THREAT-EntraID-MFAFatigue CrowdStrike LogScale · LogScale

Detect Multi-Factor Authentication Fatigue (MFA Bombing) Attack in CrowdStrike LogScale

MFA fatigue (also called MFA bombing or push flooding) is a social engineering technique in which an attacker who already holds valid credentials triggers repeated MFA push notifications until the victim approves one out of annoyance, confusion or a wish to make the prompts stop. Scattered Spider used it at scale in its 2023 intrusions, which included the compromises of MGM Resorts, Caesars Entertainment and numerous UK-based organisations. The attacker sends dozens of Authenticator app push notifications in rapid succession, sometimes at 3am to catch a sleeping victim, until one is approved. Some variants combine the bombing with a phone call in which the attacker poses as IT support (vishing) and talks the victim through approving the 'legitimate' request. NCSC and CISA issued a joint advisory on this technique in 2023. With valid M365 credentials obtained by password spray or phishing, MFA fatigue is one of the main ways Scattered Spider bypasses MFA. Number matching in Microsoft Authenticator and phishing-resistant factors (FIDO2) are the standard mitigations, although a vishing variant can still talk a victim through a number match.

MITRE ATT&CK

Tactic
Credential Access

Technique
T1621 Multi-Factor Authentication Request Generation

LogScale Detection Query

CrowdStrike LogScale (LogScale)
// MFA Fatigue / Push Bombing — CrowdStrike LogScale
// Requires: Falcon Identity Protection OR Azure AD events via CrowdStrike SIEM Connector
// Event source: AADSignInEvent (Falcon Identity) or AzureADAuthentication (SIEM Connector)
// Verify the error_code mapping below against your tenant's sign-in logs before relying
// on the Denials/NoResponses split; field names differ between the two ingest paths.

#event_simpleName = AADSignInEvent
| authentication_requirement = "multiFactorAuthentication"
| in(field=error_code, values=["0", "50074", "50076", "500121", "500133"])
// Classify each prompt outcome (LogScale case{} syntax; * is the catch-all)
| case {
    error_code = "0"      | mfa_result := "SUCCESS";
    error_code = "500121" | mfa_result := "DENIED";
    error_code = "500133" | mfa_result := "NO_RESPONSE";
    *                     | mfa_result := "PROMPTED"
  }
// LogScale has no countIf(); flag each outcome per event and sum the flags per window
| isApproval   := if(mfa_result == "SUCCESS",     then=1, else=0)
| isDenial     := if(mfa_result == "DENIED",      then=1, else=0)
| isNoResponse := if(mfa_result == "NO_RESPONSE", then=1, else=0)
// bucket() groups on @timestamp in fixed 10-minute windows, split per user
| bucket(span=10m, field=user_principal_name, function=[
      count(as=TotalPrompts),
      sum(isApproval,   as=Approvals),
      sum(isDenial,     as=Denials),
      sum(isNoResponse, as=NoResponses),
      collect([source_ip], limit=20),
      collect([app_display_name], limit=10)
    ])
| TotalPrompts >= 5
| Failures := Denials + NoResponses
// Approval in the same window as 3+ declines/timeouts = the fatigue-success pattern
| FatigueSuccess := if(Approvals >= 1, then=if(Failures >= 3, then="YES", else="NO"), else="NO")
| Severity := if(FatigueSuccess == "YES", then="CRITICAL", else="HIGH")
| ThreatType := "MFA_Fatigue_PushBombing"
| ThreatActors := "Scattered Spider, Lapsus$"
| sort(TotalPrompts, order=desc)

Severity: critical. Confidence: medium.

CrowdStrike LogScale CQL query detecting MFA fatigue from Azure AD telemetry ingested into Falcon. It uses the AADSignInEvent event type produced by Falcon Identity Protection's Azure AD integration. Events are grouped into 10-minute windows per user, and the per-outcome counts (approvals, denials, no-responses, plain prompts) are aggregated for each window. The FatigueSuccess=YES condition (at least one approval in a window that also holds three or more denials or timeouts) maps directly to the fatigue-success condition in the SPL/KQL versions of this detection. collect() on source_ip (up to 20 values) surfaces the attacker IPs for immediate IOC extraction. Three caveats before deploying: (1) the windows are fixed 10-minute buckets, so a burst that straddles a boundary is split across two rows and can fall under the TotalPrompts >= 5 threshold in both; lower the threshold or widen the span if you see this in testing. (2) In Entra ID sign-in logs, error 500121 ("Authentication failed during strong authentication request") is recorded both when the user declines the push and when it times out, with the distinction carried in the authentication details rather than the error code, so confirm the DENIED versus NO_RESPONSE mapping against your own data before trusting the NoResponses column. (3) If you ingest via the CrowdStrike SIEM Connector rather than Falcon Identity Protection, change the #event_simpleName filter to your ingest event type and verify the field names (user_principal_name, error_code, source_ip, app_display_name) against your repository schema.
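The windowing and scoring logic above, run over a handful of constructed Entra ID sign-in events so the thresholds can be exercised offline. This is an added example written for this page, not code from CrowdStrike or from the detection package; the field names, the error-code mapping and the sample events (users at example.com, IPs from the 203.0.113.0/24 documentation range) are assumptions taken from the query. It also shows the bucket-boundary caveat: one user's six prompts straddle a 10-minute boundary and are never surfaced.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Outcome mapping copied from the page's query; verify it against your tenant.
OUTCOME = {"0": "SUCCESS", "500121": "DENIED", "500133": "NO_RESPONSE"}
IN_SCOPE = {"0", "50074", "50076", "500121", "500133"}
BUCKET_SECONDS = 600  # bucket(span=10m)


def classify(error_code):
    """Equivalent of the case{} block: anything in scope but unmapped is PROMPTED."""
    return OUTCOME.get(error_code, "PROMPTED")


def bucket_start(ts):
    """Floor an ISO-8601 UTC timestamp to its fixed 10-minute window (epoch seconds)."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - (epoch % BUCKET_SECONDS)


def detect(events, min_prompts=5, min_failures=3):
    """Return one row per (user, window) with TotalPrompts >= min_prompts, sorted desc."""
    windows = defaultdict(lambda: {"TotalPrompts": 0, "Approvals": 0, "Denials": 0,
                                   "NoResponses": 0, "SourceIPs": set(), "Applications": set()})
    for e in events:
        if e.get("authentication_requirement") != "multiFactorAuthentication":
            continue
        if e["error_code"] not in IN_SCOPE:
            continue
        w = windows[(e["user_principal_name"], bucket_start(e["@timestamp"]))]
        w["TotalPrompts"] += 1
        result = classify(e["error_code"])
        if result == "SUCCESS":
            w["Approvals"] += 1
        elif result == "DENIED":
            w["Denials"] += 1
        elif result == "NO_RESPONSE":
            w["NoResponses"] += 1
        w["SourceIPs"].add(e["source_ip"])          # collect([source_ip])
        w["Applications"].add(e["app_display_name"])  # collect([app_display_name])

    rows = []
    for (upn, start), w in windows.items():
        if w["TotalPrompts"] < min_prompts:
            continue
        fatigue = w["Approvals"] >= 1 and (w["Denials"] + w["NoResponses"]) >= min_failures
        rows.append({
            "user_principal_name": upn,
            "bucket_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
            **{k: (sorted(v) if isinstance(v, set) else v) for k, v in w.items()},
            "FatigueSuccess": "YES" if fatigue else "NO",
            "Severity": "CRITICAL" if fatigue else "HIGH",
        })
    rows.sort(key=lambda r: r["TotalPrompts"], reverse=True)
    return rows


def _ev(ts, upn, code, ip, app="Office 365"):
    return {"@timestamp": ts, "user_principal_name": upn, "error_code": code,
            "source_ip": ip, "app_display_name": app,
            "authentication_requirement": "multiFactorAuthentication"}


def sample_events():
    """Constructed sign-in events: a 3am push-bombing run, a noisy traveller, and a split burst."""
    attacker = "203.0.113.7"
    return [
        # alice: 3 declines, 2 timeouts, 1 plain prompt, then an approval -> fatigue success
        _ev("2024-03-02T03:00:15Z", "alice@example.com", "500121", attacker),
        _ev("2024-03-02T03:01:02Z", "alice@example.com", "500121", attacker),
        _ev("2024-03-02T03:01:50Z", "alice@example.com", "500133", attacker),
        _ev("2024-03-02T03:02:40Z", "alice@example.com", "500121", attacker),
        _ev("2024-03-02T03:03:30Z", "alice@example.com", "500133", attacker),
        _ev("2024-03-02T03:04:20Z", "alice@example.com", "50076", attacker),
        _ev("2024-03-02T03:05:55Z", "alice@example.com", "0", attacker),
        # bob: two ordinary prompts, below the threshold
        _ev("2024-03-02T03:02:00Z", "bob@example.com", "50076", "203.0.113.20"),
        _ev("2024-03-02T03:03:00Z", "bob@example.com", "0", "203.0.113.20"),
        # carol: six location-triggered prompts from several IPs, no failures -> HIGH, not CRITICAL
        *[_ev(f"2024-03-02T03:2{i}:00Z", "carol@example.com", "50076", f"203.0.113.{30 + i}")
          for i in range(6)],
        # dave: six prompts split 3/3 across the 03:00 and 03:10 windows -> never reaches 5
        _ev("2024-03-02T03:08:00Z", "dave@example.com", "500121", attacker),
        _ev("2024-03-02T03:08:30Z", "dave@example.com", "500121", attacker),
        _ev("2024-03-02T03:09:40Z", "dave@example.com", "500133", attacker),
        _ev("2024-03-02T03:10:05Z", "dave@example.com", "500121", attacker),
        _ev("2024-03-02T03:10:50Z", "dave@example.com", "500133", attacker),
        _ev("2024-03-02T03:11:30Z", "dave@example.com", "0", attacker),
    ]


if __name__ == "__main__":
    for row in detect(sample_events()):
        print(row)
```

The dave case is the one to take to tuning: his six prompts, including an approval after four failures, are a textbook fatigue success, but fixed 10-minute buckets see two windows of three. Lowering min_prompts, widening the span, or switching to a sliding window keyed on the first prompt all close that gap at the cost of more rows from the carol pattern.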

Data Sources

  • CrowdStrike Falcon Identity Protection — Azure AD identity event telemetry
  • Azure AD Sign-in Logs via CrowdStrike SIEM Connector to LogScale

Required Tables

  • Falcon Identity Protection repository (LogScale)
  • Azure AD ingest repository (LogScale — if using SIEM Connector)

False Positives & Tuning

  • IT administrators running automated user provisioning or licence assignment workflows that generate MFA challenges for newly created accounts before MFA registration is complete; exclude the service accounts and the provisioning source IPs rather than the target users
  • Global executives or frequent travellers authenticating from multiple countries within short periods, triggering Conditional Access location-based MFA on each new geography and accumulating prompt events; these windows show several source IPs and no denials, unlike a bombing run from one address
  • Users whose Microsoft Authenticator app is killed by iOS or Android battery optimisation, generating repeated NO_RESPONSE timeout events before a manual app relaunch allows the push notification to be actioned; a window of timeouts followed by an approval from the user's usual IP and device is the tell
Testing Methodology

Validate this detection against one adversary technique from Atomic Red Team. The test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate MFA Push Bombing via Microsoft Authentication Library

    Expected signal: Azure AD sign-in logs record 10 MFA prompts for the target user within a 5-minute window, each showing error code 50076 (MFA required) or 500133 (not completed). Against the query above this produces one row with TotalPrompts = 10 and FatigueSuccess = NO (Severity HIGH); have the test user approve the final prompt to exercise the FatigueSuccess = YES path as well.
