or headless integration accounts with misconfigured MFA policies that accumulate timeout events before a manual intervention allows the workflow to proceed
  • Users who switch devices mid-authentication (e.g. start on laptop, switch to phone) causing multiple NO_RESPONSE timeout events before successfully approving on the second device

Testing Methodology

Validate this detection against one adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate MFA Push Bombing via Microsoft Authentication Library

    Expected signal: Azure AD Sign-in logs record 10 MFA prompts for the target user within a 5-minute window, each showing error code 50076 (MFA required) or 500133 (not completed).
