THREAT-EntraID-MFAFatigue Splunk · SPL

Detect Multi-Factor Authentication Fatigue (MFA Bombing) Attack in Splunk

MFA fatigue (also called MFA bombing or push flooding) is a social engineering technique where an attacker who has obtained valid credentials uses repeated MFA push notifications to wear down the victim into approving an authentication request out of annoyance or confusion. Scattered Spider pioneered this at scale, compromising MGM Resorts, Caesars Entertainment, and numerous UK-based organisations. The attacker sends dozens of Authenticator app push notifications in rapid succession, sometimes at 3am to catch sleeping victims, until one is approved. Some variants include calling the victim while bombing, claiming to be IT support (vishing), and guiding them to approve the 'legitimate' request. NCSC and CISA issued a joint advisory on this technique in 2023. With valid M365 credentials available from password spray or phishing, MFA fatigue is the primary way Scattered Spider bypasses MFA.

MITRE ATT&CK

Tactic
Credential Access

SPL Detection Query

Splunk (SPL)

index=azure sourcetype="azure:aad:signin"
properties.authentication_requirement="multiFactorAuthentication"
properties.status.error_code IN (0, 50074, 50076, 500121, 500133)
| eval user='properties.user_principal_name'
| eval mfa_result=case(
    'properties.status.error_code'=0, "SUCCESS",
    'properties.status.error_code'=500121, "DENIED",
    'properties.status.error_code'=500133, "NO_RESPONSE",
    true(), "PROMPTED"
  )
| bin _time span=10m
| stats
    count AS TotalPrompts,
    sum(eval(if(mfa_result="SUCCESS",1,0))) AS Approvals,
    sum(eval(if(mfa_result="DENIED",1,0))) AS Denials,
    sum(eval(if(mfa_result="NO_RESPONSE",1,0))) AS NoResponses,
    dc(properties.ip_address) AS UniqueSourceIPs
  BY user, _time
| where TotalPrompts >= 5
| eval FatigueSuccess=if(Approvals >= 1 AND (Denials + NoResponses) >= 3, "YES", "NO")
| eval Severity=if(FatigueSuccess="YES", "CRITICAL", "HIGH")
| eval ThreatType="MFA_Fatigue_PushBombing"
| eval ThreatActors="Scattered Spider, Lapsus$, 0ktapus"
| sort - TotalPrompts
Severity: High
Confidence: High

SPL MFA fatigue detection: aggregates MFA prompt events by user in 10-minute bins, flags users with 5 or more prompts, and escalates to Critical when an approval occurs alongside three or more denials or non-responses in the same bin (fatigue compromise confirmed). Note that dotted field names such as properties.status.error_code must be wrapped in single quotes inside eval, otherwise eval treats the dot as the string-concatenation operator and the comparisons silently never match.
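To make the aggregation logic concrete, here is an added Python re-implementation of the same 10-minute-bin detection run over constructed sign-in events; it is example code written for this page, not part of the Splunk query or any vendor package. The event shape, the example users and the IP addresses are assumptions.

```python
from collections import Counter, defaultdict

# Error code -> MFA outcome, the same mapping the SPL `case()` above uses.
MFA_RESULT = {0: "SUCCESS", 500121: "DENIED", 500133: "NO_RESPONSE"}
MFA_CODES = {0, 50074, 50076, 500121, 500133}  # codes the search keeps
BIN_SECONDS = 600                               # `bin _time span=10m`

def detect_mfa_fatigue(events, min_prompts=5, min_rejections=3):
    """Group MFA sign-in events per (user, 10-minute bin) and flag push bombing.
    Each event is {"_time": epoch_seconds, "properties": {...azure:aad:signin fields...}}."""
    counts = defaultdict(Counter)   # (user, bin_start) -> outcome counts
    ips = defaultdict(set)          # (user, bin_start) -> distinct source IPs
    for e in events:
        p = e["properties"]
        code = p["status"]["error_code"]
        if p.get("authentication_requirement") != "multiFactorAuthentication" or code not in MFA_CODES:
            continue
        key = (p["user_principal_name"], e["_time"] // BIN_SECONDS * BIN_SECONDS)
        counts[key][MFA_RESULT.get(code, "PROMPTED")] += 1  # 50074/50076 -> PROMPTED
        ips[key].add(p.get("ip_address"))
    findings = []
    for key, c in counts.items():
        total = sum(c.values())
        if total < min_prompts:          # `where TotalPrompts >= 5`
            continue
        # An approval after repeated denials/timeouts means the victim gave in: CRITICAL.
        fatigue = c["SUCCESS"] >= 1 and c["DENIED"] + c["NO_RESPONSE"] >= min_rejections
        findings.append({"user": key[0], "bin_start": key[1], "TotalPrompts": total,
                         "Approvals": c["SUCCESS"], "Denials": c["DENIED"],
                         "NoResponses": c["NO_RESPONSE"], "UniqueSourceIPs": len(ips[key]),
                         "FatigueSuccess": "YES" if fatigue else "NO",
                         "Severity": "CRITICAL" if fatigue else "HIGH"})
    return sorted(findings, key=lambda f: -f["TotalPrompts"])  # `sort - TotalPrompts`

def _ev(user, t, code, ip="203.0.113.10"):
    """Constructed azure:aad:signin-shaped event (sample data, not real telemetry)."""
    return {"_time": t, "properties": {"user_principal_name": user, "ip_address": ip,
            "authentication_requirement": "multiFactorAuthentication",
            "status": {"error_code": code}}}

T0 = 1700000400  # a 10-minute bin boundary (divisible by 600)
# Constructed sample: alice gets 6 pushes in 3 minutes, ignores 2, denies 2, then approves;
# carol gets 5 pushes from 5 IPs and never approves; bob has two routine prompts.
SAMPLE_EVENTS = (
    [_ev("alice@example.com", T0 + 30 * i, c) for i, c in enumerate([50076, 500133, 500133, 500121, 500121, 0])]
    + [_ev("carol@example.com", T0 + 20 * i, 50076, ip="198.51.100.%d" % (i + 1)) for i in range(5)]
    + [_ev("bob@example.com", T0 + 60, 50074), _ev("bob@example.com", T0 + 90, 0)]
)
```

Running detect_mfa_fatigue(SAMPLE_EVENTS) returns alice as CRITICAL (approval after four rejections), carol as HIGH (bombed but never approved), and nothing for bob, which is the same triage the SPL produces.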

Data Sources

Azure AD Sign-In Logs via Splunk Add-on for Microsoft Cloud Services

Required Sourcetypes

azure:aad:signin

False Positives & Tuning

  • Users with slow mobile network causing delayed MFA delivery and re-sends
  • Help desk-initiated password reset flows that trigger MFA multiple times
  • Conditional Access policies with conflicting requirements causing MFA loops
Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate MFA Push Bombing via Microsoft Authentication Library

    Expected signal: Azure AD Sign-in logs record 10 MFA prompts for the target user within a 5-minute window, each showing error code 50076 (MFA required) or 500133 (not completed).
