Detect Multi-Factor Authentication Fatigue (MFA Bombing) Attack in Sumo Logic CSE
MFA fatigue (also called MFA bombing or push flooding) is a social engineering technique where an attacker who has obtained valid credentials uses repeated MFA push notifications to wear down the victim into approving an authentication request out of annoyance or confusion. Scattered Spider pioneered this at scale, compromising MGM Resorts, Caesars Entertainment, and numerous UK-based organisations. The attacker sends dozens of Authenticator app push notifications in rapid succession, sometimes at 3am to catch sleeping victims, until one is approved. Some variants include calling the victim while bombing, claiming to be IT support (vishing), and guiding them to approve the 'legitimate' request. NCSC and CISA issued a joint advisory on this technique in 2023. With valid M365 credentials available from password spray or phishing, MFA fatigue is the primary way Scattered Spider bypasses MFA.
MITRE ATT&CK
- Tactic
- Credential Access
Sumo Detection Query
_sourceCategory=azure/signinlogs OR _sourceCategory=azure/aad/signin
| json field=_raw "properties.userPrincipalName" as user
| json field=_raw "properties.authenticationRequirement" as auth_req
| json field=_raw "properties.status.errorCode" as error_code
| json field=_raw "properties.ipAddress" as ip_address
| json field=_raw "properties.location" as location
| json field=_raw "properties.appDisplayName" as app_name
| where auth_req = "multiFactorAuthentication"
| where error_code in ("0", "50074", "50076", "500121", "500133")
| eval mfa_result = if(error_code = "0", "SUCCESS",
if(error_code = "500121", "DENIED",
if(error_code = "500133", "NO_RESPONSE", "PROMPTED")))
| timeslice 10m
| stats
count AS TotalPrompts,
countif(mfa_result = "SUCCESS") AS Approvals,
countif(mfa_result = "DENIED") AS Denials,
countif(mfa_result = "NO_RESPONSE") AS NoResponses,
dcount(ip_address) AS UniqueSourceIPs,
values(location) AS Locations,
values(app_name) AS Applications
by user, _timeslice
| where TotalPrompts >= 5
| eval FatigueSuccess = if(Approvals >= 1 AND (Denials + NoResponses) >= 3, "YES", "NO")
| eval Severity = if(FatigueSuccess = "YES", "CRITICAL", "HIGH")
| eval ThreatType = "MFA_Fatigue_PushBombing"
| eval ThreatActors = "Scattered Spider, Lapsus$, 0ktapus"
| fields user, _timeslice, TotalPrompts, Approvals, Denials, NoResponses, UniqueSourceIPs, FatigueSuccess, Severity, ThreatType, Locations, Applications
| sort by TotalPrompts desc

Sumo Logic query ingesting Azure AD sign-in logs and parsing raw JSON payloads to extract user identity, authentication requirement, MFA outcome error codes, and source IP. Events are bucketed into 10-minute timeslices per user using the timeslice operator. The stats command counts MFA outcome categories. The CRITICAL/HIGH severity split on FatigueSuccess distinguishes confirmed victim capitulation (approval after 3+ failures) from high-volume prompting alone. The values() aggregation on location and app_name provides immediate enrichment context for triage without requiring a secondary lookup.
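To check the query's thresholds against sample sign-in records offline (for example when tuning min_prompts or the failure count before changing the rule), here is an added Python example; it is not part of the original page or of Sumo Logic's tooling. The log lines are constructed, the field names follow the properties.* paths the query parses, and properties.createdDateTime is assumed as the timestamp field.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Entra ID sign-in errorCode -> outcome label, mirroring the query's nested if() chain.
OUTCOME = {"0": "SUCCESS", "500121": "DENIED", "500133": "NO_RESPONSE",
           "50074": "PROMPTED", "50076": "PROMPTED"}
SLICE_SECONDS = 600  # the query's 10-minute timeslice

def _event(created, user, code, ip="203.0.113.5"):
    """Constructed sign-in log line in the shape the query's json operators parse."""
    return json.dumps({"properties": {"createdDateTime": created, "userPrincipalName": user,
                       "authenticationRequirement": "multiFactorAuthentication",
                       "status": {"errorCode": code}, "ipAddress": ip}})

# Constructed sample: six pushes to alice in one slice, approved after three timeouts and a denial.
SAMPLE_LOGS = [
    _event("2024-03-01T03:02:10Z", "alice@example.com", "500133"),
    _event("2024-03-01T03:02:55Z", "alice@example.com", "500133"),
    _event("2024-03-01T03:03:40Z", "alice@example.com", "500121"),
    _event("2024-03-01T03:04:20Z", "alice@example.com", "50076"),
    _event("2024-03-01T03:05:05Z", "alice@example.com", "500133"),
    _event("2024-03-01T03:06:30Z", "alice@example.com", "0"),
    _event("2024-03-01T03:04:00Z", "bob@example.com", "0"),  # routine success, must not alert
]

def detect_mfa_fatigue(lines, min_prompts=5, min_failures=3):
    """Replays the query offline: bucket MFA events by (user, 10m slice), keep buckets with
    >= min_prompts, grade CRITICAL when an approval sits beside >= min_failures failures."""
    counts, ips = defaultdict(Counter), defaultdict(set)
    for line in lines:
        p = json.loads(line)["properties"]
        code = str(p["status"]["errorCode"])
        if p.get("authenticationRequirement") != "multiFactorAuthentication" or code not in OUTCOME:
            continue
        ts = datetime.fromisoformat(p["createdDateTime"].replace("Z", "+00:00")).timestamp()
        key = (p["userPrincipalName"], int(ts // SLICE_SECONDS) * SLICE_SECONDS)
        counts[key][OUTCOME[code]] += 1
        ips[key].add(p["ipAddress"])
    findings = []
    for key, c in counts.items():
        total = sum(c.values())
        if total < min_prompts:
            continue
        fatigue = c["SUCCESS"] >= 1 and c["DENIED"] + c["NO_RESPONSE"] >= min_failures
        findings.append({"user": key[0], "slice_start": key[1], "TotalPrompts": total,
                         "Approvals": c["SUCCESS"], "Denials": c["DENIED"], "NoResponses": c["NO_RESPONSE"],
                         "UniqueSourceIPs": len(ips[key]), "FatigueSuccess": "YES" if fatigue else "NO",
                         "Severity": "CRITICAL" if fatigue else "HIGH"})
    return sorted(findings, key=lambda f: f["TotalPrompts"], reverse=True)
```

Running detect_mfa_fatigue(SAMPLE_LOGS) returns one CRITICAL finding for alice (6 prompts, 1 approval, 1 denial, 3 no-responses); dropping the final approval leaves the same bucket at HIGH, which is the prompt-volume-only case the query grades lower.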
Data Sources
Required Tables
False Positives & Tuning
- Users with persistent MFA app synchronisation problems (clock skew on hardware tokens or soft tokens) who generate repeated failures before escalating to IT and resolving the configuration issue
- Third-party federated SSO integrations that silently re-authenticate against Azure AD during token refresh cycles, triggering MFA Conditional Access policies and accumulating timeout events without user awareness
- Bulk licence assignment or tenant migration scripts that programmatically trigger authentication flows for many accounts, some of which may have MFA configured inconsistently
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate MFA Push Bombing via Microsoft Authentication Library
Expected signal: Azure AD Sign-in logs record 10 MFA prompts for the target user within a 5-minute window, each showing error code 50076 (MFA required) or 500133 (not completed).
References (5)
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a
- https://www.ncsc.gov.uk/blog-post/scattered-spider-techniques-and-mitigations
- https://www.microsoft.com/en-us/security/blog/2023/05/26/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-number-match
- https://attack.mitre.org/techniques/T1621/