Azure AD Multiple Denied MFA Requests Indicating Potential Account Compromise
Detection of an unusually high number of denied MFA requests for a single user within a short timeframe in Azure AD, potentially indicating a targeted account compromise attempt.
This threat brief addresses the potential for account compromise in Azure Active Directory (Azure AD) environments, specifically focusing on scenarios where an attacker attempts to bypass multi-factor authentication (MFA) by repeatedly sending MFA requests to a legitimate user until they are either accepted or the user becomes desensitized and approves a fraudulent request. This technique is often employed after an attacker has gained initial access through methods like password spraying or phishing. The detection focuses on identifying instances where a user has denied more than nine MFA requests within a 10-minute window. While the specific actor is unknown, the technique aligns with observed behaviors from various threat actors, including those detailed by Mandiant and in reports related to LAPSUS$ and SolarWinds breaches. This activity is critical for defenders as a successful MFA bypass can lead to significant data breaches, lateral movement within the organization, and further malicious activities. The original Splunk analytic was published on 2026-04-17.
Attack Chain
- The attacker gains initial access to a valid user's credentials through phishing, password spraying, or credential stuffing.
- The attacker attempts to authenticate to Azure AD using the compromised credentials.
- Azure AD prompts the legitimate user for MFA verification.
- The user denies the MFA request, recognizing the unauthorized login attempt.
- The attacker repeatedly initiates login attempts, triggering multiple MFA requests in a short period.
- The user continues to deny the MFA requests, but the sheer volume may cause confusion or fatigue.
- If the attacker successfully convinces the user to approve a request, or exploits a vulnerability to bypass MFA, they gain access to the user's account.
- With compromised credentials, the attacker performs actions such as accessing sensitive data, moving laterally to other systems, or deploying malware.
Impact
A successful MFA bypass can have significant consequences, including unauthorized access to sensitive data, lateral movement within the organization's network, and the potential deployment of ransomware or other malware. Organizations in any sector could be targeted, with potential impacts ranging from data breaches and financial losses to reputational damage and disruption of services. The number of affected users and the scale of the damage will vary depending on the attacker's objectives and the organization's security posture. This technique is especially effective against users who are not trained to recognize and report suspicious MFA requests, and organizations that haven't implemented number matching.
Recommendation
- Deploy the Sigma rule
Azure AD Multiple Denied MFA Requeststo detect potential MFA fatigue attacks based on Azure AD Sign-in logs (logsource: category:network_connection, product:azure). - Implement number matching in MFA applications as recommended by CISA to mitigate MFA bypass techniques (https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf).
- Investigate and filter out known false positives, such as authentication errors, as described in the documentation for the original Splunk detection.
- Review and enhance user training programs to educate employees on recognizing and reporting suspicious MFA requests.
Detection coverage 2
Azure AD Multiple Denied MFA Requests
highDetects multiple denied MFA requests for a single user within a 10-minute window, indicating a potential MFA fatigue attack.
Azure AD MFA Denied with Error Code 500121
mediumDetects MFA denial events with error code 500121, indicating the user declined the authentication.
Detection queries are available on the platform. Get full rules →