Detect Multi-Factor Authentication Fatigue (MFA Bombing) Attack in IBM QRadar
MFA fatigue (also called MFA bombing or push flooding) is a social engineering technique where an attacker who has obtained valid credentials uses repeated MFA push notifications to wear down the victim into approving an authentication request out of annoyance or confusion. Scattered Spider pioneered this at scale, compromising MGM Resorts, Caesars Entertainment, and numerous UK-based organisations. The attacker sends dozens of Authenticator app push notifications in rapid succession, sometimes at 3am to catch sleeping victims, until one is approved. Some variants include calling the victim while bombing, claiming to be IT support (vishing), and guiding them to approve the 'legitimate' request. NCSC and CISA issued a joint advisory on this technique in 2023. With valid M365 credentials available from password spray or phishing, MFA fatigue is the primary way Scattered Spider bypasses MFA.
MITRE ATT&CK
- Tactic: Credential Access
QRadar Detection Query
SELECT
"username",
COUNT(*) AS TotalMFAEvents,
SUM(CASE WHEN "Azure AD Error Code" IN ('0') THEN 1 ELSE 0 END) AS Approvals,
SUM(CASE WHEN "Azure AD Error Code" IN ('500121') THEN 1 ELSE 0 END) AS Denials,
SUM(CASE WHEN "Azure AD Error Code" IN ('500133') THEN 1 ELSE 0 END) AS NoResponses,
SUM(CASE WHEN "Azure AD Error Code" IN ('50074','50076') THEN 1 ELSE 0 END) AS OtherFailures,
UNIQUECOUNT(sourceip) AS UniqueSourceIPs,
DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstAttempt,
DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LastAttempt,
(SUM(CASE WHEN "Azure AD Error Code" IN ('500121','500133','50074','50076') THEN 1 ELSE 0 END)) AS TotalFailures
FROM events
WHERE
(
LOGSOURCETYPENAME(devicetype) LIKE '%Azure Active Directory%'
OR LOGSOURCETYPENAME(devicetype) LIKE '%Microsoft Azure AD%'
)
AND "Azure AD Authentication Requirement" = 'multiFactorAuthentication'
AND "Azure AD Error Code" IN ('0','50074','50076','500121','500133')
AND starttime > NOW() - 86400000
GROUP BY
"username",
FLOOR(LONG(starttime) / 600000)
HAVING
TotalMFAEvents >= 5
OR (Approvals >= 1 AND TotalFailures >= 3)
ORDER BY TotalMFAEvents DESC
LIMIT 1000

QRadar AQL query targeting the Microsoft Azure Active Directory DSM log source. The log source type is matched with AQL's LOGSOURCETYPENAME(devicetype) function and distinct source addresses are counted with UNIQUECOUNT, both of which AQL supports natively (AQL does not accept a sub-select in an IN clause or COUNT(DISTINCT ...)); LIMIT 1000 caps the result set. The query uses FLOOR division of epoch milliseconds (LONG(starttime) / 600000) to bucket events into 10-minute windows per user without requiring native window functions. The HAVING clause fires on either 5+ total MFA prompts in a window, or 1+ approval alongside 3+ failures in the same window, covering both the high-volume bombing pattern and the definitive fatigue-success pattern. Note that fixed buckets are not sliding windows: a burst that straddles a 10-minute boundary is split across two rows and may fall under the thresholds in each. Field names like 'Azure AD Error Code' and 'Azure AD Authentication Requirement' correspond to custom properties mapped by the Microsoft Azure AD DSM; verify property names in your QRadar deployment under Log Activity > Add Filter.
Data Sources
Required Tables
False Positives & Tuning
- Helpdesk-assisted account recovery sessions where IT staff trigger multiple MFA challenges while walking a user through a password reset or device enrolment procedure
- MDM bulk-enrolment workflows for new device rollouts that generate repeated Conditional Access MFA prompts for the same user across multiple enrolment attempts
- VPN concentrators or application proxies configured for silent re-authentication that retry MFA automatically on transient failures, creating artificial prompt bursts within the detection window
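To make the aggregation above concrete, and to show where the tuning entries in the False Positives list would plug in, here is an added Python re-implementation of the query's bucketing and HAVING logic (this is the editor's example, not the page's query or anything shipped with QRadar). It runs the same 10-minute FLOOR bucketing and the same error-code classification over a constructed set of sign-in events, and adds one assumption of its own: a `suppressed_ips` parameter that drops prompts from addresses such as proxies or VPN concentrators known to retry MFA automatically. The constructed "eve" events also illustrate the bucket-boundary blind spot: five failures split 3/2 across a window edge never reach the threshold.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Outcome codes classified exactly as the page's AQL query does.
APPROVAL_CODES = {"0"}
FAILURE_CODES = {"500121", "500133", "50074", "50076"}
WINDOW_MS = 600_000               # 10-minute bucket: FLOOR(LONG(starttime) / 600000)
MIN_PROMPTS = 5                   # HAVING TotalMFAEvents >= 5
MIN_FAILURES_WITH_APPROVAL = 3    # HAVING Approvals >= 1 AND TotalFailures >= 3


def window_start_ms(epoch_ms):
    """Map an event timestamp to the start of its 10-minute bucket."""
    return (epoch_ms // WINDOW_MS) * WINDOW_MS


def _fmt(epoch_ms):
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def detect_mfa_fatigue(events, suppressed_ips=frozenset()):
    """Replicate the query's WHERE / GROUP BY / HAVING logic in memory.

    events: iterable of (username, epoch_ms, source_ip, auth_requirement, error_code).
    suppressed_ips: tuning knob assumed by this example (not in the page's query) for
    source addresses of systems that retry MFA on their own, e.g. silent re-auth proxies.
    Returns one alert dict per (username, window) meeting the HAVING conditions,
    ordered by total prompts descending, like ORDER BY TotalMFAEvents DESC.
    """
    buckets = defaultdict(lambda: {"total": 0, "approvals": 0, "failures": 0,
                                   "ips": set(), "first": None, "last": None})
    for username, ts, src_ip, requirement, code in events:
        # WHERE clause: MFA prompts only, and only the outcome codes we classify.
        if requirement != "multiFactorAuthentication":
            continue
        if code not in APPROVAL_CODES and code not in FAILURE_CODES:
            continue
        if src_ip in suppressed_ips:          # tuning exclusion (example assumption)
            continue
        b = buckets[(username, window_start_ms(ts))]
        b["total"] += 1
        if code in APPROVAL_CODES:
            b["approvals"] += 1
        else:
            b["failures"] += 1
        b["ips"].add(src_ip)
        b["first"] = ts if b["first"] is None else min(b["first"], ts)
        b["last"] = ts if b["last"] is None else max(b["last"], ts)

    alerts = []
    for (username, win), b in buckets.items():
        if b["total"] >= MIN_PROMPTS or (
            b["approvals"] >= 1 and b["failures"] >= MIN_FAILURES_WITH_APPROVAL
        ):
            alerts.append({
                "username": username,
                "window_start": _fmt(win),
                "total": b["total"],
                "approvals": b["approvals"],
                "failures": b["failures"],
                "unique_ips": len(b["ips"]),
                "first": _fmt(b["first"]),
                "last": _fmt(b["last"]),
            })
    alerts.sort(key=lambda a: a["total"], reverse=True)
    return alerts


# Constructed sample sign-in events (not real telemetry), one tuple per MFA prompt:
# (username, epoch ms, source ip, "Azure AD Authentication Requirement", "Azure AD Error Code")
MFA = "multiFactorAuthentication"
SAMPLE_EVENTS = [
    # alice: six failures from two IPs then an approval -> fires on both conditions
    ("alice", 1700000000000, "203.0.113.7", MFA, "500133"),
    ("alice", 1700000015000, "203.0.113.7", MFA, "500133"),
    ("alice", 1700000030000, "203.0.113.7", MFA, "50076"),
    ("alice", 1700000045000, "203.0.113.9", MFA, "500121"),
    ("alice", 1700000060000, "203.0.113.9", MFA, "500133"),
    ("alice", 1700000075000, "203.0.113.9", MFA, "50074"),
    ("alice", 1700000090000, "203.0.113.9", MFA, "0"),
    # bob: only four prompts, but three failures followed by an approval -> fires
    ("bob", 1700000100000, "198.51.100.5", MFA, "500133"),
    ("bob", 1700000120000, "198.51.100.5", MFA, "500133"),
    ("bob", 1700000140000, "198.51.100.5", MFA, "500133"),
    ("bob", 1700000160000, "198.51.100.5", MFA, "0"),
    # carol: two unanswered prompts -> below both thresholds
    ("carol", 1700000200000, "192.0.2.40", MFA, "500133"),
    ("carol", 1700000210000, "192.0.2.40", MFA, "500133"),
    # dave: six automatic retries from a re-auth proxy -> fires unless the IP is suppressed
    *[("dave", 1700000250000 + i * 10000, "198.51.100.20", MFA, "500133") for i in range(6)],
    # eve: five failures split 3/2 across the 22:20:00 UTC bucket boundary -> no alert
    ("eve", 1700000380000, "203.0.113.50", MFA, "500133"),
    ("eve", 1700000390000, "203.0.113.50", MFA, "500133"),
    ("eve", 1700000399000, "203.0.113.50", MFA, "500133"),
    ("eve", 1700000401000, "203.0.113.50", MFA, "500133"),
    ("eve", 1700000405000, "203.0.113.50", MFA, "500133"),
    # frank: filtered out by the WHERE clause (not MFA / unclassified code)
    ("frank", 1700000300000, "192.0.2.90", "singleFactorAuthentication", "0"),
    ("frank", 1700000310000, "192.0.2.90", MFA, "50058"),
]

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
    print("with proxy suppressed:",
          [a["username"] for a in detect_mfa_fatigue(SAMPLE_EVENTS, {"198.51.100.20"})])
```

Running the block without suppression yields rows for alice, dave and bob (in that order); passing the proxy address as `suppressed_ips` removes dave, which is the in-memory equivalent of adding an `AND sourceip NOT IN (...)` exclusion to the AQL WHERE clause for the re-authentication sources listed above. In production, prefer a reference set over a hard-coded list so the tuning survives query edits.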
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate MFA Push Bombing via Microsoft Authentication Library
Expected signal: Azure AD Sign-in logs record 10 MFA prompts for the target user within a 5-minute window, each showing error code 50076 (MFA required) or 500133 (not completed).
References (5)
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a
- https://www.ncsc.gov.uk/blog-post/scattered-spider-techniques-and-mitigations
- https://www.microsoft.com/en-us/security/blog/2023/05/26/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-number-match
- https://attack.mitre.org/techniques/T1621/