About
When an attacker compromises the username and password of an employee, they may attempt to repeatedly send multi-factor authentication (MFA) requests. The employee may be overwhelmed by the number of MFA requests and approve one of them, allowing the attacker to gain access to the employee's account.
Understanding Impact
Business Impact
Compromised employee accounts often lead to data leaks, data loss, and unauthorized access to your Azure or corporate Microsoft 365 resources. In particular, Business Email Compromise (BEC) is a common attack vector that leverages compromised accounts.
Technical Impact
Such attacks are dubbed MFA fatigue attacks, and are commonly used by threat actors to "bypass" MFA.
Detection
You can use Azure AD sign-in logs to identify when several MFA requests are sent to—and denied by—the same user.
Sample event:
{
  "userPrincipalName": "user@domain.tld",
  "authenticationRequirement": "multiFactorAuthentication",
  "signInEventTypes": [
    "interactiveUser"
  ],
  "userType": "member",
  "status": {
    "errorCode": 500121,
    "failureReason": "Authentication failed during strong authentication request.",
    "additionalDetails": "The user didn't complete the MFA prompt. They may have decided not to authenticate, timed out while doing other work, or had an issue with their authentication setup."
  },
  "mfaDetail": {
    "authMethod": "Mobile app notification",
    "authDetail": null
  },
  "authenticationDetails": [
    {
      "authenticationStepDateTime": "2023-12-05T15:11:22Z",
      "authenticationMethod": "Password",
      "authenticationMethodDetail": "Password in the cloud",
      "succeeded": false,
      "authenticationStepResultDetail": "Authentication failed during strong authentication request.",
      "authenticationStepRequirement": ""
    },
    {
      "authenticationStepDateTime": "2023-12-05T15:11:30Z",
      "authenticationMethod": "Mobile app notification",
      "authenticationMethodDetail": null,
      "succeeded": false,
      "authenticationStepResultDetail": "MFA denied; user declined the authentication",
      "authenticationStepRequirement": ""
    }
  ]
}
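The detection described above, written out as an added example (not the page's or Datadog's own rule logic): it reads sign-in events with the field layout of the sample event, keeps only those where the push prompt was declined or ignored (errorCode 500121, authMethod "Mobile app notification"), and flags any user who accumulates a threshold of such failures inside a sliding time window. The threshold of 5 failures in 10 minutes, the example.com users and the timestamps are constructed assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Values taken from the sample sign-in event above.
MFA_NOT_COMPLETED = 500121            # status.errorCode when the MFA prompt was not completed
PUSH = "Mobile app notification"      # mfaDetail.authMethod for an Authenticator push

def failed_pushes(events):
    """Yield (userPrincipalName, step time) for each sign-in whose push was declined or ignored."""
    for ev in events:
        if ev.get("status", {}).get("errorCode") != MFA_NOT_COMPLETED:
            continue
        if ev.get("mfaDetail", {}).get("authMethod") != PUSH:
            continue
        for step in ev.get("authenticationDetails", []):
            if step.get("authenticationMethod") == PUSH and not step.get("succeeded"):
                ts = datetime.strptime(step["authenticationStepDateTime"], "%Y-%m-%dT%H:%M:%SZ")
                yield ev["userPrincipalName"], ts
                break

def detect_mfa_fatigue(events, threshold=5, window_minutes=10):
    """Return {user: max failed pushes inside any window} for users reaching `threshold` (assumed values)."""
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for upn, ts in failed_pushes(events):
        per_user[upn].append(ts)
    alerts = {}
    for upn, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):      # sliding window over the sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[upn] = max(alerts.get(upn, 0), end - start + 1)
    return alerts

def make_event(upn, when, succeeded=False):
    """Constructed sample event with the same field layout as the log excerpt above."""
    return {
        "userPrincipalName": upn,
        "status": {"errorCode": 0 if succeeded else MFA_NOT_COMPLETED},
        "mfaDetail": {"authMethod": PUSH},
        "authenticationDetails": [{"authenticationStepDateTime": when,
                                   "authenticationMethod": PUSH, "succeeded": succeeded}],
    }

# Constructed sample: six declined pushes to alice within six minutes, two isolated ones to bob.
SAMPLE_EVENTS = [make_event("alice@example.com", f"2023-12-05T15:{11 + i}:00Z") for i in range(6)] + [
    make_event("bob@example.com", "2023-12-05T15:11:30Z"), make_event("bob@example.com", "2023-12-05T15:40:00Z"),
    make_event("alice@example.com", "2023-12-05T15:18:00Z", succeeded=True)]
```

Run against the sample, only alice is flagged (6 failed pushes); bob's two failures are too far apart to cross the window, and alice's later successful prompt is not counted at all.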
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the following out-of-the-box rules: