title: Multi-Factor Authentication Interception (T1111)
id: df00tech-t1111
status: experimental
description: "Adversaries may target multi-factor authentication (MFA) mechanisms to intercept authentication factors including smart card PINs, hardware token codes (RSA SecurID), SMS-based one-time passwords, and app-based push notifications. Interception methods include keylogging to capture smart card PINs or TOTP codes, SMS hijacking via SIM swapping or compromised messaging service providers, MFA prompt bombing (fatigue attacks sending repeated push notifications until the user approves), and adversary-in-the-middle (AiTM) phishing frameworks that relay credentials and capture session tokens post-MFA. Nation-state groups including Kimsuky (proprietary OTP interception tool), APT42 (cloned websites capturing MFA tokens), and Chimera (registering adversary phone numbers on compromised accounts) have employed these techniques. Criminal group LAPSUS$ operationalized MFA fatigue at scale against major technology firms, achieving access by sending repeated Authenticator push notifications until users approved out of confusion or frustration."
references:
  - https://attack.mitre.org/techniques/T1111/
  - https://df00tech.com/detections/T1111
author: df00tech
date: 2026/04/18
tags:
  - attack.t1111
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Users with poor mobile connectivity who retry MFA push notifications multiple times due to notification delivery failures — particularly common in low-signal areas or when VPN is in use on the authenticator device
  - "Users who habitually dismiss MFA notifications accidentally before accepting them, especially with Microsoft Authenticator number matching where dismissal is a single tap away from approval"
  - Automated testing frameworks or CI/CD pipelines in non-production tenants that trigger interactive authentication flows repeatedly during integration tests
  - Users traveling across Conditional Access geographic zones triggering multiple re-authentication challenges in rapid succession during transit
  - Help desk password reset workflows where multiple MFA verification rounds occur during account recovery procedures
level: high
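The `selection` placeholder above cannot express the push-fatigue pattern, so here is an added example (not the df00tech query and not part of the rule file) of one defensive heuristic over constructed Entra ID sign-in records: a burst of declined or unanswered push prompts inside a short window, with a successful sign-in right after the burst as the strongest signal. ResultType 500121 and the MFA outcome strings are the standard SignInLogs values; the ten-minute window and threshold of three are assumed tuning values, and the second user models the poor-connectivity false positive listed above.

```python
"""Flag possible MFA prompt bombing (push fatigue) in Entra ID sign-in records.
Added example, not the df00tech rule's query. Assumes the SignInLogs shape in which
ResultType 500121 is "Authentication failed during strong authentication request"
and ResultDescription carries the MFA outcome text."""
from collections import defaultdict
from datetime import datetime, timedelta

DENIED_MARKERS = ("user declined", "did not respond")  # rejected or unanswered push
WINDOW = timedelta(minutes=10)   # assumed tuning value
THRESHOLD = 3                    # assumed tuning value

# Constructed sample records as (time, user, ResultType, ResultDescription); not real
# log data. Alice is bombed and finally approves; Bob declines twice an hour apart
# (the poor-connectivity retry false positive) and must not alert.
SAMPLE_LOGS = [
    ("2026-04-18T08:00:05Z", "alice@example.com", "500121", "MFA denied; user declined the authentication"),
    ("2026-04-18T08:00:40Z", "alice@example.com", "500121", "MFA denied; user did not respond to mobile app notification"),
    ("2026-04-18T08:01:10Z", "alice@example.com", "500121", "MFA denied; user declined the authentication"),
    ("2026-04-18T08:01:55Z", "alice@example.com", "500121", "MFA denied; user declined the authentication"),
    ("2026-04-18T08:02:30Z", "alice@example.com", "0", "Success"),
    ("2026-04-18T09:00:00Z", "bob@example.com", "500121", "MFA denied; user did not respond to mobile app notification"),
    ("2026-04-18T10:00:00Z", "bob@example.com", "500121", "MFA denied; user did not respond to mobile app notification"),
    ("2026-04-18T10:00:30Z", "bob@example.com", "0", "Success"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_fatigue(records, window=WINDOW, threshold=THRESHOLD):
    """Return {user: {"denied": n, "approved_after": bool}} for users whose denied or
    unanswered pushes inside a sliding `window` reach `threshold`; approved_after is
    set when a successful sign-in follows that burst within the same window."""
    by_user = defaultdict(list)
    for time, user, result, desc in records:
        by_user[user].append((_ts(time), result, desc))
    alerts = {}
    for user, events in by_user.items():
        denied = []  # timestamps of denied pushes still inside the window
        for ts, result, desc in sorted(events):
            denied = [t for t in denied if ts - t <= window]
            if result == "500121" and any(m in desc for m in DENIED_MARKERS):
                denied.append(ts)
                if len(denied) >= threshold:
                    a = alerts.setdefault(user, {"denied": 0, "approved_after": False})
                    a["denied"] = max(a["denied"], len(denied))
            elif result == "0" and user in alerts and len(denied) >= threshold:
                alerts[user]["approved_after"] = True  # burst then approval: strongest signal
    return alerts
```

Running `find_mfa_fatigue(SAMPLE_LOGS)` reports only Alice, with four denials and an approval after the burst; Bob's two widely spaced timeouts never reach the threshold.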
