Sample rules
Okta Multiple Failed MFA Requests For User
- source: splunk
- techniques:
  - T1621
Description
The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Okta tenant. It triggers when more than 10 MFA attempts fail within 5 minutes, using Okta event logs to detect this pattern. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests, a technique used by threat actors like Lapsus and APT29. If confirmed malicious, this could lead to unauthorized access, potentially compromising sensitive information and systems.
Detection logic
`okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE debugContext.debugData.factor!=PASSWORD_AS_FACTOR
| bucket _time span=5m
| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip) as src_ip values(debugContext.debugData.factor) by _time src_user
| where count >= 10
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_multiple_failed_mfa_requests_for_user_filter`
GCP Multiple Failed MFA Requests For User
- source: splunk
- techniques:
  - T1586
  - T1586.003
  - T1621
  - T1078
  - T1078.004
Description
The following analytic detects multiple failed multi-factor authentication (MFA) requests for a single user within a Google Cloud Platform (GCP) tenant. It triggers when 10 or more MFA prompts fail within a 5-minute window, using Google Workspace login failure events. This behavior is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this activity could lead to unauthorized access, allowing attackers to compromise accounts and potentially escalate privileges within the GCP environment.
Detection logic
`gws_reports_login` event.name=login_failure `gws_login_mfa_methods`
| bucket span=5m _time
| stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method, _time
| where mfa_prompts >= 10
| `gcp_multiple_failed_mfa_requests_for_user_filter`
AWS Multiple Failed MFA Requests For User
- source: splunk
- techniques:
  - T1586
  - T1586.003
  - T1621
Description
The following analytic identifies multiple failed multi-factor authentication (MFA) requests to an AWS Console for a single user. It leverages AWS CloudTrail logs, specifically the additionalEventData field, to detect more than 10 failed MFA prompts within 5 minutes. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this could lead to unauthorized access to the AWS environment, potentially compromising sensitive data and resources.
Detection logic
`cloudtrail` eventName= ConsoleLogin "additionalEventData.MFAUsed"=Yes errorMessage="Failed authentication"
| bucket span=5m _time
| stats dc(_raw) as mfa_prompts values(userAgent) as userAgent values(src) as src by _time user_name user_arn aws_account_id eventName errorMessage
| where mfa_prompts > 10
| `aws_multiple_failed_mfa_requests_for_user_filter`
O365 Multiple Failed MFA Requests For User
- source: splunk
- techniques:
  - T1621
Description
The following analytic identifies potential “MFA fatigue” attacks targeting Office 365 users by detecting more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. It leverages O365 management activity logs, focusing on Azure Active Directory events with the UserLoginFailed operation, a Success ResultStatus, and an ErrorNumber of 500121. This activity is significant as attackers may exploit MFA fatigue to gain unauthorized access by overwhelming users with repeated MFA requests. If confirmed malicious, this could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation is crucial.
Detection logic
`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ResultStatus=Success ErrorNumber=500121
| bucket span=10m _time
| stats dc(_raw) as mfa_prompts values(LogonError) as LogonError values(signature) as signature by user, _time
| where mfa_prompts > 9
| `o365_multiple_failed_mfa_requests_for_user_filter`
Azure AD Multiple Failed MFA Requests For User
- source: splunk
- techniques:
  - T1586
  - T1586.003
  - T1621
  - T1078
  - T1078.004
Description
The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Azure AD tenant. It leverages Azure AD Sign-in Logs, specifically error code 500121, to detect more than 10 failed MFA attempts within 10 minutes. This behavior is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication prompts. If confirmed malicious, this activity could lead to unauthorized access, allowing attackers to compromise user accounts and potentially escalate their privileges within the environment.
Detection logic
`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" properties.status.errorCode=500121 properties.status.additionalDetails!="MFA denied; user declined the authentication"
| rename properties.* as *
| bucket span=10m _time
| stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent
| where count > 10
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_multiple_failed_mfa_requests_for_user_filter`
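All five rules above share one shape: filter the failed-MFA events, floor `_time` into fixed spans (`bucket span=5m` or `10m`), count per user (or per source IP) inside each span, and alert when the count crosses a threshold, with the Okta and GCP rules using `>= 10` and the AWS, O365 and Azure AD rules using `> 10` or `> 9`. The Python below is an added illustration of that logic, not Splunk's code and not part of the rules themselves. It reproduces the Okta rule's base filter over constructed sample events (the field names follow the Okta rule; the factor value `OKTA_VERIFY_PUSH`, the user names, timestamps and IP are made up), and the `inclusive` flag switches between the `>=` and `>` comparisons so the boundary case of exactly 10 failures can be seen under both.

```python
"""Fixed-window MFA-failure burst detector.

Added illustrative code mirroring the SPL rules' structure:
  filter events -> bucket _time into fixed spans -> count per (bucket, key) -> threshold.
All sample events below are constructed for the demonstration, not real Okta logs.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone
from typing import Callable, Iterable, Sequence


def bucket_start(ts: datetime, span_seconds: int) -> datetime:
    """Floor a timestamp to the start of its fixed window, like `bucket _time span=5m`."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span_seconds, tz=timezone.utc)


def detect_mfa_bursts(
    events: Iterable[dict],
    *,
    span_seconds: int,
    threshold: int,
    key_fields: Sequence[str],
    predicate: Callable[[dict], bool],
    inclusive: bool = True,
) -> list[dict]:
    """Return one alert per (window, key) whose filtered event count crosses the threshold.

    inclusive=True  -> `where count >= threshold` (Okta / GCP rules)
    inclusive=False -> `where count > threshold`  (AWS / O365 / Azure AD rules)
    """
    groups: dict[tuple, list[datetime]] = defaultdict(list)
    for ev in events:
        if not predicate(ev):  # the rule's base search
            continue
        ts = datetime.fromisoformat(ev["time"])  # ISO 8601 with UTC offset
        key = (bucket_start(ts, span_seconds),) + tuple(ev.get(f) for f in key_fields)
        groups[key].append(ts)  # `stats count ... by _time <key>`

    alerts = []
    for key, times in groups.items():
        n = len(times)
        hit = n >= threshold if inclusive else n > threshold
        if hit:
            alert = {"bucket": key[0].isoformat(), "count": n,
                     "firstTime": min(times).isoformat(),   # min(_time)
                     "lastTime": max(times).isoformat()}    # max(_time)
            alert.update(zip(key_fields, key[1:]))
            alerts.append(alert)
    return sorted(alerts, key=lambda a: (a["bucket"], [a[f] for f in key_fields]))


def okta_failed_mfa(ev: dict) -> bool:
    """Same filter as the Okta rule: MFA failures, password-as-factor excluded."""
    return (
        ev.get("eventType") == "user.authentication.auth_via_mfa"
        and ev.get("outcome.result") == "FAILURE"
        and ev.get("debugContext.debugData.factor") != "PASSWORD_AS_FACTOR"
    )


def _okta_event(time: str, user: str, factor: str = "OKTA_VERIFY_PUSH",
                result: str = "FAILURE") -> dict:
    # Constructed event in the flattened field layout the Okta rule searches on.
    return {"time": time, "eventType": "user.authentication.auth_via_mfa",
            "outcome.result": result, "debugContext.debugData.factor": factor,
            "src_user": user, "src_ip": "203.0.113.10"}


SAMPLE_EVENTS = (
    # alice: 12 failed pushes inside the 10:00-10:05 window -> should alert
    [_okta_event(f"2024-05-01T10:00:{s:02d}+00:00", "alice") for s in range(0, 60, 5)]
    # alice: password-as-factor failures must not count toward the push total
    + [_okta_event(f"2024-05-01T10:01:{s:02d}+00:00", "alice", factor="PASSWORD_AS_FACTOR")
       for s in (0, 10, 20)]
    # alice: one more failure in the next window -> separate bucket, below threshold
    + [_okta_event("2024-05-01T10:06:00+00:00", "alice")]
    # alice: a successful MFA is not a failure
    + [_okta_event("2024-05-01T10:02:30+00:00", "alice", result="SUCCESS")]
    # carol: exactly 10 failures -> alerts under `>= 10`, not under `> 10`
    + [_okta_event(f"2024-05-01T10:03:{s:02d}+00:00", "carol") for s in range(0, 50, 5)]
    # bob: 3 failures -> ordinary noise
    + [_okta_event(f"2024-05-01T10:04:{s:02d}+00:00", "bob") for s in (0, 15, 30)]
)


if __name__ == "__main__":
    for inclusive in (True, False):
        label = ">= 10" if inclusive else "> 10"
        hits = detect_mfa_bursts(SAMPLE_EVENTS, span_seconds=300, threshold=10,
                                 key_fields=("src_user",), predicate=okta_failed_mfa,
                                 inclusive=inclusive)
        print(f"count {label}: {[(a['src_user'], a['count']) for a in hits]}")
```

Two points worth carrying back to the SPL. First, the boundary case matters: with the same 10-failure burst, `where count >= 10` fires and `where count > 10` does not, which is exactly the difference between the Okta/GCP rules and the AWS/Azure AD ones. Second, `bucket span=5m` creates fixed, non-overlapping windows, so a 12-prompt burst that straddles a boundary (6 prompts at 10:04, 6 at 10:05) never reaches the threshold in either window; a sliding window, or running the search with a span larger than the expected burst, closes that gap. The Azure AD rule's exclusion of "MFA denied; user declined the authentication" is the kind of condition that belongs in the predicate here.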