LoFP

Based on the high-frequency threshold, it would be unlikely for a legitimate user to exceed the threshold for failed TOTP code attempts in a short time span.

Techniques

Sample rules

Azure Entra MFA TOTP Brute Force Attempts

Description

Identifies brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password (TOTP) verification codes. This rule detects a high frequency of failed TOTP code attempts for a single user in a short time span. Adversaries with valid credentials, when attempting to log in to the Azure portal or other Azure services, may be prompted to provide a TOTP code as part of the MFA process. If successful, adversaries can bypass MFA and gain unauthorized access to Azure resources.

Detection logic

from logs-azure.signinlogs* metadata _id, _version, _index
| where
    // filter for Entra Sign-In Logs
    event.dataset == "azure.signinlogs"
    and azure.signinlogs.operation_name == "Sign-in activity"

    // filter for MFA attempts with OATH conditional access attempts or TOTP
    and azure.signinlogs.properties.authentication_requirement == "multiFactorAuthentication"
    and azure.signinlogs.properties.mfa_detail.auth_method == "OATH verification code"

    // filter on failures only from brute-force attempts
    and azure.signinlogs.properties.conditional_access_status == "failure"
    and azure.signinlogs.result_description == "Authentication failed during strong authentication request."
| keep azure.signinlogs.properties.sign_in_identifier
| stats
    // aggregate by the sign-in account or principal
    failed_totp_code_attempts = count(*) by azure.signinlogs.properties.sign_in_identifier
| where
    // filter on high frequency for a single user
    failed_totp_code_attempts > 30
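To check the rule's filter and threshold offline, here is an added Python re-implementation of the ES|QL pipeline above, run over constructed sample sign-in events; it is not part of this page or of the rule itself, and the nested event layout, the example identifiers and the `make_event` helper are assumptions.

```python
from collections import Counter

THRESHOLD = 30  # the rule's `failed_totp_code_attempts > 30`
FAIL_TEXT = "Authentication failed during strong authentication request."

def is_failed_totp_mfa(ev: dict) -> bool:
    """Mirror of the rule's `where` clause: a failed OATH-code MFA step on an Entra sign-in."""
    sl = ev.get("azure", {}).get("signinlogs", {})
    props = sl.get("properties", {})
    return (
        ev.get("event", {}).get("dataset") == "azure.signinlogs"
        and sl.get("operation_name") == "Sign-in activity"
        and props.get("authentication_requirement") == "multiFactorAuthentication"
        and props.get("mfa_detail", {}).get("auth_method") == "OATH verification code"
        and props.get("conditional_access_status") == "failure"
        and sl.get("result_description") == FAIL_TEXT
    )

def failed_totp_counts(events) -> Counter:
    """Mirror of `stats failed_totp_code_attempts = count(*) by sign_in_identifier`."""
    return Counter(ev["azure"]["signinlogs"]["properties"].get("sign_in_identifier")
                   for ev in events if is_failed_totp_mfa(ev))

def alerting_identifiers(events, threshold: int = THRESHOLD) -> dict:
    """Mirror of the final `where`: identifiers whose failed-TOTP count exceeds the threshold."""
    return {ident: n for ident, n in failed_totp_counts(events).items() if n > threshold}

def make_event(identifier: str, status: str = "failure",
               method: str = "OATH verification code") -> dict:
    # Constructed sample event (assumed layout) carrying only the fields the rule queries.
    return {
        "event": {"dataset": "azure.signinlogs"},
        "azure": {"signinlogs": {
            "operation_name": "Sign-in activity",
            "result_description": FAIL_TEXT if status == "failure" else "",
            "properties": {
                "sign_in_identifier": identifier,
                "authentication_requirement": "multiFactorAuthentication",
                "mfa_detail": {"auth_method": method},
                "conditional_access_status": status,
            },
        }},
    }

# Constructed sample: 35 wrong codes for one identifier, a few typos then success for another,
# and push-notification failures that the OATH filter must ignore.
SAMPLE_EVENTS = (
    [make_event("user-a@example.invalid") for _ in range(35)]
    + [make_event("user-b@example.invalid") for _ in range(4)]
    + [make_event("user-b@example.invalid", status="success")]
    + [make_event("user-c@example.invalid", method="Mobile app notification") for _ in range(40)]
)
```

Lowering `threshold` in `alerting_identifiers` shows how quickly a user who mistypes a few codes would start to alert, which is the trade-off the false-positive note above is about.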