LoFP LoFP / multiple failed mfa requests may also be a sign of authentication or application issues. filter as needed.

Sample rules

GCP Multiple Failed MFA Requests For User

Description

The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.

Detection logic

`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` 
| bucket span=5m _time 
| stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method,  _time 
| where mfa_prompts >= 10 
| `gcp_multiple_failed_mfa_requests_for_user_filter`

O365 Multiple Failed MFA Requests For User

Description

This analytic identifies potential “MFA fatigue” attacks targeting Office 365 users. Specifically, it detects scenarios where a user experiences more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. Attackers may exploit MFA fatigue by repeatedly triggering MFA requests, hoping that the user, out of frustration or oversight, will approve a malicious authentication attempt. The detection leverages O365 management activity logs, focusing on Azure Active Directory events. It looks for the UserLoginFailed operation combined with a Success ResultStatus and an ErrorNumber of 500121, which indicates MFA prompts. By monitoring these specific events and conditions, the analytic captures and alerts on potential MFA fatigue scenarios. With MFA being a cornerstone of modern cybersecurity defenses, attackers are constantly seeking ways to bypass or exploit it. MFA fatigue is one such tactic, where attackers rely on user frustration or confusion caused by frequent MFA prompts. Detecting potential MFA fatigue scenarios allows security teams to proactively investigate and ensure that users aren’t inadvertently granting access to malicious actors. If this detection flags a true positive, it suggests a potential attempt by an attacker to exploit MFA mechanisms to gain unauthorized access to an O365 account. Successful exploitation could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation and response would be crucial to safeguard the affected account and assess the full scope of the potential breach.

Detection logic

 `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ResultStatus=Success  ErrorNumber=500121 
| bucket span=10m _time 
| stats  dc(_raw) as mfa_prompts values(LogonError) as LogonError values(signature) as signature by user, _time 
| where  mfa_prompts  > 9 
| `o365_multiple_failed_mfa_requests_for_user_filter`

Azure AD Multiple Failed MFA Requests For User

Description

The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.

Detection logic

 `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" properties.status.errorCode=500121 properties.status.additionalDetails!="MFA denied; user declined the authentication" 
| rename properties.* as * 
| bucket span=10m _time 
| stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent 
| where count > 9 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_multiple_failed_mfa_requests_for_user_filter`

AWS Multiple Failed MFA Requests For User

Description

The following analytic identifies multiple failed multi-factor authentication requests to an AWS Console for a single user. AWS Cloudtrail logs provide a a very useful field called additionalEventData that logs information regarding usage of MFA. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. AWS Environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.

Detection logic

`cloudtrail` eventName= ConsoleLogin "additionalEventData.MFAUsed"=Yes errorMessage="Failed authentication" 
| bucket span=5m _time 
|  stats dc(_raw) as mfa_prompts values(userAgent) as userAgent values(src) as src by _time user_name user_arn aws_account_id eventName errorMessage 
| where mfa_prompts > 10
| `aws_multiple_failed_mfa_requests_for_user_filter`

Okta Multiple Failed MFA Requests For User

Description

The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Okta tenant. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Okta tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.

Detection logic

 `okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE debugContext.debugData.factor!=PASSWORD_AS_FACTOR 
| bucket _time span=5m 
| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip) as src_ip values(debugContext.debugData.factor) by _time src_user 
| where count >= 5 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `okta_multiple_failed_mfa_requests_for_user_filter`