Query Details

09 MFA Fatigue Silent Token Abuse

Query

id: c4d0e2f3-a8b9-1c5d-6e7f-8a9b0c1d2e3f
name: MFA Fatigue Attack - Push Bombing Followed by Silent Token Abuse
version: 1.0.0
kind: Scheduled
description: |
  Detects the MFA fatigue (push bombing) attack pattern: a user receives many failed MFA
  prompts (attacker bombards them), eventually authenticates (possibly by approving to
  make it stop), and then the attacker begins heavily using non-interactive tokens from
  that session. This is a common technique used by groups like LAPSUS$ and Scattered Spider.
  MITRE ATT&CK: T1621 (Multi-Factor Authentication Request Generation)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
      - SigninLogs
queryFrequency: 1h
queryPeriod: 4h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - DefenseEvasion
relevantTechniques:
  - T1621
  - T1078
  - T1528
query: |
  // Stage 1: users who received repeated failed or interrupted MFA prompts.
  // ResultType is a string column in SigninLogs, so the codes are compared as strings.
  let MFAFatigue =
      SigninLogs
      | where TimeGenerated > ago(4h)
      | where ResultType in ("50074", "500121", "50076")  // MFA required, denied, interrupted
      | summarize
          MFAAttempts  = count(),
          FirstAttempt = min(TimeGenerated)
        by UserPrincipalName;
  // Stage 2: the earliest successful MFA sign-in per user, with the first IP seen on success.
  let MFASuccess =
      SigninLogs
      | where TimeGenerated > ago(4h)
      | where ResultType == "0"
      | where AuthenticationRequirement == "multiFactorAuthentication"
      | summarize MFASuccessTime = min(TimeGenerated), SuccessIP = tostring(make_set(IPAddress)[0])
        by UserPrincipalName;
  // Stage 3: join the prompts to a later success, then to heavy non-interactive token use.
  // Note: NI_Count covers all successful non-interactive sign-ins in the 4h window,
  // not only those after MFASuccessTime.
  MFAFatigue
  | where MFAAttempts >= 3
  | join kind=inner MFASuccess on UserPrincipalName
  | where MFASuccessTime > FirstAttempt
  | join kind=inner (
      AADNonInteractiveUserSignInLogs
      | where TimeGenerated > ago(4h)
      | where ResultType == "0"
      | summarize NI_Count = count(), NI_Countries = make_set(Location), NI_IPs = make_set(IPAddress)
        by UserPrincipalName
    ) on UserPrincipalName
  | where NI_Count > 10
  | project
      UserPrincipalName,
      MFAAttempts,
      FirstMFAPrompt   = FirstAttempt,
      MFASuccessTime,
      SuccessIP,
      NI_Count,
      NI_Countries
  | order by MFAAttempts desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SuccessIP
customDetails:
  MFAAttempts: MFAAttempts
  NonInteractiveSignIns: NI_Count
  CountriesSeen: NI_Countries
alertDetailsOverride:
  alertDisplayNameFormat: "MFA Fatigue Attack - {{UserPrincipalName}} received {{MFAAttempts}} MFA prompts followed by silent token abuse"
  alertDescriptionFormat: "User {{UserPrincipalName}} received {{MFAAttempts}} MFA fatigue prompts. After approval, {{NI_Count}} non-interactive token refreshes followed. Matches MFA fatigue attack pattern."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect a specific type of cyberattack known as an "MFA Fatigue Attack" or "Push Bombing," followed by "Silent Token Abuse." Here's a simplified explanation of what the query does:

  1. Purpose: The query aims to identify situations where a user is bombarded with multiple Multi-Factor Authentication (MFA) prompts (often to the point of annoyance or fatigue), leading them to eventually approve one. After this approval, the attacker uses the session to perform numerous non-interactive sign-ins, which are typically automated and do not require user interaction.

  2. Data Sources: It uses data from Azure Active Directory, specifically the interactive sign-in logs (SigninLogs) and the non-interactive sign-in logs (AADNonInteractiveUserSignInLogs).

  3. Detection Logic:

    • MFA Attempts: It first identifies users who have received at least three failed or interrupted MFA prompts within the last four hours.
    • MFA Success: It then checks whether these users eventually had a successful MFA sign-in, and requires that success to occur after the first prompt.
    • Non-Interactive Sign-Ins: It then looks for users with more than ten successful non-interactive sign-ins within the same four-hour window, recording the set of locations and IP addresses they came from.

  4. Alert Generation: If the above conditions are met, the query generates an alert indicating a potential MFA fatigue attack. The alert includes details such as the number of MFA attempts, the time of the first MFA prompt, the time of successful MFA, the IP address used for the successful sign-in, and the number of non-interactive sign-ins.

  5. Severity and Response: The alert is marked with high severity, and an incident is created for further investigation. The system is configured to group related alerts by user account to streamline incident management.

  6. MITRE ATT&CK Framework: The query references specific techniques from the MITRE ATT&CK framework, which is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

In summary, this query is a security measure to detect and alert on suspicious patterns of MFA usage that could indicate an attack, helping organizations to respond quickly to potential security breaches.
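The three-stage logic above can be exercised offline against a handful of constructed sign-in records, which makes it easier to see what the thresholds and the ordering check actually admit and reject. The following Python is an added example written for this page; it is not part of the rule and not code from the rule's author. It mirrors the KQL stages (failed prompts, earliest MFA success after the first prompt, heavy non-interactive use) with one deliberate tightening, stated in the code: non-interactive sign-ins are counted only when they occur after the MFA approval, whereas the KQL counts every successful non-interactive sign-in in the window. The user names, IP addresses (RFC 5737 documentation ranges) and timestamps are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds and result codes mirror the rule above.
MFA_FAILURE_CODES = {"50074", "500121", "50076"}
MFA_ATTEMPT_THRESHOLD = 3      # MFAAttempts >= 3
NONINTERACTIVE_THRESHOLD = 10  # NI_Count > 10
LOOKBACK = timedelta(hours=4)  # queryPeriod


@dataclass(frozen=True)
class SignIn:
    """One row from SigninLogs (interactive=True) or AADNonInteractiveUserSignInLogs."""
    time: datetime
    upn: str
    result_type: str            # ResultType is a string column; "0" is success
    ip: str
    location: str
    interactive: bool
    mfa_required: bool = False  # AuthenticationRequirement == "multiFactorAuthentication"


def detect_mfa_fatigue(events, now):
    """Return one alert dict per user matching the three-stage pattern."""
    window = [e for e in events if e.time > now - LOOKBACK]

    # Stage 1 (MFAFatigue): failed or interrupted MFA prompts per user.
    prompts = defaultdict(list)
    for e in window:
        if e.interactive and e.result_type in MFA_FAILURE_CODES:
            prompts[e.upn].append(e.time)

    # Stage 2 (MFASuccess): earliest successful MFA sign-in per user.
    success = {}
    for e in window:
        if e.interactive and e.result_type == "0" and e.mfa_required:
            if e.upn not in success or e.time < success[e.upn].time:
                success[e.upn] = e

    # Stage 3: successful non-interactive sign-ins per user.
    noninteractive = defaultdict(list)
    for e in window:
        if not e.interactive and e.result_type == "0":
            noninteractive[e.upn].append(e)

    alerts = []
    for upn, times in prompts.items():
        if len(times) < MFA_ATTEMPT_THRESHOLD:
            continue
        first_prompt = min(times)
        ok = success.get(upn)
        if ok is None or ok.time <= first_prompt:
            continue  # the approval must come after the bombing started
        # Tighter than the KQL: only count token use after the approval.
        tokens = [e for e in noninteractive[upn] if e.time > ok.time]
        if len(tokens) <= NONINTERACTIVE_THRESHOLD:
            continue
        alerts.append({
            "UserPrincipalName": upn,
            "MFAAttempts": len(times),
            "FirstMFAPrompt": first_prompt,
            "MFASuccessTime": ok.time,
            "SuccessIP": ok.ip,
            "NI_Count": len(tokens),
            "NI_Countries": sorted({e.location for e in tokens}),
            "NI_IPs": sorted({e.ip for e in tokens}),
        })
    return sorted(alerts, key=lambda a: a["MFAAttempts"], reverse=True)


BASE = datetime(2025, 1, 1, 12, 0)


def _at(minutes):
    return BASE + timedelta(minutes=minutes)


def build_sample_events():
    """Constructed sample data (not real logs); IPs are RFC 5737 documentation addresses."""
    ev = []
    # alice: six denied prompts, approval from a new IP, then a burst of token use.
    ev += [SignIn(_at(m), "alice@example.com", "500121", "203.0.113.7", "RO", True) for m in range(6)]
    ev.append(SignIn(_at(6), "alice@example.com", "0", "203.0.113.7", "RO", True, mfa_required=True))
    ev += [SignIn(_at(m), "alice@example.com", "0", "203.0.113.7", "RO", False) for m in range(7, 17)]
    ev += [SignIn(_at(m), "alice@example.com", "0", "198.51.100.5", "US", False) for m in (17, 18)]
    ev.append(SignIn(_at(2), "alice@example.com", "0", "198.51.100.5", "US", False))  # before approval, excluded
    # bob: the success precedes the prompts, so the ordering check rejects him.
    ev.append(SignIn(_at(-10), "bob@example.com", "0", "198.51.100.9", "US", True, mfa_required=True))
    ev += [SignIn(_at(m), "bob@example.com", "50074", "203.0.113.20", "BR", True) for m in range(5)]
    ev += [SignIn(_at(m), "bob@example.com", "0", "198.51.100.9", "US", False) for m in range(5, 20)]
    # carol: the pattern matches but token use stays under the threshold.
    ev += [SignIn(_at(m), "carol@example.com", "50076", "203.0.113.30", "DE", True) for m in (10, 11, 12)]
    ev.append(SignIn(_at(13), "carol@example.com", "0", "203.0.113.30", "DE", True, mfa_required=True))
    ev += [SignIn(_at(m), "carol@example.com", "0", "203.0.113.30", "DE", False) for m in range(14, 18)]
    return ev


def run_sample():
    return detect_mfa_fatigue(build_sample_events(), now=_at(60))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running the sample yields a single alert for alice (six prompts, twelve post-approval token refreshes from two countries); bob is rejected because his MFA success predates the first prompt, and carol because only four non-interactive sign-ins follow her approval. Dropping the `e.time > ok.time` filter reproduces the KQL's looser count, which is worth keeping in mind when tuning `NI_Count > 10` against users whose devices refresh tokens frequently.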

Details

David Alonso

Released: May 29, 2026

Tables

SigninLogs, AADNonInteractiveUserSignInLogs

Keywords

SigninLogs, AADNonInteractiveUserSignInLogs, UserPrincipalName, IPAddress, Location, MFAAttempts, MFAFatigue, MFASuccessTime, SuccessIP, NI_Count, NI_Countries

Operators

let, in, summarize, by, where, ago, join, kind, on, project, order, desc, min, count, make_set, tostring