MFA fatigue attack







EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability. Some might refer to this as likelihood.

IMPACT How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.




When an attacker compromises the username and password of an employee, they may attempt to repeatedly send multi-factor authentication (MFA) requests. The employee may be overwhelmed by the number of MFA requests and approve one of them, allowing the attacker to gain access to the employee's account.

Understanding Impact

Business Impact

Compromised employee accounts often lead to data leaks, data loss, and unauthorized access to your Azure or corporate Microsoft 365 resources. In particular, Business Email Compromise (BEC) is a common attack vector that leverages compromised accounts.

Technical Impact

Such attacks are dubbed MFA fatigue attacks, and are commonly used by threat actors to "bypass" MFA.


You can use Azure AD sign-in logs to identify when several MFA requests are sent to—and denied by—the same user.

Sample event:

{
  "userPrincipalName": "user@domain.tld",
  "authenticationRequirement": "multiFactorAuthentication",
  "signInEventTypes": [],
  "userType": "member",
  "status": {
    "errorCode": 500121,
    "failureReason": "Authentication failed during strong authentication request.",
    "additionalDetails": "The user didn't complete the MFA prompt. They may have decided not to authenticate, timed out while doing other work, or had an issue with their authentication setup."
  },
  "mfaDetail": {
    "authMethod": "Mobile app notification",
    "authDetail": null
  },
  "authenticationDetails": [
    {
      "authenticationStepDateTime": "2023-12-05T15:11:22Z",
      "authenticationMethod": "Password",
      "authenticationMethodDetail": "Password in the cloud",
      "succeeded": false,
      "authenticationStepResultDetail": "Authentication failed during strong authentication request.",
      "authenticationStepRequirement": ""
    },
    {
      "authenticationStepDateTime": "2023-12-05T15:11:30Z",
      "authenticationMethod": "Mobile app notification",
      "authenticationMethodDetail": null,
      "succeeded": false,
      "authenticationStepResultDetail": "MFA denied; user declined the authentication",
      "authenticationStepRequirement": ""
    }
  ]
}
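
One way to implement the check described above, as an added example that is not Datadog's rule logic or code from the original page: it counts sign-in events with error code 500121 per user in a sliding window and separately flags a successful sign-in that follows such a burst. The 10-minute window, the threshold of 3, the function names and the sample events are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MFA_FAILED = 500121              # errorCode shown in the sample event
WINDOW = timedelta(minutes=10)   # assumed tuning value
THRESHOLD = 3                    # assumed tuning value

def event_time(event):
    """Timestamp of the last authentication step in the sign-in event."""
    step = event["authenticationDetails"][-1]
    return datetime.fromisoformat(step["authenticationStepDateTime"].replace("Z", "+00:00"))

def detect_mfa_fatigue(events):
    """Return (user, kind, time) findings for bursts of unapproved MFA prompts."""
    recent = defaultdict(deque)      # user -> times of recent failed MFA prompts
    findings = []
    for event in sorted(events, key=event_time):
        user, now = event["userPrincipalName"].lower(), event_time(event)
        window = recent[user]
        while window and now - window[0] > WINDOW:
            window.popleft()         # forget prompts older than the window
        code = event["status"]["errorCode"]
        if code == MFA_FAILED:
            window.append(now)
            if len(window) == THRESHOLD:      # alert once per burst
                findings.append((user, "mfa_prompt_burst", now))
        elif code == 0 and len(window) >= THRESHOLD:
            # errorCode 0 is a successful sign-in: a prompt was approved after a burst.
            findings.append((user, "approved_after_burst", now))
            window.clear()
    return findings

def sign_in(user, time, code):
    """Build a constructed sign-in event with only the fields used above."""
    step = {"authenticationStepDateTime": time, "succeeded": code == 0}
    return {"userPrincipalName": user, "status": {"errorCode": code},
            "authenticationDetails": [step]}

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    sign_in("user@domain.tld", "2023-12-05T15:11:30Z", MFA_FAILED),
    sign_in("user@domain.tld", "2023-12-05T15:12:10Z", MFA_FAILED),
    sign_in("other@domain.tld", "2023-12-05T15:12:30Z", MFA_FAILED),
    sign_in("user@domain.tld", "2023-12-05T15:13:05Z", MFA_FAILED),
    sign_in("user@domain.tld", "2023-12-05T15:14:00Z", 0),
]

if __name__ == "__main__":
    for finding in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(finding)
```

The `approved_after_burst` finding is the one to triage first, since it matches the case where the user gave in and approved a prompt.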

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the following out-of-the-box rules:


Multi-Factor Authentication Request Generation

Defend your users from MFA fatigue attacks

APT29 Abuses of Repeated MFA Push Notifications

"Strawberry Tempest" uses MFA spamming
