Azure AD MFA Fatigue Attack
An attacker attempts to bypass multi-factor authentication by flooding a user with MFA requests, potentially leading to account compromise.
This brief addresses the threat of MFA fatigue attacks targeting Azure Active Directory (Azure AD) users. In this attack, adversaries attempt to bypass multi-factor authentication (MFA) by overwhelming a target user with numerous MFA push notifications or requests. The goal is to induce the user to eventually approve a request, either out of frustration or habituation, thereby granting the attacker access to the account. While the provided source does not attribute this activity to a specific actor, this technique has been observed in use by various threat groups, including those linked to nation-state actors and ransomware operations. This attack is especially concerning because it circumvents a critical security control, potentially leading to widespread compromise. The Splunk analytic detects this activity by identifying more than 10 failed MFA attempts within 10 minutes for a single user, using error code 500121 from Azure AD Sign-in Logs.
Attack Chain
- The attacker obtains valid credentials for an Azure AD user, potentially through phishing (T1566) or credential stuffing.
- The attacker attempts to log in to an application or service protected by Azure AD MFA.
- Azure AD prompts the user for MFA.
- The attacker initiates repeated login attempts to trigger a flood of MFA requests to the user's device (T1621). The user receives numerous push notifications or phone calls prompting them to approve the login.
- The user, overwhelmed by the repeated requests, may inadvertently or intentionally approve one of the MFA requests.
- Upon successful MFA approval, the attacker gains unauthorized access to the user's Azure AD account (T1078.004).
- The attacker can now access applications and data protected by the compromised account.
- The attacker may escalate privileges or move laterally within the Azure environment.
Impact
Successful MFA fatigue attacks can lead to complete account compromise, giving attackers access to sensitive data and applications. The number of victims is difficult to quantify, but this technique is a growing concern across various sectors. The impact of a successful attack includes data breaches, financial loss, and reputational damage. The references highlight that even sophisticated threat actors are using this relatively simple but effective technique.
Recommendation
- Deploy the Sigma rule
Detect Multiple Failed Azure AD MFA Requeststo identify potential MFA fatigue attacks in your environment. Tune the threshold (count > 10) based on your organization's MFA usage patterns (Rule). - Implement number matching in MFA applications to mitigate the risk of users blindly approving requests (Reference: CISA Fact Sheet).
- Educate users about MFA fatigue attacks and emphasize the importance of carefully reviewing each MFA request before approving it.
- Investigate any alerts generated by the
Detect Multiple Failed Azure AD MFA Requestsrule, focusing on users with unusual login patterns or high-value accounts.
Detection coverage 2
Detect Multiple Failed Azure AD MFA Requests
highDetects multiple failed MFA requests for a single user, indicative of a potential MFA fatigue attack.
Azure AD MFA BOMBING
highDetects an unusual number of sign-in attempts for the same user, in order to detect an MFA bombing attack
Detection queries are available on the platform. Get full rules →